On May 25, 2018, a few short weeks away, the new EU General Data Protection Regulation (GDPR) will be applicable. The purpose of the GDPR is to regulate how personal data is used and give ownership of data back to the individuals who have supplied it; and while the ruling is specific to EU residents, it will impact any businesses who operate globally, as well as the businesses they may work with. Failure to comply with GDPR legislation can have significant consequences: the fine is currently 20 million euros or up to 4 percent of global revenues, whichever is greater.
The GDPR defines all businesses that deal with personal data as "controllers" or "processors".
Controller: "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data".
Processor: "a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller".
In other words, a controller controls how and why personal data is processed, while the processor actually processes the data on behalf of the controller. So while this definition ultimately makes the controller responsible for ensuring the processor abides by the legislation, the processor still has an obligation to follow the regulations and maintain detailed records of the personal data that is processed.
In short: it doesn't matter which definition your business falls under; if you have dealings with EU residents, you will need to adhere to the GDPR.
What are some of the new requirements and regulations that businesses need to follow?
- Consent: Organizations will be required to obtain individuals' consent to use and store their personal data in an easily understandable and easy-to-access form, and explain how that personal data will be used. It must be equally easy for individuals to withdraw that consent.
- Breach Notification: Organizations will be required to notify the supervisory authority within 72 hours of discovering a data breach.
- Territorial Scope: Regardless of where organizations are located or where they physically process the data, the regulations apply to any company collecting and/or processing an EU resident's personal data.
- Right to Access: Organizations must be able to provide electronic copies of all personal data records to the individual requesting them, and explain what data is processed, the purpose of that processing, and where that data is stored. The data must be exportable in a "commonly used and machine readable format" so that the individual can transmit it to another data controller.
- Right to Be Forgotten: EU residents must be able to request that their personal data be erased and/or no longer shared with third parties, and those third parties must stop processing it as well.
- Privacy by Design: It is now a legal requirement that data privacy and protection are considered from the start of any new project, with provisions for them built into any new products or services.
- Data Protection Officers: Both data controllers and processors will be required to appoint a Data Protection Officer, or DPO, to manage compliance. This is only applicable to companies "whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences."
So what does this mean to "adhere to the GDPR"? If it is applicable to your business, it's very important that you seek proper consultation or legal advice on the matter; in the meantime, we've put together a high-level list of some changes you may need to implement to be GDPR-compliant.
1. Educate Your Team
Although we're getting down to the wire with the May 25, 2018 effective date, it's not too late to educate your team on the requirements and impacts of GDPR. Sales, marketing, support, HR, legal, finance: many departments can have access to personal data. Key leaders of each team should be aware of the regulations, knowledgeable about the requirements, and clear on how their team may be impacted.
There are many agencies or consultants offering in-person or webinar-based training sessions; if you're feeling overwhelmed or confused, it's a good idea to seek professional help or advice.
2. Appoint a DPO (if applicable)
As noted above, not all companies will be required to have a DPO on staff or retainer. However, if managing, processing or monitoring data is a "core activity" of your business, this may be applicable to you. The DPO will have many responsibilities ensuring GDPR compliance, including:
- monitoring specific processes, such as data protection impact assessments
- maintaining data and data processing audit trails to ensure compliance
- maintaining all data inventory
- ensuring employee awareness and the training of employees
- liaising and collaborating with authorities
3. Conduct a Data Audit
In order to understand your liabilities and any holes that need to be patched, you'll need to undergo a data audit across your entire organization to identify all sources and types of data. This will be a big task, but it is probably one of the more important things you'll need to do. Here are some suggestions as to where to start:
- Identify who you collect data from.
- Identify who has access to this data.
- Identify where you keep their data.
- Identify why you collect this data.
- Identify how long you keep their data for.
- Identify how the data is being processed.
Once you have these questions answered, you can branch out further:
- What third parties do we share this data with?
- Why do we share this data with third parties?
- How do we share this data with third parties?
- Do our third parties then share this data again to other parties?
- How do we safeguard data?
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- Who will it be shared with?
- What will be the effect of this on the individual?
- How long will the personal data be kept?
5. Manage Collection of Consent
Organizations will be required to obtain an individual's consent to use and store their personal data. The regulation also requires that this consent is obtained through an easy-to-access and easy-to-understand form which also explains how their data may be used. It will also be important to obtain affirmative consent from the guardian of any child under the age of 16.
You will also need to provide an easy mechanism by which individuals can withdraw their consent at any time.
The Information Commissioner's Office has published some detailed instructions on how you can seek, record, manage and verify an individual's consent.
6. Create a Data Security & Breach Plan
In addition to the legal and financial implications that a data breach may have, GDPR also has strict requirements to ensure the proper procedures are in place to detect, investigate and report any breaches. This includes:
- Implementing data security processes and measures, and ensuring timely testing of these measures takes place
- Notifying the Data Protection Authority within 72 hours of any data breach incident
- Notifying affected individuals after a high-risk data breach incident
7. Respond to Personal Data Requests
Under the Right to Access and the Right to Be Forgotten, organizations must be able to respond to an individual's personal data request in a timely manner (generally within 30 days). Compliance in this area is broad, and organizations must be able to demonstrate that they can accommodate the following:
- The ability to respond to personal data inquiries
- The ability to provide access to personal data records
- The ability to access and update personal data records, when requested
- The ability to delete the data of any individual, at any point in time, upon their request
- Confirm that no data is collected beyond the minimum that is required for processing
- Confirm that no data is kept beyond the minimum period of time that is required for processing
- Confirm that no personal data is sold
- Confirm that no personal data is used by either the controller or their processors, for any other purpose than that which was originally defined and consented to
8. Export Transferable Data
In addition to proving that they can easily access and provide data upon an individual's request, organizations must also provide that data in a transferable, machine-readable format, so that it can easily be ported to another data controller if the individual so desires.
9. Conduct a Privacy Impact Assessment
If your organization processes data in a way that poses a high risk to the "rights and freedoms" of individuals, then it will be required to complete a Privacy Impact Assessment (PIA), which analyzes exactly how personal data will be collected, used, processed and shared. The involvement of a DPO might be necessary at this stage.
10. Privacy by Design
Privacy by Design or Privacy by Default requires that all new programs or processes are designed with privacy in mind at all times. This means that any existing and new programs or processes need to be planned, designed and performed with GDPR compliance and data security provisions built right in. It means that personal data should be collected only for the specific purpose for which it is required, and maintained in a secure environment.
The regulations and requirements of the GDPR are complicated, and trying to figure out where to start can be overwhelming. If you think it may affect you, you might want to start by appointing a DPO or GDPR "owner" within your organization and undertaking a full data audit to find out where you might be most vulnerable. Depending on the results of this audit, you may need to seek additional legal or consultant advice to make sure you are ready, and fully compliant, by May 25.