As you have probably heard, the EU commission signed the General Data Protection Regulation (GDPR) back in April 2016. The legislation is designed to help companies handle efficiently the data challenges of the 21st century and give strict guidelines as to how to work with massive flows of digital information. It is set to protect web users (data subjects) from malicious use and loss of their personal info and, also, to give people greater control over how their records are processed.
GDPR is to take effect on May 25, 2018.
Company runners still have time enough to modify organizational processes to comply fully with new security rules, and today we will explain how they should start.
What Exactly Is GDPR About?
First off, it outlines how companies that work with EU personal data should obtain client’s consent. It gives instructions on how they should collect/store/process personal information, and urges firms to report, in case of a hack or system failure, any data breaches.
It also puts an obligation on companies to prove accountability – every business should be able to demonstrate, vividly, that it’s compliant with the GDPR and that it grants extensive rights (concerning data) to both its customers and employees.
This piece of legislation is to be enforced upon every firm that works with the personal data of EU citizens, not just businesses that reside in the EU.
Secondly, it affords data subjects:
- A right to be informed as to the purpose of the collection of their personal data
- A right to get a copy of that information in its entirety and in a portable format
- A right to have the personal records corrected
- A right to restrict data processing
- A right to have personal information erased from a company’s database (not an absolute right; if there’s a legal ground for a company to keep your data, it might, lawfully, reject such a request)
- A right to object to automated personal data processing
Why is GDPR Needed?
The currently active Data Protection Directive, too, has outlined a comprehensive system for securing personal information. But, adopted in 1995, it lacks regulatory policies for handling the vast data flows of the digital world.
Also, it is merely a directive. The EU state members themselves (not the EU parliament) decide how to translate the guidance and integrate it with their country laws. Therefore, the security framework a European country ends up with often varies greatly from that in a neighboring state.
The 1995 Data Protection Act does require companies in countries outside the EU, be they data controllers or processors, to provide a satisfiable level of security. However, since there’s been no enforcement, many businesses have chosen to neglect it.
So, What are the New Obligations for Companies (Data Controllers and Data Processors) Under the GDPR?
Again, the rules outlined by the law apply equally to companies in the EU area, those operating in the European market, and, in general, every firm that deals with personal info of European citizens.
The law requires companies to:
- Be accountable and able to demonstrate compliance
- Adopt the “privacy by design” approach
- Appoint an EU representative (if a company itself is not residing in the EU zone)
- Conduct due diligence on third-parties; ensure the right contracts are in place to work with businesses outside the EU
- Store records of processing (which regulators might request to see at any time)
- Have a system setup that allows a company to inform an authority about a data breach within 72 hours
- Notify data subjects about data breaches (when the data lost is sensitive, and the probable damage is high)
- Ensure there are technical and organizational measures taken to protect data rights of EU citizens
- Conduct privacy risk assessments
- Appoint a Data Protection Officer (for enterprises that store and/or process vast amounts of personal data)
What Should You Do?
Risk assessment, one of the key requirements outlined by the GDPR, is no strange procedure to enterprises around the world. Financial institutions especially are used to measuring financial, reputational and regulatory impacts of each possible information security fail.
However, it’s wrong to assume a company can get a pass by sticking to its standard processes in 2018. The new data protection act requires you to figure out how much damage a data breach can cause to a client’s privacy and integrity, not your organization, and take precautionary steps accordingly to that assessment.
The first thing CEOs should do is estimate who their data subjects are and how much information their companies are actually processing. This includes customers, employees, candidates who applied for a position at a firm and those who worked there in the past.
Also, establish precisely which type of data you work with. How personal is it? Health and criminal records, people’s religion and sexuality, sensitive financial information – a breach of these records could damage data subjects greatly. Therefore, if your company is one collecting such personal info, be sure to take on protection measures, technical and organizational, that are appropriate to the level of risk.
Besides that, we advise you to catalog the third-parties. An HR or a Performance Evaluation system – you’re probably using those, add them to the list. A CRM software? How about a software vendor(s) you’re outsourcing development to – do they have access to clients’ personal records? Determine clearly where your firm’s data is stored, who has access to it, and where the copies of it are.
An estimation of organizational risks will give you clarity as to the degree of compliance your firm should be aiming to achieve. Once it’s established, we suggest involving a legal team to check the lawfulness of your data processing (if it’s in line with the GDPR). If not, update the policies and, possibly, adopt new procedures.
If necessary (if you do collect lots of personal records) appoint a Data Protection Officer to ensure that every practice you have in place is one allowed under the GDPR.
Then, minimize the risks of data corruption by deleting the information your company no longer needs. Developers in tech firms create backups of the main production base each time they apply a modification. That is what they are used to doing to stay on the safe side but, paradoxically, that is what can get them in trouble once the GDPR comes into full force.
Duplicates, excess fields in systems (CRMs, CMSs, etc.) and overall, the records you firm can do without should be deleted.
Also, start building up a procedure for fulfilling, efficiently, the requests of data subjects. Work out a way to grant the aforementioned right to your clients and employees alike.
Finally, once everything else is done, move on to data protection impact assessment DPIA for the projects your firm is currently working on. Use the official GDPR guidelines.
As a company runner you should ask yourself these questions:
- Do we have a legal ground to store and process the data we collect?
- Should we apply pseudoanonymaztion and encryption so that if data is lost there’s less damage?
- How many people at my organization have access to clients and employees data?
This will help you understand how your firm’s data collection and processing can be cleaned and improved.
The GDPR might seem daunting to adapt to, although, in fact, the principles it introduces largely resemble (and build upon) those in the currently active Data Protection Act. With a right amount of dedication, you can achieve the compliance without putting a whole lot of time and resources into it.
Would you like to hear more about GDPR and how to comply with it quickly? Reach out to our expert for a free consultation.