Psst, is your business ready for the General Data Protection Regulation?
On May 25th one of the world’s largest and most expansive privacy laws comes into force, with over 97 Articles and mandatory practices for organizations collecting, using, storing, distributing or destroying personal information (PI). The General Data Protection Regulation, commonly referred to as the GDPR, is also extremely expansive in scope: not only does it cover European organizations and companies with European offices, but compliance is required of all businesses that collect or process EU citizen PI, or monitor EU citizens. This means that if you’re selling a product, even online, to EU customers and collect information, or your company processes information for another business that collects PI, you too will be expected to comply.
While this may sound like a lot of unnecessary red tape, don’t be fooled by a few angry outlets: the GDPR has not been created as a crackdown on corporate activity or for government to butt its nose into business. The GDPR is here for two reasons: first, the prior legislation, active since 1995, is horribly out of date when it comes to protecting the privacy of individuals in the modern age. The second reason we have the GDPR is because the honours system has failed: businesses and organizations, public, private, crown and not-for-profit, have failed at performing due diligence to protect personal privacy, a longtime basic human right in Europe. The language of the GDPR, particularly the highlights of the data subject rights, demonstrates a commitment to protecting consumers of systems, services and products. Given some of the horror stories we’ve heard over the past two years, including the Equifax breach and the Cambridge Analytica scandal, it seems legislators may have a point.
If you are starting to prepare your organization for compliance, heads up: depending on your company size, the data you collect and your existing processes, you may be in for a lot of work. Unfortunately, given the depth of the legislation, the following list is hardly all-inclusive of the practices you may need to put in place. Instead it has been based on my own readings of the GDPR and expert articles to give a ‘starting point’ on areas you’ll want to pay attention to when you begin. Take a deep breath; here are seven points to use when starting to outline that project plan.
1. Get moving. Now.
First, a bit of bad news: if you’re looking at how to start getting ready for the GDPR at this point, you’re not going to make compliance by the deadline. Not trying to be a buzzkill on this one, but the reality is the GDPR is one heavy bit of privacy legislation that pushes data subjects’ rights and expectations to a higher standard, expects privacy to be implemented with care, and includes stronger documentation requirements than simply updating the business privacy policy. Those who have made or will make the May 25th deadline are the organizations that already started: either they anticipated the crunch and got right on things, or they already have a stronger internal culture of privacy practices, in which case they will have been very much aware of the GDPR since its signing in April of 2016. We also know that there will be no extensions given on the date: those that are not in compliance after May and are reported to the European Data Protection Supervisor can expect penalties.
The good news is, unless your business is front-page news there’s still time to get your data in order now, before a warning or fine is on its way. Remember, the GDPR isn’t restricted to the deadline alone: it is the new baseline privacy law for all data collection, monitoring, retention and processing going forward, and it will not be possible for the Data Protection Supervisor to review every single instance of non-compliance instantaneously: your business or organization will need to be reported first. So you do still have some time to get your privacy house in order without facing major penalties; however, be aware that the window of opportunity won’t last.
2. Run an Information Inventory
You can’t protect what you don’t know, and when it comes to personal data under the GDPR you'll need to know not only what you're collecting and where it goes, but also be able to provide the lawful basis or legitimate interests for processing it. Ask your organization:
1. What types of Personal Information do you collect? Some data, such as information about health, religion, ethnicity, children and finances, may require more care.
2. Why are you collecting/processing the data? Do you have the legal right or a legitimate interest in its use?
3. Where is the data kept? If outside the EU, be sure that appropriate safeguards are in effect, and that the country the data resides in will uphold the data subject rights and any legal decisions made by the European Data Protection Supervisor.
4. How do you get consent? The GDPR pays particular attention not only to implied and explicit consent, but also the nature of the relationships, the understanding between both parties and the powers involved to confirm consent is, in fact, ‘freely given’.
3. Pick your team
Under the GDPR, you will need to know exactly who is calling the shots for data protection, who is using it and what they can use it for. Be sure to identify:
1. Who is the Controller of the data? This can be a person or another legal entity, but it must be an entity capable of making decisions over “the purposes and means of the processing of personal data”. The Controller has a number of responsibilities, including determining if a Data Protection Impact Assessment is in order, and maintaining a Record of Processing Activities.
2. Who are your data Processors? Processors can be people, agencies or other bodies “which processes personal data on behalf of the controller”. Processors are expected to use the data only according to the instructions of the Controller. Prior to processing there may need to be a contractual agreement in place between the Controller and Processor, and Processors are expected to maintain a record of all categories of processing activities.
3. Do you need a Data Protection Officer? If your organization has over 250 people or processes special classes of data, the answer may be yes. The Data Protection Officer is appointed on the basis of knowledge of the law, can be an internal staff member or an external consultant, and reports to executive management as an auditor of existing and future practices.
4. Ask: How Does Your Organization Support the Data Subject’s Rights?
The GDPR places heavy emphasis on the right to privacy and the right of the data subject’s control over their own information. These rights include:
- The Right to be Forgotten
- The Right to Rectification
- The Right to Data Portability
- The Right to Erasure
- The Right to Restriction of Processing
- The Right to Object
Be sure to confirm with your IT team and/or developers that your software and practices are in full compliance and able to uphold these rights for all personal information, not just some of it, down to the last data point.
5. Have an Incident Response Protocol
Under the GDPR you have 72 hours to report a breach to the data subjects, and may be expected to provide certain documentation to supervisory authorities. Be ready!
6. Update Your Website
Websites may need adjustments including active opt-ins and the ability to withdraw information from forms, a clear privacy policy and notice to visitors about the use of cookies. Here is a good guideline to get started.
7. Review Security Safeguards
Ask:
- Does your data need to be pseudonymised or encrypted?
- Do you have a system to keep confidentiality, integrity, availability and resilience in place?
- Can you confirm your organization does regular testing, assessment and evaluation of its information resources?
Finally, it's worth stating that if your business’s view of compliance is to simply get explicit permissions for all data use and rewrite your privacy notice, you may be in for an unpleasant surprise. The heavy fines and penalties of the GDPR are intended as a tool to get organizations to take privacy seriously, particularly those who have power and have repeatedly shown less than stellar track records at privacy protection. If you want to avoid heavy penalties, start moving towards solid privacy foundations and build toward GDPR compliance by providing evidence that you care about data subject rights and respect the law of the land. Remember, compliance with the GDPR isn’t about a single day of reckoning: unless the law is repealed or replaced, proactively paying attention to privacy will be the law for all businesses handling European citizens’ personal information from this point forward.