As you’re hopefully aware of by now, the EU is making sweeping reforms to their online data privacy laws with a law becoming enforceable 25 May 2018, known as the General Data Protection Regulation. Unfortunately, what was once a date far in the future is now right around the corner. If you do business with firms based in the UK, you’ve likely already begun taking steps to meet the new, more rigorous standards of the law, but if not it isn’t too late to start.
We combed through the vast resources available on the GDPR homepage and elsewhere and put together the following list of steps you’ll need to take to ensure you’re covered under the new rules. For the sake of your time and patience, we decided to keep this article relatively top level while providing links to more granular explanations in each step in case you have questions about a given topic that we didn’t directly address.
1. Data Mapping
One of the most essential themes across all of the upcoming GDPR requirements is the knowledge and transparency of how individual’s personal data is being used and stored by your business. With this in mind, the first step in gaining the necessary compliance is mapping exactly how data flows into your business, where it goes once you have it, and what you do with it when you’re done. This process is called Data Mapping and is essential to completing the remainder of the GDPR regulations.
As a firm, you should be able to know exactly who your data is from, who has access to it, what you are using it for, where it is going, when you are done with it, and why you needed it in the first place. If you aren’t able to find this out in a relatively quick and convenient manner, a data map will solve that problem and keep you from slipping up and becoming uncompliant.
You should gather your various teams that handle personal data most often (HR, Operations, Finance, etc.) and start putting together your map which answers every possible combination of who/what/when/where/why until you have a 100% clear knowledge of where you data comes and goes in your business. A good way of doing this is to put together a questionnaire that features these questions and send it to each team. Once you have these answers, follow up with a meeting or call to be absolutely certain there aren’t any gaps in your data’s journey.
When you have a thorough understanding of your data map, maintain it on a real-time basis and update it to reflect any subsequent changes to your data processing. The main goal is to be able to prove you are using the data you have collected to exclusively carry out whatever process the data’s source expressly gave their permission for. A lot of the time breaches in data protection laws are simply the result of negligence and this part of the GDPR is set out to put a stop to these types of errors.
2. Accountability Compliance
Once you have a map of your entire data flow, you will be able to get a clear view into how accountable you are for the privacy of your users. Unfortunately, this isn’t a task to be checked off a list and forgotten. Instead, maintaining accountability compliance is at the very least a weekly task for someone on your team to maintain, and at most a full-time role you will need to fill with a qualified professional.
Data Protection Officer
If you are required to hire a specialist to maintain your compliance, this person’s title will be the Data Protection Officer (DPO) of your firm. You may not be required to hire a DPO but in a few instances, it is mandatory. Your firm needs a DPO when:
- The processing of your data requires regular and systematic monitoring of individuals on a large scale
- Your core activities include processing sensitive personal data on a large scale
The best part about appointing a DPO, beyond knowing that your data transactions will be within the purview of the GDPR, is they will act as the contact point between your business and the Data Protection Authority (DPA), AKA the data police. Because their specific role will be to understand and speak the language of this public authority with the power to fine you up to 4% of your global turnover, it might be in your best interest to appoint a DPO regardless of your legal requirement to do so.
Find out more about Data Protection Officers here: What is a Data Protection Officer?
Privacy Impact Assessment (PIA)
Conducting Privacy Impact Assessments on all areas of business in which there are extensive amounts of personal data being processed (loan approvals, data analytics, etc.) will become a mandatory requirement as soon as the clock hits midnight on May 17, 2018, but it is in your best interest to conduct these assessments beforehand to get an idea of the potential security breaches your current systems may have.
The GDPR requires you to retroactively conduct these assessments on currently implemented technologies and processes which deal with people’s personal data, as well as on any new technologies that you introduce which affect personal data profiling, employee monitoring, or any health data on a large scale. This means you will need to set up a formal procedure to both determine the necessity of a PIA, as well as carry it out. This process should be integrated with your current development process so that over time it becomes second nature.
Learn more about Privacy Impact Assessments here: Privacy Impact Assessments – What, When and How?
Speaking of development, there are a couple of key ideas that the GDPR wants to introduce in regards to considering data privacy from square one of a development process.
Privacy by default
- Puts forth that only the personal data which is necessary for the specific purpose of the processing is processed (i.e. only use what you need)
- The purpose of this regulation is to minimize the amount of data collected, processed, and stored.
Privacy by design
- Puts forth that data privacy should be baked into the outset of any future development processes.
- This is to ensure that data privacy is a consistent priority and is never tabled until a point in the design process that it becomes an inconvenience or an impossibility.
Learn more about Privacy by design and default here: Designing for compliance
In the past, consent has been lawfully required in the transfer of personal data whether it be explicit, implicit, or “opt-out” consent. The GDPR plans on making the definition of consent much more stringent as to minimize any legal wiggle room an offending firm may currently have.
The GDPR is now requiring “a statement or a clear affirmative action,” from the owner of the data before the data is processed in any way. Consent must also be “freely given, specific, informed and unambiguous.” This unambiguous affirmative action may be as simple as ticking a box on a web page, as long as the action is clear and not up for interpretation.
Previously, consent could be inferred by inaction such as leaving a pre-checked box checked, otherwise known as “opt-out” consent. GDPR aims to put a stop to that type of consent by including three additional requirements:
- The right to withdraw consent at any time.
- It should be as easy to withdraw consent as it is to give it.
- Data subjects must be informed of their right to withdrawal before consent is given.
- Once consent is withdrawn, data subjects have the right to be forgotten (i.e. have their data deleted), a right also know as the right to erasure.
- Consent isn’t freely given if there is “a clear imbalance between the data subject and the controller”
- This is especially the case when the data controller is a public authority.
- A controller can’t withhold the service based on consent unless the processing of the user’s data is necessary to fulfill the service.
- Consent must be exclusively received for each separate processing operation.
- Separate data processing operations must be clearly distinguishable from each other.
- Does not apply to processing operations which are seen as “compatible”.
The new rules also require explicit consent is received for the processing of “special categories of personal data” such as racial or ethnic origin, political, religious or philosophical beliefs, trade-union memberships, genetic data, biometric data used to identify a person, or health data.
The real issue with these provisions for many firms is that they not only apply to attaining consent moving forward, they retroactively apply to all of the data you have collected prior to May 25th. This means you will be required to review the current way you receive consent to process data to ensure they are valid under the new regulations and, if they are not, you must immediately cease processing of the data in question and systematically re-solicit consent from the original data subjects before proceeding.
Find out more on the nuances of the updated consent acquisition standards here: Consent
There is enough info regarding the scope and impact of the GDPR to fill a set of encyclopedias so we broke down our compliance guide into three parts. Be sure to read on to part 2 and part 3:
- Achieving GDPR Compliance Part 2 | Individual Privacy Rights
- Achieving GDPR Compliance Part 3 | Contracts and Data Transfers
And if you still want more, check out these articles we’ve written about the impending impact of the GDPR: