I would like to point out as a disclaimer that I am not an expert on GDPR, nor have I sought out legal counsel on this information. This is all based on what I have learned through my research, which I hope will be helpful as you get the necessary systems in place to ensure compliance because most of the people working in the online space are still struggling to understand the essential aspects of GDPR.
I recommend that you look deeper into GDPR and get a full understanding as you get a clearer picture, but I also understand that not all of you have the time to go through the full text of GDPR, which spans over 80 pages and has 99 articles, so hopefully this will bring you the gist of the regulation, which will make it easier for you to comply with GDPR.
GDPR is a new EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU.
Simply put, the world revolves around data. Much of it is fairly general and public; however, a lot of us also have data which is personal to us as individuals. For example, our names and addresses, someone’s bank account information or medical records, even photos, videos and other information. Most of us who see what’s going on and how companies are using our information would like to get back some control over our personal data. GDPR has been introduced to help protect such data and provide enhanced rights around it.
So, as you can see… not so complicated, right? If anything, it has been introduced to protect us and our personal information.
What Do I Need To Know?
First, you must make sure that you are well aware of the new data protection regulation, and the changes that it will bring. Being informed about GDPR will help you identify the hurdles in compliance, and enable you to predict and mitigate any problems that may arise in the future. Implementation of GDPR will lead to resource implications, irrespective of the scale of your company. Start by reviewing your risk management processes, and then move on to the more complex compliance issues.
To comply with GDPR’s accountability principle, you need to demonstrate and document the ways you process personal data. The first step in ensuring accountability is to examine the information that you hold on the basis of the following questions:
- What personal data do you hold?
- Where did it come from?
- Why are you holding the data?
- Why did you need it?
- How long will you retain it?
- How accessible is it?
- Is it encrypted and secure?
- Do you share this information with third parties?
- What is the basis for your information sharing?
Review all your current privacy notices, and ensure that they comply with the privacy notices code of practice published by the Information Commissioner’s Office (ICO). In addition to the disclosure of your identity, the reasons for data collection, usage information, and transfer details that you already have to communicate to your customers under the current legislation, GDPR requires you to inform your customers primarily about:
- The legal basis for data processing.
- Data retention period.
- Right to complain.
As per the GDPR guidelines, organizations are obligated to ensure that all information communicated to customers and staff with respect to the new regulation is clear, unambiguous, and conveyed in easy-to-understand language.
Rights of Individuals
The rights that individuals will enjoy under GDPR are similar to the ones that they have under the current legislation, except for a few additions. Here is a list of the individuals’ rights under GDPR:
- Right to be informed.
- Right of access.
- Right to rectification.
- Right to delete.
- Right to limit processing.
- Right to data portability.
- Right to avoid profiling.
- Right to not be subject to automated decision-making.
Revise your data collection and handling procedures, and upgrade your systems, to ensure that your customers enjoy these rights when GDPR comes into force.
For organizations which handle a large number of access requests, GDPR will surely lead to increased logistical and administrative costs, because:
- The timescale to process access requests will be reduced from the current 40 days to 30 days.
- Access requests cannot be charged for unless the request is shown to be exceptional.
- Organizations can refuse access only if they give valid reasons.
- Any refusal can be challenged by the individual, who will have the right to complain and seek a judicial remedy.
Take the new rules into account and update your request handling procedures accordingly.
To fulfill the “accountability” requirements of GDPR, you must identify and document the legal basis for your data collection and processing activities, and clearly state it in your privacy notices. If you are processing personal data only on the basis of consent, the individual will have a stronger right to have their data erased. The legal basis will also need to be included in your responses to access requests.
According to the guidelines prescribed by the ICO, consent cannot be inferred from silence, pre-ticked boxes, or inactivity. Consent should be informed, specific, opt-in, clear, and freely given. Consent must not be implicit; it must be requested separately, be verifiable, and be easy to withdraw. Though you are not expected to revise all your existing consent norms, you must ascertain that your consent mechanisms are GDPR-compliant.
Organizations will need to put age-verifying systems into place, to be fully aware of who they are catering to. If an organization provides commercial internet services such as social networking, or any other online services which might have children as an audience, it must develop a procedure to acquire a parent or a guardian’s consent, as GDPR mandates special protection of children’s personal data. The GDPR norms further mention that:
- The age at which an individual can give their own consent to data processing is 16.
- Organizations which cater to children must simplify the language in their privacy notices to enable easy comprehension by children.
Personal Data Breach
GDPR mandates that every organization must have mechanisms which will efficiently detect, report, and investigate any personal data breach. According to the data breach guidelines by GDPR:
- The ICO and the concerned individuals must be notified if a data breach results in a risk to the rights and freedoms of individuals.
- A data breach leading to discrimination, financial loss, defamation, a leak of confidential data, or any other social or economic disadvantage is considered a high-risk situation.
- Organizations could be fined for the breach as well as the failure to report the breach when required.
Data Protection by Design
Though incorporating data protection mechanisms in design is recommended by industry experts and data specialists, many organizations fail to include privacy aspects while designing their systems. The GDPR makes “data protection by design and by default” mandatory, and requires you to evaluate your existing design through Data Protection Impact Assessments (DPIAs) in high-risk scenarios where:
- There is data processing on a large scale.
- A new technology is adopted.
- Profiling is going to significantly affect individuals.
After the DPIA, if you come to the conclusion that your organization cannot address the high-risk situations effectively, you are required to consult the ICO immediately. With reference to the DPIA, here are a few questions that your organization must answer:
- Will any future projects need DPIA?
- Who will perform the DPIA?
- Will you run the process locally or centrally?
- Will there be other parties involved?
Data Protection Officers
To ensure complete GDPR compliance, every organization must have a well-informed and knowledgeable data protection advisor. The advisor may be in-house or an external consultant. While every organization must have a data protection advisor, some organizations are required to have dedicated Data Protection Officers (DPOs). These are:
- Organizations which regularly process sensitive data on a large scale.
- Organizations which perform systematic monitoring on a large scale.
- Public authorities (except courts).
Multinational organizations which operate in more than one EU member state are required to identify their lead data protection supervisory authority. The lead authority is one of the following:
- The data protection authority (DPA) in the country where your main establishment is located.
- The DPA in the location where the decisions regarding the purposes and the means of processing are taken.
Thus, organizations are required to map out the location where the most important data processing decisions are made and comply with the regulations of the DPA in that location.