Top Mandates for GDPR

Over the past year there has been intensive talk about the GDPR, and when it came into effect on 25 May 2018 it was the first major update to European data protection law in over 20 years. That is a lot of talk; clearly data handling and privacy concerns matter a great deal. It replaces the Data Protection Directive 95/46/EC (implemented as 28 different national laws), bringing uniformity by introducing one harmonized data protection law for organizations to comply with.

Data transfers outside the EU are also under scrutiny, especially if you do business with, or offer services or goods to, individuals in the EU, regardless of whether any transaction takes place. If personal data is concerned, which it will be, the GDPR rules apply and must be observed.

  [pullquote]If you do business, offer services or goods to individuals in the EU, the GDPR rules apply and must be observed. Period.[/pullquote]

Some businesses might consider it a burden to carry out a compliance procedure, not least such a hefty one, but it is not. It is a chance to clean house. Data handling that is beyond reproach can only foster better customer relationships through transparency and trust, a huge innovation driver. This improves brand image and reputation and secures competitive advantage. Improved information security and data governance also show that your organization is committed to continuous improvement.

Why was GDPR introduced?

Any business or company gathering personal data from a customer within the EU as a result of a business transaction needs to take heed, because it has a duty to safeguard that information. Such organizations are subject to the regulations of GDPR without exception. Anyone not complying with the provisions of GDPR is subject to a fine of up to 4% of global annual turnover or 20 million euros. Since enforcement began, many organizations, including Google, have fallen foul of non-compliance. In January 2019 French authorities hit the tech giant with a 50 million euro fine for not being transparent about the use of customer data, including its use for creating personalized site advertising. In a nutshell, GDPR keeps organizations in line with the growing digital landscape and aims to:

  • Improve customer/client/consumer confidence in organizations that hold and process their data through reinforced privacy and security across the EU
  • Provide EU member states with a consistent data protection framework that simplifies the free flow of personal data

What is personal data?

This refers to any information pertaining to an identifiable natural person (the data subject). GDPR supersedes the DPA 1998 and places much more stringent controls over special categories such as genetic or biometric data. Personal data includes: name, address, email address, photo, IP address, location data, cookies and profiling/data analytics. Special categories include: race, religion, sexual orientation, health information, political affiliations, trade union membership and genetic or biometric data.

Some GDPR definitions

  • Data controller

The legal person (within an organization), public authority or other body which, alone or with others, determines the method and purpose of the processing of personal data

  • Data subject

An individual who can be identified, directly or indirectly, by an identifier such as a name, an identification number, location data, or an online identifier such as an IP address

  • Personal data

Any information relating to an identified or identifiable person (the data subject). It also includes online identifiers such as IP addresses and cookies

  • Data processor

A service provider: a person, public authority or other body which processes personal data on behalf of the controller

GDPR top edicts

Accountability and governance

  • Organizations must establish a governance framework with set roles and responsibilities
  • Detailed records of all data processing operations must be kept
  • Data protection policies and procedures are to be documented
  • Data protection impact assessments (DPIAs) are to be conducted for high-risk processing operations
  • Appropriate measures to secure personal data are to be implemented
  • Staff training and awareness programs are to be put in place, and a Data Protection Officer appointed

Data processing principles

There are six of these, which state that personal data should be:

  1. Processed lawfully, fairly and transparently
  2. Collected for specific legitimate purposes only
  3. Adequate, relevant and limited to what is necessary
  4. Accurate and kept up to date
  5. Stored only as long as is necessary
  6. Protected with appropriate security measures, ensuring its integrity and confidentiality

Lawful processing

Every processing operation on personal data must rest on a lawful basis, and that basis must be identified and documented. The bases are:

  • Consent: the individual has given clear, easy-to-withdraw permission for their personal data to be processed for a specific purpose
  • Contract: the processing is necessary in order to enter into or perform a contract with the data subject or individual
  • Legal obligation: the processing activity is necessary to comply with the law, such as an information security, employment or consumer transaction law
  • Vital interest: the processing is required to save a person’s life
  • Public interest: the processing activity is necessary to perform a task in the public interest
  • Legitimate interest: the processing activity is necessary for your legitimate interests, as long as it does not override the interests of the individual

Privacy rights of individuals

An individual’s rights extend into a few important areas:

Valid consent

GDPR imposes stricter rules for acquiring valid consent from individuals to justify the processing of their personal data. Consent has to be a clear and unambiguous indication of an individual’s wishes and has to be freely given. The organization must keep records to demonstrate that consent was given.

Data breach notification

Compliance requires organizations to notify data subjects when a data breach occurs. Usually this must be done within 72 hours, using the most appropriate and timely communication method. If this does not happen, the reason for the delay must be reported when the eventual notification is made. The notification must also describe the breach mitigation measures taken in the meantime.

Right to be forgotten

Also known as the right to data deletion. Under GDPR rules, once the original purpose or use of the customer data has been fulfilled, customers have the right to request total erasure of their personal data. At this point the organization must cease disseminating and processing the data; this also covers situations where the data has become irrelevant.

[pullquote]The citizens of the EU have been granted the right to have their pasts forgotten as far as the internet is concerned. As an organization you MUST be able to identify EVERY user's data, where it is stored, and have the capability to delete, anonymize, or remove it upon request.[/pullquote]

Right to access

At a data subject’s request, an organization must confirm whether personal data pertaining to them is being processed, where and for what purpose. A free-of-charge copy of the personal data being processed must also be supplied in an electronic format.

Data portability

Companies have to provide mechanisms for an individual to receive any previously provided personal data in a commonly used and machine-readable format. The subject also has the right to request that the company transmit the data free of charge to another processor. However, this only applies to data processed by automated means.

Privacy by Design

This part of GDPR requires organizations to foster a mentality of accountability and to proactively design their systems with the correct protocols from the outset. By implementing appropriate technical and organizational measures, they will only process the data that is absolutely necessary for the completion of their business. Failure to design your systems the right way will result in a fine. Approved codes of conduct or management system certifications, such as ISO 27001, can help demonstrate compliance.

DPO (data protection officer)

This is a designated individual who oversees the implementation and maintenance of GDPR guidelines. They safeguard data from abuse, unauthorized access and security breaches. The appointment of a DPO is mandatory for large enterprises with over 250 employees or for any business processing large amounts of personal data in a 12-month period.

Non-compliance can get you in trouble

To put it in perspective, the penalty for non-compliance can be as big or as small as you like it to be. Well, not really: what I mean is that it all depends on your annual revenue. The bigger that is, the more non-compliance will sting; think of it as a means-tested fine. The maximum penalty is 4% of global annual turnover (or 20 million euros, whichever sum is larger), but lesser violations can be fined at a lower percentage.