The General Data Protection Regulation (GDPR) applies from 25 May 2018, so it is important that all businesses and organisations are aware of GDPR best practices. Failure to adopt them could result in non-compliance, which in turn could lead to heavy fines or other sanctions. No business can afford for this to happen.
Of course, complying with the GDPR also means that businesses can maintain a good reputation with customers who value protection of their personal data. After all, no-one wants their personal data to be compromised.
Know what the GDPR is about
The first thing you need to do is make sure you know what the GDPR is about and what has changed. This helps you and others in your business understand the new policies that you must follow. One of the main aims of the GDPR is to give people in the EU greater control over the way their personal data is processed. As under the existing legislation, individuals can ask for a copy of the personal data held about them by submitting a subject access request (SAR). Under the GDPR the time allowed to respond is reduced to one month (Article 12), extendable by a further two months only for complex or numerous requests, and in most cases no fee can be charged. Individuals also have the right to ask for data to be amended or deleted in certain cases, except where there is a valid legal reason for retaining it.
Another aim of the GDPR is to ensure that the protection of personal data is dealt with in the same way across all EU states. Although individual Data Protection Authorities will have leeway in some areas, such as the imposition of fines, it’s expected that they will liaise closely with one another. This means that there should be a new uniformity to data protection management in the EU.
Overall the GDPR gives data subjects better control over how their data is processed and brings greater obligations on organisations processing that personal data.
Companies and organisations must have the core data protection principles of the GDPR entrenched in the organisation. As per Article 5 these are: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
A “controller” under the GDPR is the organisation or business that determines the purposes and means of the processing of personal data, while a “processor” carries out the processing on behalf of the controller. A processor can in turn engage “sub-processors”, but only with the controller’s prior authorisation (Article 28(2)), so the controller retains visibility and approval rights over them.
The GDPR does not use terms such as customers or clients; the language used most consistently throughout the Regulation is “natural person” or “data subject”. The term “personal data” means any information relating to an identified or identifiable natural person (the “data subject”). For the purposes of this article, end clients or customers will be referred to as “data subjects”.
The term “processing” means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Article 4 of GDPR contains a full list of definitions.
Understand what the GDPR means for you
It’s fine to know why the GDPR has been created, but your business cannot hope to meet GDPR requirements if it does not understand how it is affected. Many businesses believe that they do not have to comply with the GDPR; for a great number of these, this is not true. Most online businesses will find that they are affected by the new regulation. Here are some facts you may find interesting.
Every business established in the EU must comply with the GDPR, as must every business elsewhere that offers goods or services to, or monitors the behaviour of, people in the EU (Article 3). This includes businesses across the globe, not just those based in EU states.
Many businesses may need to appoint a Data Protection Officer (DPO). Under Article 37 this is mandatory for public authorities and for any business whose core activities involve regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of personal data as defined in Article 9 (or of data relating to criminal convictions under Article 10).
It’s vital that you know how the GDPR relates to your business, and that you acquaint yourself with the new regulations. If you do not have this knowledge, you cannot go on to ensure that your business is prepared for the GDPR’s implementation.
Companies must understand whether they are a controller or a processor; many organisations combine elements of both.
Working on the areas below will assist a business or organisation to implement best practices with respect to the GDPR.
Audit your data
Auditing the data your business holds will not be a trivial task, but it will enable you to make many informed decisions on how to comply with the GDPR.
Key questions to answer include:
- where your data is stored;
- why certain kinds of personal data are being processed;
- what the legal basis for that processing is;
- how long the data is retained;
- who currently has access to personal data, and who should have access moving forward;
- whether appropriate technical and organisational controls are in place;
- how much duplication of customer personal data exists across multiple sites.
All these areas need to be addressed before you can decide on the best course of action for your business. This first step, creating a holistic view of where all the different types of customer data reside, is a critical one. If you don’t know what personal data you hold, you can’t make any plan around that data.
Data Protection Impact Assessments (DPIAs) may need to be carried out before new processing starts, in particular where the processing is likely to result in a high risk to data subjects (Article 35). A DPIA examines the risks to data subjects arising from the new processing and helps ensure that data protection by design and by default (Article 25), a key GDPR concept, is in place. Most European data protection authorities give guidance on their websites about DPIAs and when they should be carried out.
Audit your service providers
Auditing your service providers’ compliance is where a lot of US companies may fall flat, and it may be where the most significant risk in your business resides. You will need to review your agreements with third-party service providers who process personal data on your behalf and put data processing agreements in place. Under Article 28 the controller must have a written contract (or other legal act) with each processor, and the processor may act only on the controller’s documented instructions.
If one of your service providers cannot show that it is on the right side of GDPR compliance, the work it does with the personal data of your EU data subjects could be deemed non-compliant and put you, as the controller, at risk.
The right to be forgotten and other Data Subject Rights
The GDPR strengthens two rights in particular for people in the EU covered by the Regulation: the right to be forgotten (erasure) and the new right to data portability. Data subject rights are extensive under the GDPR and are governed by Articles 12-22. They also include the right of access (to receive a copy of their personal data), the right to rectification, the right to restriction of processing, and the right to object to processing, including to automated decision-making and profiling.
These rights may lead to a significant increase in requests from data subjects in the European Union and companies and organisations must ensure they are set up and staffed correctly to deal with them.
Controllers and Processors
You will need to understand whether you fall into the category of a data processor or a data controller under the GDPR. A data processor is a business or organisation that processes personal data on behalf of a controller. A data controller is a business or organisation that determines the purposes and means of processing personal data. Controllers and processors have different obligations under the GDPR, and your business could be both at the same time.
To complicate matters further, a controller can have multiple processors, and each processor in turn multiple sub-processors. The controller remains accountable for processing carried out on its behalf and can be held liable for damage caused by it (Article 82); a processor is liable where it has not complied with the obligations the GDPR places specifically on processors, or has acted outside the controller’s lawful instructions. It is essential that US companies carefully select their processors where the data of EU data subjects is being processed and sign data processing agreements with them. A data processing agreement should govern the relationship between a controller and a processor, and in turn between the processor and its sub-processors, which must be bound by the same data protection obligations. The agreement should cover all aspects of data protection governance; Article 28 details what these contracts must contain and Article 82 sets out the liability regime.
GDPR Penalties and Fines
The new enforcement procedures and fines associated with GDPR compliance are perhaps the aspects which have most US corporate leaders sitting up and paying close attention.
The hefty penalties associated with non-compliance could run into millions. Infringements fall into one of two tiers (Article 83): the lower tier carries fines of up to €10 million or 2% of annual worldwide turnover, and the higher tier up to €20 million or 4% of annual worldwide turnover for the preceding financial year, in each case whichever is higher. Apart from financial penalties, data protection regulators have the power to order a business to cease processing.
It is highly likely that the first companies to be penalized for non-compliance will receive significant attention. The reputational damage to companies that do not comply with the new law could be more costly than the GDPR fines themselves.
It is very possible that some of your competitors will be preparing to use GDPR compliance as a competitive advantage to position themselves ahead in the marketplace.
Are you prepared to suffer the reputational damage that non-compliance could bring to your business? In the months and years ahead, data privacy could become the new arena for marketers to compete and win new customers, and your business should be preparing for that battle.
Data Protection Officer
In some cases, companies will need to appoint a Data Protection Officer (DPO). Article 37 of the GDPR sets out when a DPO is mandatory, Article 38 the position of the DPO, and Article 39 the DPO’s tasks.
The GDPR is going to impact almost all operational teams within your business. Complying with the new regulation is going to require a lot of hard work, and it may be a best practice to centralize all the work under one person’s responsibility rather than having multiple data ‘chiefs’ within your business. If someone is accountable, then they take charge and put things into motion to achieve compliance.
A business with no establishment in the EU that regularly processes the personal data of EU data subjects may be required to appoint a representative based in the EU (Article 27) to act as a contact point for EU supervisory authorities and EU data subjects.
Data Breach Notification
If a personal data breach occurs, your business must report it to the appropriate supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33), unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the notification is late, the reasons for the delay must be given. A processor that becomes aware of a breach must notify the controller without undue delay.
Each EU member state has its own supervisory authority responsible for enforcing the GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of data subjects (your customers), those individuals must also be notified without undue delay (Article 34).
Prepare for Data Breaches
You will need to review and update the internal processes you currently have in place to detect, contain, report and investigate data breaches, so that you can meet the timeframes and rules set down by the GDPR and the supervisory authorities. Every breach, whether or not it is notifiable, must be documented together with its effects and the remedial action taken (Article 33(5)).
Record of Processing Legal Basis and consent
You will need to document your record of processing as set out in Article 30 and understand and document the appropriate legal basis for each processing activity. Understanding your legal basis should be part of the data audit. Where consent is the legal basis, for example for marketing lists, a business must be able to demonstrate how that consent was obtained (Article 7). Consent must be granular, specific, informed and freely given by an unambiguous affirmative action, and it must be as easy to withdraw as it was to give.
There is one exception, in Article 30(5), for organisations employing fewer than 250 persons. It applies only where the processing is occasional, is not likely to result in a risk to the rights and freedoms of data subjects, and does not involve special categories of personal data or data relating to criminal convictions and offences. If any one of those conditions is not met, the Article 30 records must be kept.
While a large part of the GDPR regulation focuses on how companies look after their consumers’ data, your business will also have to apply the GDPR standards to employee data.
Data Retention Policy
A data retention policy is a key GDPR component, and the documentation and accountability requirements mean that an organisation’s retention policy must be written down. To comply, organisations should audit the data they hold, document a retention policy that takes account of their statutory requirements, and regularly review the personal data they hold and their processing against that policy. Because the GDPR requires demonstrable accountability, the organisation must be able to show that the policy is actually applied.
Best Practice means covering multiple workstreams
Best practice means implementing the measures necessary to move a business or organisation towards, and keep it in, GDPR compliance. Compliance is an ongoing process made up of multiple workstreams:
- Ensure that contracts with data processing providers reflect the respective GDPR responsibilities.
- Ensure that the Data Protection principles as per Article 5 of GDPR are implemented in the business or organisation.
- Audit any personal data that the business processes to ensure that it’s accurate, up to date and that the business still has a legal basis to retain it. Complete a data inventory and ensure that your data inventory is compliant with the GDPR Article 30 requirement.
- Ensure the business has a fit-for-purpose retention policy, that the business actually follows it, and that it respects the statutory retention periods that apply to your sector (for example, those governing insurance industry data).
- Ensure that the business has the appropriate Technical and Organisational measures in place to keep personal data safe and secure.
- Ensure the business is set up and trained to deal with subject access requests and other requests from data subjects about their personal data. The GDPR introduces rights to data portability and erasure. Erasure is not an absolute right: where the business has a legal obligation to retain the data, it is retained. Under the portability right a business may have to provide a client’s data in a structured, commonly used and machine-readable format, and transmit it directly to another organisation, even a rival, where technically feasible.
- Ensure the business is set up and trained to deal with any data breaches and reporting of such to the data protection authorities.
- General training and awareness around data protection is critical, as misdirected or incorrect disclosure of personal data is one of the most common causes of data protection breaches.
- Ensure the business is legally entitled to process personal data: that it has an applicable legal basis, be that contract, legal obligation, legitimate interests or consent, and that where processing is consent-based the required consent is in place and properly recorded. Article 6 sets out six legal bases for processing personal data; Article 9 sets out the additional conditions for special category data.
- Demonstrating compliance is a key part of the accountability requirement: organisations must be able to show compliance with the Regulation through a documented paper trail. Ensure there is ongoing monitoring of compliance.
- Consider appointing a DPO (Data Protection Officer); the Article 29 Working Party (WP29) has issued guidance on the sectors that should consider appointing one.
- Data minimisation and privacy by design and by default must be core principles of any data processing. This means collecting only the personal data required for the purpose, and treating data protection as a key lifecycle component of every processing activity in the business or organisation.