The General Data Protection Act (GDPR) took effect on 25 May 2018, and while enforcement of compliance was relatively lax in the first few months, the number of violations that have resulted in financial penalties has been increasing. It is therefore important for all businesses and organizations to implement GDPR best practices and ensure they are fully compliant. Any entity required to comply with the GDPR that does not adopt these GDPR best practices could easily violate provisions of the GDPR which could lead to a heavy fine or other sanctions. No business can afford for this to happen.
Of course, complying with the GDPR is not only about avoiding financial penalties. It is easier for businesses that are fully compliant to maintain a good reputation with customers who value the protection of their personal data. After all, no-one wants their personal data to be compromised.
Know what the GDPR is about
The first thing you need to do is ensure that you know what the GDPR is about and what has changed. This helps you and others in your business understand the new policies that you must follow. One of the main aims of the GDPR is to give people living in the EU greater control over the way their personal data is collected and processed.
One notable change from previous legislation concerned access to personal data. Individuals can ask for a copy of the personal data that is held on them by submitting a subject access request (SAR). The processing time for these requests was reduced to 30 days under the GDPR. Individuals also have the right to ask for data to be amended or deleted in certain cases, except when there is a valid legal reason for retaining the data.
Another aim of the GDPR is to ensure the requirements for protecting personal data is uniform across all EU states. Although individual Data Protection Authorities have leeway in some areas, such as the imposition of fines, it is expected that they will liaise closely with one another. That means there should be a new uniformity to data protection and management of personal data everywhere in the EU.
Overall the GDPR gives data subjects better control over how their data are processed and brings greater obligations on organizations processing personal data. Companies and organizations must have the core data protection principles of GDPR entrenched . As per Article 5 of the GDPR these are, Lawfulness, Fairness and Transparency, Purpose Limitation, Data Minimization, Accuracy, Storage Limitation, Integrity and Confidentiality, and Accountability.
Some important GDPR definitions
A “Controller” under GDPR is an organization or business that determines the purposes of the processing of personal data, whereas a “Processor” carries out the processing of personal data on behalf of the Controller. A Processor can further engage “sub-processors” and the Controller would have visibility and approval rights over these sub-processors.
The GDPR refers to individuals as either a “natural person” or ‘’data subject.’’ The term ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’). For the purpose of this article we will use the term data subjects for clients and customers.
The term ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not that is through manual or automated means. Processing includes collection, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing, transmitting, disseminating, combining, restricting, erasing, or destroying personal data. Article 4 of GDPR contains a full list of definitions used throughout the legislation.
Understand what the GDPR means for you
It’s important to know why the GDPR has been created, but your business cannot hope to meet GDPR requirements if it does not understand how it is affected by the GDPR. Many businesses believe that they do not have to comply with GDPR. For a great number of these, this is not true. Most online businesses will find that they are affected by the new regulations, even if they do not have a base in an EU member state. Here are some facts which you may find interesting.
- Every business that processes the personal data of people living within the EU must comply with the GDPR. This includes businesses across the globe; not just businesses that are based in EU states.
- Many businesses may need to appoint a Data Protection Officer (DPO).
- All businesses must comply with the GDPR if they process personal data on a regular basis, or if they are involved in processing special categories of personal data, as defined in Article 9 of the GDPR.
It’s vital that you know how the GDPR relates to your business, and that you acquaint yourself with the regulations. If you do not have this knowledge, you cannot ensure your business is fully compliant. Ignorance of the requirements to the GDPR is not a valid defense and will not allow you to escape a fine for noncompliance.
Companies must understand whether they are a Controller or Processor many organizations may combine some elements of both. Working on the areas below will help businesses and organizations implement best practices with respect to the GDPR.
Audit your data
Auditing the data your business holds will not be a trivial task, but it will enable you to make many informed decisions on how to comply with the GDPR.
Key questions to answer include identifying where all personal data are stored; why certain kinds of personal data are being processed; what is the legal basis for processing; how long must the information be retained; who has access currently to personal data and who should have access moving forward; are the appropriate technical and organizational controls in place, and how much duplication of customer personal data exists across multiple sites.
All these areas need to be addressed before you can decide on the best course of action for your business. This first step in creating a holistic view of where all the different types of your customer data reside is a critical one. If you don’t know what personal data is held or where the information is located, you can’t make any comprehensive plans concerning personal data.
DPIA’s or Data Protection Impact Assessments may need to be carried out by companies before new processing starts to ensure data protection by default and by design is in place, a key GDPR concept. You will also need to assess any risks to data subjects around any new data processing. Most European Data commissioners give guidance on their websites around DPIA’s and when they should be carried out.
Audit your service providers
The task of auditing your service provider’s compliance is where a lot of US companies may fall flat and may be where the most significant risk resides. You will need to review your agreements with third-party service providers who process personal data on your behalf and sign data processing agreements. The data controller is obliged to sign contracts under GDPR, and the data processor can only act on the Controller’s instructions.
If one of your data service providers is not able to prove that they are on the right side of GDPR compliance for US companies, then the work they do related to the personal data of your data subjects in the EU could be deemed non-compliant and put a Controller at risk.
The right to be forgotten and other data subject rights
The GDPR introduced two additional rights for people in the EU that are covered by the regulation; the right to be forgotten (erasure) and the right to portability of their data. The rights of data subjects are extensive under GDPR, and are detailed in Articles 12-22. Those rights also include the right to access and receive a copy of their personal data, the right to rectification and restriction of processing, and the right to object to processing, including automated processing and profiling.
These rights have led to a significant increase in requests from data subjects in the European Union and companies and organizations must ensure they have processes and staff to deal with them promptly. Automation is key in this area.
Controllers and processors
You need to understand whether you fall into the category of a data processor or a data controller under the GDPR. A data processor is a business or organization that processes personal data on behalf of a Controller. A data controller is a business or organization that determines the purposes and means of how customer data are processed. Both Controllers and Processors have different implications concerning how they comply with the GDPR for US companies, and your business could be both a data controller and data processor at the same time.
To complicate matters even further, a Controller can have multiple data processors and the processor in turn multiple sub-processors. Under the GDPR, the data controller is liable for the actions of data processors that they work with in the market. It is essential that US companies carefully select their data processors where the data of data subjects in the EU are being processed and that they sign data processing agreements with them, A data processing agreement governs the relationship between a Controller and a Processor and in turn the Processor’s sub-processors. The agreement should include all aspects of data protection governance. Articles 28 and 82 of the GDPR detail what these agreements or contracts should cover.
GDPR penalties and sanctions
The new enforcement procedures and fines associated with GDPR compliance are perhaps the aspects which have most US corporate leaders sitting up and paying close attention.
The hefty penalties associated with non-compliance with the GDPR could potentially reach into millions of dollars. Companies that do not comply will fall into one of two categories, and the higher of these could cost €20 million or 4% of the business’s global annual turnover, whichever is higher. In addition to financial penalties, Data Protection Authorities have the power to order a business to cease processing of all personal data.
The first companies penalized for non-compliance attracted significant negative attention. The reputational damage to companies that do not comply with the GDPR is significant, and could prove to be more costly than the GDPR fines themselves. Many companies were prepared for the introduction of the GDPR and have been fully compliant from the start, and they have used that to gain a competitive advantage to position themselves ahead in the marketplace.
Are you prepared to suffer the reputational damage that non-compliance could bring to your business? In the months and years ahead, data privacy is likely to be become the new arena for marketers to compete and win new customers, and your business should be preparing for that battle.
Data protection officer
In some cases, companies will need to recruit or appoint a Data Protection Officer (DPO). The GDPR sets out guidelines when a DPO is mandatory in Article 37 of the GDPR and Article 38 explains the position of the DPO.
The GDPR impacts almost all operational teams within your business. Complying with the GDPR requires a lot of hard work, and the best practice to centralize all the work under one person’s responsibility rather than having multiple data ‘chiefs’ within your business. If someone is accountable, then they take charge and put things into motion to achieve and maintain compliance.
For a business with no establishment in the EU that is regularly processing the personal data of EU data subjects, the best practice is to appoint a representative based within the EU to facilitate contact with EU regulatory authorities and EU data subjects.
Data breach notifications
If a data breach does occur, your business must report the event to the appropriate data protection authority within 72 hours of becoming aware of the event.
Each EU member state has its own Data Protection Authority that is responsible for implementing and enforcing the GDPR rules. Where a data breach poses a high privacy risk, or a high risk to the rights and freedoms of data subjects (your customers), then those customers must also be notified by your business if their personal data are exposed or compromised.
Prepare for data breaches
You will need to review and update the internal processes that you currently have in place at your business to detect, report, and investigate data breaches when they happen so you can comply with the timeframe and rules set down by the GDPR and supervisory authorities.
Records of the legal basis for data processing and consent
You need to maintain a record of processing as set out in GDPR Article 30 and understand and document the appropriate legal basis for processing personal data. Understanding the legal basis should be part of the data audit. Where consent is the legal basis, for example for marketing lists, a business must be able to demonstrate how that consent was obtained. Consent should be granular, specific, freely given by an unambiguous affirmative action, and just as easy to withdraw as to give.
There is one exception in paragraph 5 of Article 30 of the GDPR which may apply to companies with fewer than 250 employees. A business or organization employing fewer than 250 persons may be exempt from maintaining records under Article 30. This exemption would apply unless “the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data”.
While a large part of the GDPR focuses on how companies look after their customers’ data, your business will also have to apply the GDPR standards to employee data.
Data retention policy
A data retention policy is a key GDPR component and the documentation and accountability requirement under the GDPR means the data retention policy of organizations and companies needs to be documented. To comply with the GDPR, it makes sense for organizations and companies to audit the data they hold, document a data retention policy considering their statutory requirements, and regularly review their processing the storage of personal data to ensure their retention policy is being followed. The GDPR has a requirement for accountability, so an organization or business must be able to demonstrate compliance.
Summary and GDPR compliance checklist
- Ensure contracts with data processing providers reflect their respective GDPR responsibilities.
- Ensure the Data Protection principles as per Article 5 of GDPR are implemented.
- Audit any personal data processed to ensure it is accurate, up to date, and there is a legal basis to retain personal data. Complete a data inventory and ensure that your data inventory is compliant with the GDPR Article 30 requirement.
- Ensure the business has a fit for purpose retention policy and that the business is respecting it and it respects the statutory law on insurance industry data retention.
- Ensure the business has the appropriate Technical and Organizational measures in place to keep personal data safe and secure.
- Ensure the business is set up and trained as an organization to deal with any data subject access requests or other requests from data subjects around their personal data. The GDPR introduced new data subject rights around data portability and data erasure. Personal data erasure is not an absolute right, and should the business have a legal requirement to retain data it can be retained. The new data portability right means a business or organization may have to transfer a client’s data in a machine-readable format to a rival business or organization.
- Ensure the business is set up and trained to deal with any data breaches and can report data breaches to data protection authorities promptly.
- General training and awareness around data protection is critical, as incorrect data disclosure is the main cause of privacy violations.
- Ensure the business is legally entitled to process personal data, that it has an applicable legal basis to process data, be that a contract, legal obligation or where consent has been given. Where processing is based on consent, ensure proper records of consent are maintained. There are 6 legal cases for processing personal data set out in Article 6 of GDPR, and extra ones for special category data set out in Article 9 of GDPR.
- Demonstrating compliance is a key area under the accountability requirement of GDPR. Organizations must be able to demonstrate compliance by maintaining a paper trail. Ensure there is ongoing monitoring of compliance.
- Consider appointing a DPO (Data Protection Officer), the European data protection working group WP29 has issued guidance for sectors that should consider appointing a DPO.
- Data minimization and privacy by default and design is a core principle of any data processing. This means only collecting the personal data required for the purpose for which consent is obtained and having data protection as a key lifecycle component of any processing.