When the General Data Protection Regulation (GDPR) becomes law, on 25 May 2018, you will need to know about software upgrades for GDPR compliance. It could be that your business or organisation may need to upgrade software that is already in place, or it may need to find a different software solution.
What does GDPR mean for your business?
Let’s start by examining what the GDPR actually is. The GDPR is legislation that is intended to provide consistency in the way personal data is processed throughout EU states. But it does not just affect the EU. The GDPR also introduces new and improved rights for data subjects who are EU citizens. This means that any business or organisation that processes the personal data of EU citizens has to comply with the GDPR, no matter where in the world it is based.
If you know little about the GDPR, you may find it helpful to read the advice of the Article 29 working party, or the information provided by the Data Protection Authority (DPA) that is relevant to your organisation.
Many of the businesses that will need to comply with the GDPR have shown concern regarding its implementation. They are worried that current processes and software solutions will not be sufficient to implement new policies. But the fact is that businesses will need to find a way to be compliant, or face fines of up to 20 million Euros, or 4% of annual turnover, whichever is more.
Special personal data that is high risk
When it comes to considering software upgrades for GDPR compliance, it’s important that any business or organisation pays particular attention to high risk processing activities. These activities include the processing of special personal data such as:
- Information about ethnicity.
- Information about religious or political beliefs.
- Information about health.
- Information about sexual orientation.
- Genetic information.
If your business or organisation is involved in the large scale processing of any of these types of personal data, it needs to ensure that it is legally permitted to do so, and that the software and processes are in place for any identified risks to be mitigated.
What types of software company are affected by the GDPR?
As with any other type of business or organisation, software companies themselves are affected by the introduction of the GDPR. They need to ensure that the software they produce, and the methods they employ, are compliant with GDPR rules. This applies to software companies that are based in the EU, and to those that are based outside of the EU, but are involved in processing the personal data of EU citizens. Of course, for those companies based outside the EU, they only have to comply with the GDPR when it comes to the personal data of people who live within the EU.
That being said, it’s probably not practical to separate two sets of customers and deal with their personal data separately, based on geographic location. It’s easier to ensure that the software, processes and procedures are in place to ensure that the company complies with the GDPR in relation to all of the personal data that it processes.
How is software itself affected – why are software upgrades for GDPR compliance required?
So, we have seen that software companies can be affected by the GDPR but what about the software that they produce?
One of the most important aspects of GDPR compliant software is that it needs to enable a means for explicit consent to be provided. Although consent is not the only legally permitted reason for processing personal data, if it is being used as the reason for processing, it needs to satisfy certain criteria:
- It has to be given freely and be fully understood.
- It has to be given separately to other agreements.
- It has to be given as the result of a positive action. A business or organisation can no longer make use of pre-checked tick boxes.
What this means is that a licence agreement for the general use of software is not sufficient consent for personal data to be processed. Consent has to be sought outside of this type of agreement. It’s worth including a whole separate section regarding consent. Do not forget that you need to ensure this happens for all users, not just new ones. And you have to be careful about how you get this consent. You cannot email current users directly, as this represents direct marketing, which is illegal under the GDPR without consent. You may want to think about including information about consent on your website, with a link to the relevant software.
Storing consent with personal data
It makes sense to ensure that the software and systems that you use enable you to store consent so that it can be related to the relevant personal data. This is because it’s not sufficient to be compliant with the GDPR, you need to have the paperwork in place to prove that you are compliant. Keep a record of the date and time at which consent was provided, as well as how it was provided, and a copy of the consent itself. Doing all of this means that you have all of the necessary proof to hand should you be asked to provide it.
Do not forget that when you request consent from people you need to make it easy for them to withdraw it at any time. For example, if someone gives permission for you to send them a regular newsletter, it has to be easy for them to update their records and withdraw their consent for the newsletter to be sent, whenever they wish to do so.
What information should customers be able to see?
One of the major principles of the GDPR is that data subjects have more control over the way their personal data is used. This is one of the reasons why software upgrades for GDPR compliance are so important. You need to ensure that your software enables customers to have the access that they require.
This includes the ability to:
- See the personal data that is being processed.
- Get access to a full record of all of the data held within 40 days of request. A system access request (SAR).
- Change data that is incorrect, or request that it is changed.
- Request to be forgotten. This means that customers can ask that all of the personal data held is deleted. It’s important to note that there may be legally valid reasons which mean that you are unable to comply with this type of request.
- Ensure that data is provided to the data subject in a portable and machine readable manner. This is a new aspect of data protection which has been introduced as a result of the GDPR. It means that data subjects should be able to transfer data between software solutions easily. This may mean that they transfer the data to one of your competitors.
All of these are freedoms which are guaranteed by the introduction of the GDPR. This is why you need to ensure that you have the right software in place in order to ensure that your business or organisation is compliant.
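The two requirements above, keeping a dated, attributable record of consent (and of its withdrawal) alongside the personal data it relates to, and giving the data subject access, rectification, erasure and a machine-readable export of everything held, can be modelled in a small store. The following is an added illustrative example, not code from the article or from any particular product. The names `DataStore`, `ConsentEvent` and `fixed_clock`, the in-memory storage, the sample subject data and the choice of JSON as the portable format are all assumptions made here for illustration.

```python
"""Consent ledger and data-subject export.

Added illustrative example, not code from the article. Assumptions not stated
on the page: a small in-memory store keyed by a subject id, an append-only
consent log, and JSON as the machine-readable export format.
"""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class ConsentEvent:
    """One grant or withdrawal of consent for a single purpose."""
    purpose: str        # e.g. "newsletter"; kept separate from any licence agreement
    granted: bool       # True = consent given, False = consent withdrawn
    method: str         # how it was obtained, e.g. "website form"
    consent_text: str   # copy of the wording the subject agreed to ("" on withdrawal)
    timestamp: str      # ISO-8601 UTC, recorded when the event happened


@dataclass
class SubjectRecord:
    subject_id: str
    personal_data: dict
    consent_log: list = field(default_factory=list)


def fixed_clock():
    """Constructed timestamp so runs are deterministic; use a real clock in practice."""
    return datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)


class DataStore:
    def __init__(self, clock=None):
        self._records = {}
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _now(self):
        return self._clock().isoformat()

    def add_subject(self, subject_id, personal_data):
        self._records[subject_id] = SubjectRecord(subject_id, dict(personal_data))

    def record_consent(self, subject_id, purpose, method, consent_text, granted=True):
        """Append a consent event; a grant must carry the wording shown to the subject."""
        if granted and not consent_text.strip():
            raise ValueError("a grant must be stored with the consent text shown to the subject")
        event = ConsentEvent(purpose, granted, method, consent_text, self._now())
        self._records[subject_id].consent_log.append(event)
        return event

    def withdraw_consent(self, subject_id, purpose, method="account settings"):
        # Withdrawal is logged as a new event; the original grant stays as proof.
        return self.record_consent(subject_id, purpose, method, "", granted=False)

    def has_consent(self, subject_id, purpose):
        """The most recent event for the purpose decides; no event means no consent."""
        for event in reversed(self._records[subject_id].consent_log):
            if event.purpose == purpose:
                return event.granted
        return False

    def rectify(self, subject_id, field_name, new_value):
        """Right to rectification: correct one field of the personal data."""
        self._records[subject_id].personal_data[field_name] = new_value

    def subject_export(self, subject_id):
        """Right of access / portability: everything held about the subject, as plain data."""
        rec = self._records[subject_id]
        return {
            "subject_id": rec.subject_id,
            "personal_data": dict(rec.personal_data),
            "consent_log": [asdict(e) for e in rec.consent_log],
            "exported_at": self._now(),
        }

    def subject_export_json(self, subject_id):
        """The same export serialised as JSON so the subject can carry it elsewhere."""
        return json.dumps(self.subject_export(subject_id), indent=2, sort_keys=True)

    def erase_subject(self, subject_id, legal_hold=False):
        """Right to be forgotten; returns False when a legal obligation requires retention."""
        if legal_hold:
            return False
        del self._records[subject_id]
        return True


if __name__ == "__main__":
    store = DataStore(clock=fixed_clock)
    store.add_subject("u1", {"email": "alice@example.test"})   # constructed sample subject
    store.record_consent("u1", "newsletter", "website form", "Send me the monthly newsletter.")
    print(store.subject_export_json("u1"))
```

The design point is that consent is never overwritten: a withdrawal is appended as its own dated event, so the record still shows when and how the original consent was given, while `has_consent` reads only the latest event for a purpose. The export includes the consent log as well as the personal data, which is the proof you would be asked to produce.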
Reporting a data breach within 72 hours
One of the stipulations of the GDPR is that data breaches should be reported within 72 hours. It’s important to note that the time starts from when the business or organisation could reasonably be expected to have first realised that a breach had occurred. It’s important for you to make sure that you have the right software and systems in place to ensure that you can quickly and effectively ascertain if there has been a data breach. Enabling this to happen means that you should be able to comply with this aspect of the GDPR.
Hopefully, you can start to see why software upgrades for GDPR compliance are so important. You need to ensure that you have all of the right software in place, to make sure that all of your processes are GDPR compliant. This includes being able to analyse data so that you know that your business or organisation only processes data that is accurate, relevant and still needs to be processed.
Do not forget that it’s not just about the software either. You also have to ensure that the people who work within your business or organisation are fully aware of the implications of the GDPR. Everyone has a responsibility to ensure that they take actions which are GDPR compliant. Ensuring that this is the case, together with upgrading or replacing software, should help your business or organisation to comply with the stipulations of the GDPR at all times. This in turn should help you to avoid the imposition of large fines and other potential sanctions which could adversely affect your business.