DIGILEGALS

On the 25th of May 2018, the European Union's (EU) General Data Protection Regulation (GDPR) came into force. Companies that fall under the GDPR had to be compliant by this date; however, many companies failed to do so, and some even stopped offering their services to EU users altogether. Most of the companies that missed the deadline are now doing their utmost to become compliant as quickly as possible. Seeing the need of these companies for a short, practical summary of the main steps required, we prepared this short paper discussing the main steps you need to take to eliminate the most serious potential infringements of the GDPR.

The GDPR covers companies established in the EU, as well as companies outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU (Article 3). In practice this means that most companies will have to comply with the GDPR. The fines for non-compliance are high: for the most serious infringements a company can be fined up to €20 million or 4% of its total worldwide annual turnover, whichever is higher (Article 83).
Given the high risk of non-compliance and the fact that the deadline has already passed, companies that process the personal data of individuals in the EU need to start working on compliance right away.

Prior Analyses

The first thing you should do is conduct a Privacy Impact Assessment (PIA). A PIA is essentially an internal analysis of where your company stands at the moment: it shows you what data you hold, where your weaknesses are and what you can improve, and in the long run it can save you a lot of money and time. Note that the GDPR itself (Article 35) makes a closely related exercise, the Data Protection Impact Assessment (DPIA), mandatory whenever processing is likely to result in a high risk to individuals, for example large-scale processing of special categories of data or systematic monitoring of a publicly accessible area; a PIA carried out voluntarily for lower-risk processing follows the same structure.
According to the Information Commissioner's Office, a PIA should incorporate the following steps:
1. Identify the need for a PIA;
2. Describe the information flow;
3. Identify the privacy and related risks;
4. Identify and evaluate the privacy solutions;
5. Sign off and record the PIA outcomes;
6. Integrate the outcomes into the project plan and
7. Consult with internal and external stakeholders as needed throughout the process.*

Data Protection Officer (DPO)

The second step you should take is appointing a DPO. The DPO is the person within the organisation responsible for monitoring compliance with the GDPR, and is the point of contact for data subjects, other companies and the supervisory authority on privacy-related questions. The DPO may be a member of staff or an external contractor (Article 37(6)). However, not every organisation needs to appoint a DPO under the GDPR; those that must do so are (Article 37(1)):
– a public authority or body (except for courts acting in their judicial capacity);
– an organisation whose core activities consist of the regular and systematic monitoring of individuals on a large scale; or
– an organisation whose core activities consist of the large-scale processing of special categories of data, such as health records, or of data relating to criminal convictions and offences.

Even if you do not fall under one of the categories mentioned above, it is advisable to at least engage a lawyer specialised in data protection who can help you with GDPR compliance and deal with questions from users and employees.

Awareness and Training

Even after the 25th of May, your company has to make sure on an ongoing basis that it is not infringing users' privacy rights and that it remains compliant with the GDPR. For that reason it is important that your staff, especially those handling customers' personal data, are well informed about the GDPR and the data protection principles. Your company should therefore invest in raising awareness and training its staff: organise a GDPR awareness session for all employees at least once a year, where they learn the basics, and provide more advanced courses for those who handle personal data directly, such as the IT and human resources departments, covering topics such as encryption, access control and how to recognise and report a data breach. Your company should also make sure its customers understand their rights, so updating your privacy policy and terms and conditions is a must; it is also good practice to e-mail customers to inform them of the changes.

Consent and Lawful Basis
In order for your company to process personal data you need to have a lawful basis for doing so. Article 6 of the GDPR lists six cases in which processing is lawful:

a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


If you are a private company, the basis you will most often rely on is a), consent, although b) (contract) and f) (legitimate interests) are frequently the more appropriate basis for core services and should be considered first. Where you rely on consent, it is imperative that the consent is valid under the GDPR: it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (Article 4(11)). Consent that is bundled into acceptance of your terms and conditions or privacy policy, or obtained through pre-ticked boxes, does not meet this standard (Article 7(2) and Recital 32); instead ask for consent separately, for example through a dedicated consent form or an opt-in checkbox per purpose, record when and how it was given, and make withdrawing consent as easy as giving it (Article 7(3)).

User Rights and Subject Access Requests

Besides consent, you also need to ensure that you understand and respect your user’s privacy rights. The GDPR lists a number of rights for users that a company must provide to them, those are:
a) the right to be informed;
b) the right of access;
c) the right to rectification;
d) the right to erasure;
e) the right to restrict processing;
f) the right to data portability;
g) the right to object; and
h) rights in relation to automated decision-making, including profiling.

You need to make sure you have the necessary measures in place to honour these rights, for example the ability to locate and delete all of a user's data when they ask for it. This requires that you have both the technical capability (knowing where personal data is stored, including in backups and with processors) and the staff capacity to fulfil these rights within the statutory deadlines.
One right that is very important, and with which most companies will have to deal right away now that the GDPR has come into force, is the right of access, exercised through a Data Subject Access Request. This right allows data subjects to request information about their data; they can ask the controller to disclose the following:
- what personal data about them is being processed;
- the purposes for which the personal data is being processed;
- who, if anyone, the personal data is disclosed to; and
- whether the personal data is used to make automated decisions about the data subject and, if so, the logic involved.*

Since such requests will become commonplace, it is important for companies to prepare procedures for handling the workload, as there are rules you will have to abide by: you cannot charge users for a request (unless it is manifestly unfounded or excessive, Article 12(5)); you must respond without undue delay and at the latest within one month, extendable by a further two months only for complex or numerous requests and only if you inform the data subject of the reason within the first month (Article 12(3)); you may ask for information needed to confirm the requester's identity before releasing data (Article 12(6)); and if you refuse a request, the data subject can complain to the supervisory authority.

Data Protection Agreements

As a private company you most likely share data with other companies in order to offer your services, whether a cloud storage provider, the Google business suite package or similar. If you wish to continue doing this, you must make sure that these partners meet the required data protection standard so that your customers' data is protected. Under Article 28 a controller may only use processors that provide sufficient guarantees, and the relationship must be governed by a written contract, commonly called a Data Processing Agreement, that sets out the subject matter, duration, nature and purpose of the processing, the types of personal data and categories of data subjects, and the processor's obligations (processing only on your documented instructions, confidentiality, security measures, assistance with data subject requests and breaches, deletion or return of the data at the end of the contract, and so on). If a partner is not willing to sign such an agreement, you have no choice but to end the contractual relationship and find a substitute.

Data Breaches

Your company needs to have safeguards in place to protect its customers' data from cyber-attacks. Besides a strong cyber-security programme, you also need a plan for what to do when a data breach occurs; data breaches are almost inevitable today, so it is important to prepare for one. If a personal data breach does happen, the controller must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms (Article 33); if the notification is made later than 72 hours it must be accompanied by the reasons for the delay. A processor must notify the controller without undue delay after becoming aware of a breach. Where the breach is likely to result in a high risk to the affected individuals, you must also inform them without undue delay (Article 34). Your DPO should be involved from the start, and every breach, including those not notified, must be documented (Article 33(5)). After the incident you should do everything in your power to minimise the damage and improve your cyber-security defences.

Concluding Remarks
If your company failed to fully comply with the GDPR by the 25th of May, you should continue working on compliance until you have reached a comfortable level. Even then, data protection and privacy should remain a constant concern, so that whenever a future project involves your customers' personal data you are conscious of the data protection implications from the outset and avoid unnecessary infringements. The best way to achieve this is to train your personnel continuously, conduct data protection impact assessments and apply the principles of data protection by design and by default (Article 25).

Citations:

* Information Commissioner's Office, Conducting privacy impact assessments: code of practice.
https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf

* GDPR Report, "GDPR Subject Access Requests" (2017).
https://gdpr.report/news/2017/11/20/gdpr-subject-access-requests/