The new digital world has connected us all via electronic devices. We are sharing our personal data with organisations more than ever, sometimes willingly and other times without even realising it. In this era, we need more privacy and protection for our data. The European Union (EU) has taken a big step towards data protection by creating the biggest privacy law to date, one that influences not just EU organisations, but any organisation around the world that works with EU individuals.
The GDPR, or General Data Protection Regulation, is a set of data protection rules that aims to protect the personal data of EU residents by giving them more power and control over the data that relates to them. The GDPR came into effect on 25th May 2018.
Does the GDPR apply to your business? What is it really about? These are perhaps the first questions you might ask, but before answering them, you need to know some key terms of the GDPR.
Data subject: every living person who is an EU resident.
The GDPR applies to organisations that process the personal data of EU individuals, whether the organisation is physically located inside the EU or not.
It covers personal data that is processed wholly or partly by automated means, or as part of a filing system.
Personal data: any information that directly or indirectly reveals the identity of someone. It could be a name, email, address, or an online identifier such as an IP address or cookie.
Controller: an organisation that sets the purpose and makes the main decisions about personal data processing.
Processor: an organisation that acts on behalf of a controller.
Processing: any activity related to personal data, such as collection, use, storage and transfer.
If you are a company inside or outside of the EU that provides services or products to EU individuals, you must comply with the GDPR. The regulation grants people eight rights over their personal data and sets seven principles to make sure companies put the data subject's rights at the heart of their data processing efforts.
This is one of the most important concepts of the GDPR, and if you can successfully provide people with this right, you are much closer to GDPR compliance. It means you need to tell people that you are collecting their data, what your purpose for collecting it is, who you will be sharing the data with, and for how long you want to keep it.
You should use clear and easy-to-understand language to convey this information to the data subject.
This right, commonly known as subject access, enables individuals to see their personal data whenever they want, and organisations have one month to give them access. Individuals have the right to ask for a copy of the personal data an organisation is processing about them, and the organisation must respect this right. Going further, the company should provide a means on its website to help people easily make their access requests.
Data subjects can ask for correction of any inaccurate or incomplete personal data and you have to take appropriate actions to respond to their demand and rectify the data if you cannot justify keeping the data as it is.
It is good practice to make sure you are collecting accurate data, to avoid possible challenges in the future.
The GDPR gives data subjects the right to ask for their personal data to be erased, also referred to as the right to be forgotten. You have one month to provide them with an appropriate answer. However, this right does not apply in all circumstances. Here is a list of situations in which you need to act upon a data subject's request to have their personal data erased:
Data subjects have the right to restrict the processing of their personal data, which makes you responsible for doing so. However, this right, similar to the right to erasure, only applies in certain situations, including:
You have one month to provide data subjects with an answer to their requests.
With so many companies offering different services to individuals, being able to transfer data between organisations is a great option, and the GDPR recognises this by granting data subjects the right to data portability.
This right applies when:
This right does not apply to data that has already been anonymised. Pseudonymised data, if it is still traceable to the individual, is within the scope of this right.
In some situations, when you are processing personal data on the basis of legitimate interests or a public task, you have to stop the processing upon the data subject's request. In the case of direct marketing, data subjects have an absolute right to object to the processing.
You have one month to answer the data subject's request. You either stop processing their personal data or justify why you cannot do so.
This right applies when your organisation has a completely automated decision-making or profiling process in place. For example, you might be a financial institution that evaluates clients' eligibility for a line of credit through an automated process without any human involvement.
Data subjects are able to question your process when it has a significant negative impact on them, and you have to provide them with an answer.
You are allowed to have a solely automated decision-making process when it is required by law, when there is a contract between you and your client, or when your client has given you his or her explicit consent.
At every stage of processing personal data, from collecting it to destroying it, these eight rights should be the basis for everything you do. To that end, the GDPR sets seven principles for controllers, and breaching any of them amounts to violating the GDPR.
Before going into more detail about each of these principles, the picture below gives you a general overview of how they apply throughout the lifecycle of data in your organisation.
You need to keep these principles in mind, no matter where you stand in your data processing procedure.
This principle includes three elements, all of which you need to consider in your process. You must make sure that:
This principle is tied to the right to be informed.
Declaring your intention(s) for processing personal data right from the beginning, in a clear and concise manner, is a vital step you need to take to become GDPR compliant.
Records of your purpose(s) must be part of your documentation and of the privacy information you give to individuals.
You need to inform people about why you are collecting their data and what you want to do with it in the future. It is critical to know your exact purpose at the beginning, because you cannot easily change it later unless the new purpose is compatible with what you declared in the first place.
Being asked for a lot of unrelated information is a familiar scenario that most of us have come across. The GDPR wants to make sure you are only collecting the information that you need, nothing more and nothing less.
The GDPR does not prescribe a specific data limit; instead, your purpose should be your guide to how much data is enough for your particular intent. This is another reason why you need to be clear about your purpose right from the start.
You cannot collect information on the chance that you might one day use or need it. You must collect the minimum amount of data that is related to your purpose.
Collecting less data than you need to fulfil your purpose makes that data inadequate, and you should not process it, as doing so might violate the subject's rights.
As the name implies, this principle asks you to make sure the personal data you have collected is accurate. In addition, you have to update the information when necessary. Otherwise, individuals can use their right to rectification.
This principle is closely linked to other principles such as data minimisation and accuracy, and also to the subject's right to erasure. At its core, the storage limitation principle requires you to declare and justify how long you want to keep the data.
The GDPR does not accept storing data forever or for some new purpose in the future. You need to have a clear lifecycle for the personal data you collect.
When you no longer need the data, you have to make sure you delete it or apply other techniques such as anonymisation or pseudonymisation.
This refers to data that has been transformed into some sort of key or code, but from which you are still able to identify individuals. Pseudonymising data does not justify keeping it for longer than is necessary for your purpose.
You can keep the data as long as you want if it is no longer personally identifiable. Anonymisation is considered a valid solution for keeping data indefinitely or for a long period of time.
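The difference between pseudonymisation and anonymisation, and how both fit into a storage limitation policy, is easier to see in code. The following Python is an added example, not code from the original page or from Compliance Council: the sample records, the field names, the 90-day retention period and the keyed HMAC-SHA256 tokenisation scheme are all assumptions made for illustration.

```python
"""Pseudonymisation, anonymisation and a retention (storage limitation) step.

Added example, not code from the original page. The sample records, the field
names, the 90-day retention period and the HMAC-SHA256 tokenisation scheme
are all assumptions made for illustration.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample of collected customer records (no real people).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org",
     "postcode": "SW1A 1AA", "birth_year": 1984, "collected": date(2024, 1, 10)},
    {"name": "Bob Sample", "email": "bob@example.net",
     "postcode": "EH1 2NG", "birth_year": 1990, "collected": date(2024, 5, 2)},
]

# Fields that directly or indirectly identify a person (assumed for this example).
IDENTIFIERS = ("name", "email", "postcode")

# Demo values only; a real key lives in a secrets store, never beside the data.
DEMO_KEY = b"constructed-demo-key-keep-out-of-the-dataset"
REFERENCE_DATE = date(2024, 6, 1)


def _token(value, key):
    # Keyed hash: the same value and key always give the same token, so records
    # stay linkable, but nobody without the key can recompute or verify it.
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(record, key):
    """Replace identifiers with keyed tokens; the key is stored separately.

    The result is still personal data in the page's sense: whoever holds the
    key can trace a token back to the individual (see is_pseudonym_of).
    """
    out = dict(record)
    for name in IDENTIFIERS:
        if name in out:
            out[name] = _token(out[name], key)
    return out


def is_pseudonym_of(token, value, key):
    """The key holder re-links a token to a known value (reversibility)."""
    return hmac.compare_digest(_token(value, key), token)


def anonymise(record):
    """Drop direct identifiers and coarsen the rest so no key can re-link it.

    Only aggregate-grade attributes survive: postcode area and birth decade.
    """
    return {
        "postcode_area": record["postcode"].split()[0],
        "birth_decade": f"{record['birth_year'] // 10 * 10}s",
    }


def apply_retention(records, key, today, retention_days=90):
    """Storage-limitation step for a declared retention period.

    Records still inside the period are pseudonymised for day-to-day use;
    records older than the period are anonymised, since the page allows
    keeping non-identifiable data but not personal data beyond its purpose.
    Returns (pseudonymised, anonymised).
    """
    cutoff = today - timedelta(days=retention_days)
    pseudonymised, anonymised = [], []
    for rec in records:
        if rec["collected"] < cutoff:
            anonymised.append(anonymise(rec))
        else:
            pseudonymised.append(pseudonymise(rec, key))
    return pseudonymised, anonymised


if __name__ == "__main__":
    live, archive = apply_retention(SAMPLE_RECORDS, DEMO_KEY, REFERENCE_DATE)
    print("pseudonymised:", live)
    print("anonymised:", archive)
```

Two design points matter here. First, the HMAC key is what makes the pseudonymised records reversible, so it must be stored and access-controlled separately from the dataset; a plain unkeyed hash would let anyone with a list of candidate emails recompute the tokens. Second, coarsening to postcode area and birth decade is only anonymisation if the resulting groups are large enough that no individual stands out, which is a judgement to make against your actual population, not a property of the code.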
This principle is all about the security of the personal data you hold. You need to have adequate technical mechanisms as well as the right organisational processes in place to keep the data safe against any harm or damage.
The GDPR does not mandate a specific method for safeguarding the data. It depends on your organisation's circumstances and what makes sense for you in terms of applicability and cost. Pseudonymisation and encryption are two methods that are currently available, and you can use whichever suits you.
You should be able to demonstrate that you are responsible for the whole lifecycle of personal data processing in your organisation. Accountability is about showing your compliance with the GDPR and with all the previous principles.
The GDPR does not introduce a fixed framework for demonstrating your compliance, and this gives you the freedom to act on your unique circumstances and update your mechanisms when necessary. However, you must be able to document the process in a way that proves you comply with the GDPR.
In the principles section, we talked about how your data processing must have a lawful ground. The GDPR introduces six lawful bases that allow organisations to process personal data. Based on your specific purpose, you can select the lawful basis that is best for you. You should identify and document your lawful basis before beginning to process personal data.
If you carry out this step correctly, you gain the trust of your clients and build a long-lasting relationship with them.
At least one of these six lawful bases should apply whenever you are processing personal data. Here are the lawful bases at a glance:
In this case, individuals give you permission to process their personal data. This only works when you give clear information about your data processing and the data subject is in full control of the process and can withdraw consent at any time she or he wants.
Where there is an imbalance of power, such as in an employer-employee relationship, using consent as the lawful basis should be avoided as far as possible.
This can be your lawful basis when there is a contract between you and the data subject, and processing the personal data is necessary to carry out the contract or to enter into it.
When you have to comply with a law and processing personal data is required to do so, you can set legal obligation as your lawful basis. For example, employers need to keep records of employees' payroll for tax purposes.
This applies when you are exercising official authority vested in you, or you are carrying out a task in the public interest. Either way, the processing must be necessary to perform that specific public task; if it is not, you should find a more appropriate lawful basis for your purpose.
This lawful basis is limited to situations where you have a matter of life or death on your hands, mostly in medical cases. Otherwise, you cannot use vital interests as a lawful basis for processing personal data. You must be sure that no other ground is more appropriate, for example that you cannot use consent as your lawful basis.
When you or your third parties need to process personal data for a reasonable interest that is justifiable within the GDPR, you can choose legitimate interests as your lawful basis.
You can benefit from the flexibility of this lawful basis as long as you make sure you are not overriding the personal interests or freedoms of data subjects, and do not use their data for anything that might have a negative impact on them.
There are various reasons why you need to comply with the GDPR, and various ways it can influence your business. We explain a couple of the most crucial ones here:
Penalties for non-compliance are significant, with large fines for those in breach of the regulation: the maximum fine for a single breach is €20 million or 4% of annual worldwide turnover, whichever is greater.
Whether you are a large tech company like Google or a sole trader, the GDPR applies if you process EU individuals' personal data.
The GDPR applies to a large portion of companies around the world and could be considered the first global data protection law. The range and severity of its requirements have led to high awareness among the people who share their personal data with you and the companies that want to work with you. In such an environment, compliance with the GDPR is a must for the success of your organisation.
Preparation for the GDPR and compliance might not be easy for you at first, but the result can help you develop a simplified and organised workflow. Since data is one of the main assets of any organisation, you can expect to save money and time in the long term as a result of having effective work processes.
You can be among the trusted companies for your end users, as well as a reliable partner for companies who want to work with you. The sooner you comply with the GDPR, the better you can position yourself as a trustworthy organisation among others.
The amount of work you need to dedicate to becoming GDPR compliant depends on your organisation's characteristics, complexity and resources, but the result is always more effective data processing and stronger data governance that encourages trust.
Article 30 of the GDPR asks controllers and processors to maintain a record of their processing activities. For organisations with more than 250 employees, having documented processes is mandatory. For smaller organisations, there is no obligation unless you are processing personal data regularly, your processing puts data subjects' rights and freedoms at high risk, or you are processing the special categories of personal data.
Special categories of data include:
orientation of data subject
Documenting your data processing, even if you are not obliged to do so, is a great way to initiate or demonstrate your compliance with the GDPR, because it helps you identify the gaps between your current process and what the GDPR expects.
One way to gather all the personal data processes in your organisation is to build your data inventory. A data inventory brings every data processing activity, with its related details, together in one place.
You can use a technique called data flow mapping to create your data inventory. A data flow map pictures the entire lifecycle of data in your organisation in a clear and concise manner. It shows what data you hold, where it comes from, and how it is transferred inside or outside the organisation. Your data flow maps demonstrate the current flow of information and reveal where the gaps are. At that point, it is easier to know what needs to be done to fill them.
There are many elements you can include in your data flow maps, but these are among the key elements you should consider adding:
This list can go on for as long as you want. The important point to bear in mind is that this is not a one-time activity: you need to keep your data maps up to date. You might need to add new elements to your data flow to satisfy the demands of clients, third parties or regulatory officers.
The best way to approach creating your data flow maps depends on your organisation's structure or preference. Some companies prefer to create a data flow for every process they have inside the organisation, such as sales, customer service and performance evaluation, while for others creating a data flow for each department makes more sense.
All the data flow maps you create together shape your data inventory. If you do this step successfully, you will be able to address some major concerns of the GDPR, including:
Using a data inventory as a means of documenting data processing in your organisation puts you in a position of power and control over your data processing procedures.
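Once the data flow maps are collected into an inventory, the gaps the text mentions can be found mechanically rather than by reading each map. The Python below is an added example, not code from the original page or from Compliance Council: the inventory record fields, the sample activities and the gap rules are assumptions, while the six lawful bases are the ones listed on this page.

```python
"""Gap check over a data inventory built from data flow maps.

Added example, not code from the original page. The record fields, the
sample activities and the gap rules are assumptions; the six lawful bases
are the ones the page lists.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

LAWFUL_BASES = {"consent", "contract", "legal obligation", "public task",
                "vital interests", "legitimate interests"}


@dataclass(frozen=True)
class Activity:
    """One row of the inventory: a processing activity from a data flow map."""
    name: str
    purpose: str                        # purpose limitation
    data_fields: Tuple[str, ...]        # what data is held
    source: str                         # where it comes from
    lawful_basis: Optional[str]         # one of LAWFUL_BASES once documented
    retention_days: Optional[int]       # storage limitation
    recipients: Tuple[str, ...] = ()    # where it transfers to
    leaves_organisation: bool = False   # transferred outside the organisation


# Constructed sample inventory (not a real organisation).
INVENTORY = [
    Activity("newsletter", "send product updates", ("email",), "sign-up form",
             "consent", 365, ("mailing provider",), True),
    Activity("payroll", "pay staff and report tax",
             ("name", "bank account", "salary"), "HR onboarding",
             "legal obligation", 2190),
    Activity("web analytics", "", ("ip address", "cookie id"), "website",
             None, None, ("ad network",), True),
    Activity("crm export", "sales follow-up", ("name", "email", "phone"),
             "CRM", "marketing", 30, (), True),
]


def find_gaps(activities):
    """Return {activity name: [gap, ...]} for every activity with a gap.

    Each rule maps to something the page says the inventory should answer:
    purpose, lawful basis, retention period, and who receives transferred data.
    """
    gaps = {}
    for a in activities:
        issues = []
        if not a.purpose.strip():
            issues.append("no purpose declared")
        if a.lawful_basis is None:
            issues.append("no lawful basis documented")
        elif a.lawful_basis not in LAWFUL_BASES:
            issues.append(f"'{a.lawful_basis}' is not one of the six lawful bases")
        if a.retention_days is None:
            issues.append("no retention period declared")
        if a.leaves_organisation and not a.recipients:
            issues.append("data leaves the organisation but no recipient is recorded")
        if issues:
            gaps[a.name] = issues
    return gaps


if __name__ == "__main__":
    for name, issues in find_gaps(INVENTORY).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Running it on the constructed inventory flags the analytics and CRM rows and leaves newsletter and payroll alone. The value of the check is that it runs every time the inventory changes, which is how the maps stay current rather than becoming a one-time exercise; extend the `Activity` fields and the rules to whatever your own data flow maps record.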
The GDPR is a very strict law that has a huge impact on the way personal data privacy is treated and on how organisations approach data privacy and data governance. It is about putting customers' rights at the centre of what you do and working to earn customer trust.
Implementing the GDPR needs the commitment and constant engagement of the entire organisation. But, like any other big change in an organisation, it requires top management to be involved and to start the compliance process from the highest level of the organisation. Senior management should show that data protection is one of the organisation's top priorities by allocating appropriate support and resources.
The next step is providing awareness and training for employees in all departments that touch personal data in any way. Besides this, there should be a person or team in your organisation who is clearly responsible for data protection activities and issues.
From there, building your data inventory is a smart move. It helps you identify all your data processing activities, and the gaps between your current reality and the ideal state you want to reach to become GDPR compliant.
You can seek external help to make the process easier and smoother. Here at Compliance Council, our team of consultants can accelerate and simplify your compliance process. For more information you can fill out our contact form or talk to our general manager Jason O’Grady.