The European Union General Data Protection Regulation (GDPR) will come into force throughout the European Union and European Economic Area on May 25th 2018. This six-part guide will explain the new law and what businesses need to do to be compliant. The last article covered the major differences between the Data Protection Directive and GDPR. This article contains part one of the action guide.
When preparing for GDPR, businesses must first understand that data protection is not a responsibility for IT alone. It needs to be taken seriously at the highest level and should be a coordinated task for all departments, such as legal, compliance, finance, marketing & HR, in partnership with IT.
Here are the six steps firms must think about when organising themselves for the new law:
- Review current data
When the law comes into force it will cover all data gathered from then onwards, but also any existing data that is currently held. The first step, therefore, is to look at all the current data held on individuals and review every aspect of how it is kept: where it is stored, procedures for transfers, outsourcing, use of cloud services, security policies, training of employees, and the technologies deployed to secure the data.
The new law does not state that existing subjects should be contacted to give new consent, provided that valid consent was given when the data was originally collected. However, because the controller may have to demonstrate when and how consent was given, the organisation should look at the history of its data gathering to check that it conforms to the new regulation. If data is likely to have been collected in ways that do not comply with GDPR, or there is no record to show that it was collected compliantly, businesses may consider deleting all customer data and starting from scratch; an action that UK pub chain JD Wetherspoon has recently taken.
- Collecting new data
Before collecting information, businesses should tell the subject what the data will be used for. Consent is one of several lawful bases the regulation recognises, but where it is the basis relied on, the subject must then actively opt in. To help them make an informed decision, they must receive clear information on the data gathering; it cannot be opaque or hidden within long terms and conditions or other documents.
Businesses should only use the data for the purpose for which it was collected; it cannot be repurposed. Separate purposes require separate consent.
Data should only be kept for as long as necessary, and the local regulator – the Information Commissioner’s Office (ICO) in the UK – is entitled to ask the controller for its policies on data retention and deletion.
- Ensuring easy opt-out
Data subjects have the right to withdraw their consent at any time, and the regulation requires that withdrawing consent be as easy as giving it. A controller needs to provide an option that allows subjects to withdraw their consent, and procedures for removing their data from all sources. This can be complicated, especially if an organisation has multiple sources that automatically sync data between them: a record deleted from one system can be silently re-created from a copy held in another, so every copy has to be found and removed, and the sync itself has to be told not to bring it back.
- Encryption may mean not having to disclose breaches to customers
The regulation specifically calls out encryption as a technology that may mitigate data risks. Encrypted data remains unreadable to anyone without the relevant keys, wherever a copy of it ends up. As such, the loss of encrypted data creates little risk to the subject, and the regulation allows the controller not to inform subjects of a breach where the affected data had been rendered unintelligible in this way, which protects reputation. Two caveats apply: the separate duty to notify the regulator is assessed on its own terms and is not automatically removed, and the exemption only holds if the keys were not exposed in the same incident, so keys must be stored and managed apart from the data they protect. Businesses should investigate how encryption can be utilised to reduce the risk of data loss. It is worth looking at the individual fields in each data record to decide which need encryption and which do not.
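The two points above, removing a subject's data from every synced copy and encrypting only the fields that need it, come together in the following added example. It is written for this page in Go and is not code from the original article or from Skyhigh Networks. It assumes a constructed customer record with an email address and postcode, encrypts only those two fields with AES-256-GCM under a key generated per data subject, and handles withdrawal of consent by destroying that subject's key, so that every synced copy of their encrypted fields becomes unreadable at once. That last step, usually called crypto-shredding, goes beyond what the article describes; the record layout, field names and in-memory key store are all invented for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

// Record is a constructed customer record (not real data). Email and Postcode
// are personal data and are encrypted at rest; ID and Tier stay in the clear.
type Record struct{ ID, Email, Postcode, Tier string }

// KeyStore holds one random 256-bit key per data subject. Assumption: a real
// deployment keeps these in a KMS or HSM, not in an in-memory map.
type KeyStore struct{ keys map[string][]byte }

var ErrNoKey = errors.New("no key for subject: fields are unrecoverable")

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to limp past
	}
	return b
}

// KeyFor returns the subject's key, generating it on first use.
func (ks *KeyStore) KeyFor(subject string) []byte {
	if _, ok := ks.keys[subject]; !ok {
		ks.keys[subject] = randomBytes(32)
	}
	return ks.keys[subject]
}

// Forget destroys the subject's key, so every synced copy of their
// encrypted fields becomes unreadable at once (crypto-shredding).
func (ks *KeyStore) Forget(subject string) { delete(ks.keys, subject) }

// gcmFor builds AES-256-GCM; keys are always 32 bytes here, so it cannot fail.
func gcmFor(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}

// encryptField seals one field. Record ID and field name are bound in as
// associated data, so a ciphertext copied into another record or column
// fails authentication instead of decrypting.
func encryptField(key []byte, recordID, field, plaintext string) string {
	aead := gcmFor(key)
	nonce := randomBytes(aead.NonceSize())
	ct := aead.Seal(nonce, nonce, []byte(plaintext), []byte(recordID+"|"+field))
	return base64.StdEncoding.EncodeToString(ct)
}

// decryptField reverses encryptField and rejects malformed or tampered input.
func decryptField(key []byte, recordID, field, encoded string) (string, error) {
	aead := gcmFor(key)
	ct, err := base64.StdEncoding.DecodeString(encoded)
	n := aead.NonceSize()
	if err != nil || len(ct) < n {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := aead.Open(nil, ct[:n], ct[n:], []byte(recordID+"|"+field))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Protect returns the form of r that is stored and synced: personal fields
// encrypted under the subject's own key, everything else unchanged.
func Protect(ks *KeyStore, r Record) Record {
	key := ks.KeyFor(r.ID)
	r.Email = encryptField(key, r.ID, "email", r.Email)
	r.Postcode = encryptField(key, r.ID, "postcode", r.Postcode)
	return r
}

// Reveal decrypts a stored record for use; after Forget it returns ErrNoKey.
func Reveal(ks *KeyStore, stored Record) (Record, error) {
	key, ok := ks.keys[stored.ID]
	if !ok {
		return Record{}, ErrNoKey
	}
	email, err := decryptField(key, stored.ID, "email", stored.Email)
	if err != nil {
		return Record{}, err
	}
	postcode, err := decryptField(key, stored.ID, "postcode", stored.Postcode)
	if err != nil {
		return Record{}, err
	}
	stored.Email, stored.Postcode = email, postcode
	return stored, nil
}
```

Protect is what every downstream system receives, so a marketing export or a cloud backup only ever holds the ciphertext; Reveal is called at the point of use, which is where the plaintext (and the risk) briefly exists. Destroying the key in Forget is a backstop for copies that cannot be reached quickly, not a substitute for deleting the records, and the key store needs the same care as the data it unlocks: if the keys are lost in the same incident as the data, the breach-notification exemption described above no longer applies.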
- Using data processors
A data processor is a separate organisation that processes the data on behalf of the controller, such as a cloud provider or a marketing organisation asked to conduct a short-term project.
Controllers remain ultimately responsible for data security, so they should only use processors that understand they carry similar responsibilities and will meet the regulation’s requirements.
The data controller therefore needs to know every data processor that the organisation or its employees may be using, and be able to assess their policies and technology to confirm that they conform to the regulation. IT can provide that information and keep it up to date as new processors are adopted. As the average organisation now uses over 1,000 different cloud services, all of which could be considered data processors, this is a task that needs focus.
- Transferring data outside the union
A transfer takes place as soon as personal data leaves the 28 countries of the European Union, however it happens. It could be a transfer within a company (emailing an Excel sheet of customers from an EU-based employee to a US-based one), outsourcing to a non-EU data processor, or saving data to a shared file service hosted outside the EU, for example.
There are some non-EU countries that the European Commission deems to have ‘adequate’ protection laws, meaning transfers to them can take place without the need for a contract. These include Argentina, New Zealand and (for commercial organisations) Canada. For any country not on the list, appropriate safeguards are required before a transfer can take place, typically a legal contract based on the Commission’s standard contractual clauses, under which the non-EU recipient commits to GDPR-level data protection, or binding corporate rules for transfers within a corporate group.
If data is to be transferred to America, it can be legally transferred under the EU-US Privacy Shield. The programme puts strong privacy obligations on the companies receiving the data, as well as insisting on robust enforcement, clearer safeguards on US government access, and a redress mechanism for EU citizens. US organisations self-certify annually and the framework is administered by the US Department of Commerce and the Federal Trade Commission. (Since this was written, the Court of Justice of the EU invalidated Privacy Shield in July 2020, so it can no longer be relied on and transfers to the US need another safeguard.)
If a business knows that data will be transferred outside the EU at some point, subjects must be told at the time of collection and given the option to opt out.
The next article will contain part two of the GDPR action guide.
By Nigel Hawthorn, privacy spokesperson at Skyhigh Networks