What is the General Data Protection Regulation (GDPR)?
The European Union’s new General Data Protection Regulation (GDPR) will come into effect on the 25 May 2018. The GDPR marks a significant change in the EU data protection and privacy regime, with some calling it the most important change in data privacy regulation in 20 years.
The GDPR will repeal and replace the current EU Data Protection Directive, which forms the basis for the existing data protection regimes in Ireland, the UK and across Europe.
How will the GDPR affect me?
The scope and standards of the GDPR reach wider and higher than its predecessor. The GDPR applies both to organisations established in the EU and to non–EU established organisations that target or monitor EU residents.
The GDPR introduces the principle of accountability, which means that affected organisations will have to work on their internal compliance.
New requirements relating to consent, breach notification, transparency, and the appointment of data protection officers (DPOs) mean impacted organisations need to review their policies and operational procedures.
These changes are important because of the large penalties and fines for non-compliance, of up to €20 million or 4% of annual revenue. But what are some practical steps required to become GDPR compliant?
Law firms are publishing many articles describing what the new GDPR privacy legislation says. But, from a practical perspective, businesses need to know what they need to do to put themselves in the best position possible for compliance. Roughly, I advocate a four-stage approach:
- Assessment – understanding your current data-related environment.
- Gap Analysis – comparing your current data-related environment with the ideal standard required under the GDPR.
- Remediation – undertaking the activities needed to reach the standard of compliance required under the GDPR.
- Adherence – taking the actions necessary to maintain and update GDPR compliance.
1. Assessment – where you are
The first step involves an assessment of your organisation’s information processes and procedures from the ground up.
Ideally, data protection compliance should be embedded within the DNA of your organisation, in all of its processes, products and services.
The assessment phase involves a variety of components related to your organisation’s activities, including hardware, security, software, contracts, policies and paperwork, and training.
I recommend you document all your findings so that you can refer to them during steps 2 – 4.
As part of the assessment you should examine the hardware your organisation uses to process data and determine its capability to maintain appropriate security and confidentiality in respect of personal data.
This will involve considering the nature of the personal data and the costs and practicalities of implementation and rectification.
You will need to evaluate the security risks inherent in your organisation’s processing of data and assess its current ability to manage and mitigate those risks.
In assessing data security risks, you may wish to consider the information security and data protection risks of processing personal data, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.
You should review the software involved in your organisation’s data processing activities to assess what types of personal data it captures and what controls are in place in respect of managing this data capture.
It is important to identify whether this data is being disclosed to third parties outside the European Economic Area, as certain steps are needed to legitimise the transfer of data depending on the destination.
The GDPR requires parties to include appropriate data protection language into all contracts that involve the processing of personal data.
Many day-to-day commercial and IT contracts that an organisation enters into will involve some form of data processing. Examples include services agreements, sourcing agreements, consultancy agreements, and cloud contracts.
You should identify all contracts that relate to or are connected with the processing of personal data.
Where your organisation is acting in the capacity of a data processor, it will also need to assess all contracts with its sub-contractors (known in this context as ‘sub-processors’), as the GDPR requires organisations to obtain the written authorisation of the controller before engaging them.
Policies and Paperwork
You will need to assess your organisation’s current privacy notices and policies, as the way they are written today is unlikely to meet the higher thresholds under the GDPR regarding valid consents or methods for communicating with relevant individuals.
This step should be undertaken as part of a full review of all of your current privacy compliance paperwork in light of the expansion of data subjects’ rights under GDPR.
Today, organisations commonly justify processing based on an individual’s consent or on the pursuance of legitimate interests of that organisation. The GDPR changes both of these standards.
Under the GDPR, consent must now be in the form of an unambiguous indication of the individual’s wishes by a statement or clear affirmative action. This can be achieved by, for example, ticking a box, choosing technical settings on a website, or a signature.
You should also carefully review all consents your organisation obtained prior to the GDPR coming into force. If these consents were not given in line with the requirements of the GDPR, they will no longer be valid and new consents will need to be secured.
Your organisation will also need to assess the adequacy of data protection training provided to employees and contractors involved in data processing activities.
Coming up in Part 2
In Part 2 of this article I will discuss how your organisation can follow steps 2 to 4 in the road to GDPR compliance – gap analysis, remediation and adherence.
Parts of this article are adapted from the Your General Data Protection Regulation Journey: A Practical Guide that I produced in accordance with Saros Consulting in Ireland.
Photo credit: Pixabay