Is anyone in your organization providing services or products to people in the European Union [1]? Are you monitoring the behavior (including online activity) of people in the EU? Or are you collecting personal data on living, identifiable people in the EU?
If the answer to any of these questions is ‘Yes’, then the General Data Protection Regulation (GDPR) applies to you as a ‘controller’. If you are not a controller, but you process personal data (including collecting or storing it) on behalf of a controller, you qualify as a ‘processor’. Either way, you are required to comply with the GDPR from the moment it becomes applicable on May 25th, 2018.
The GDPR places important obligations on the controller. The controller must, at all times, be able to demonstrate compliance with the GDPR through documented data protection policies, work processes, audit reports, and an administration of its personal data processing. New in the GDPR is that a processor is also responsible and accountable for its own part of the processing and for assisting the controller in demonstrating compliance.
You can’t bury your head in the sand: non-compliance can lead to fines of up to €20 million or 4% of your organization’s total worldwide annual turnover, whichever is higher. Depending on the situation, supervisory authorities can impose lower fines, but GDPR article 83 demands that fines be ‘effective, proportionate and dissuasive’.
Know your data!
To help demonstrate compliance, article 30 of the GDPR requires you to keep ‘records of processing activities’. For every collection of personal data you hold, this register describes the essentials: the purposes of the processing, the categories of data subjects and of personal data, the categories of recipients to whom the data has been (or will be) disclosed, the technical and organizational security measures and, where applicable, transfers to a third country (i.e. outside the EEA) or to an international organization.
While mapping your data to build this register, there are (at least) two situations that require extra attention.
No legitimate ground for processing
You may encounter collections of personal data for which the purpose is unclear, or for which there is no lawful basis. Think of a forgotten shadow database or a spreadsheet hidden somewhere on your network. It is important to find these collections, because processing such data (including merely storing it) is unlawful and you need to delete it without undue delay (including any backup copies).
For personal data ‘in the cloud’, it is not always clear at which physical location in the world the data is stored and who has access to it. The GDPR imposes strict rules on transfers of personal data to countries outside the EEA. But even where a transfer would be permitted, you risk a conflict between the GDPR and the law of the destination country. Some of the larger cloud providers, for instance, are US companies, and under US legislation they can be compelled to hand over data to the US government even when doing so would infringe the GDPR.
Possible mitigations include pseudonymization (replacing the identifying part of the data with a key code), provided the key is kept separately in a secure environment inside the EEA, and encryption of the data, which adds an extra layer of protection on top of that.
Policies to guarantee the rights of the data subject
The principle of transparency and the strong emphasis on the data subject’s rights in the GDPR mean that your organization must develop policies to honor these rights. The policies are also important for demonstrating compliance in this regard.
To begin with, your organization needs a policy for notifying the data subject of the processing. The notification should provide information such as the identity and contact details of the controller, the purpose and legal basis of the processing, the categories of personal data concerned, etc. If the data is to be obtained from the data subject, the notification must be given before the data is collected. If it comes from another source, the data subject must be notified ‘within a reasonable period’ and at the latest within a month after obtaining the data, or at the moment the data is first disclosed to another recipient or first used to contact the data subject.
Then, once you have the data, the data subject has the right to access it. Upon request, the controller must confirm whether personal data concerning the subject is being processed. If that is the case, the controller must give access to the data and provide the relevant information, such as the purposes of the processing, the categories of personal data concerned, the recipients to whom the data has been or will be disclosed, etc. The controller must also inform the data subject of the right to request rectification or erasure of personal data, the right to object to the processing, and the right to lodge a complaint with a supervisory authority.
Protecting the rights of the data subject demands a great deal from the organization. Your administration must be set up to handle these rights and to send the notifications involved. If the right to erasure is exercised, for instance, it must inform every recipient to whom the data has been disclosed of the erasure. The organization must also be equipped to handle the data subject’s right to withdraw consent given in the past. If there is no other lawful basis for the processing, this means it must be possible to stop processing the data of the subject concerned, and to erase their data without harming the processing of everyone else’s.
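As an added example (not from the original article), the following Python code shows the pseudonymization-with-separate-key approach suggested above for cloud-hosted data, and how a single data subject can then be erased without touching the rest of the dataset. It uses only the standard library. The sample records, the choice of `name` and `email` as the direct identifiers, and the idea that the HMAC key and re-identification table stay with a key holder inside the EEA while the pseudonymized rows may be processed elsewhere are all assumptions made for the example.

```python
"""Keyed pseudonymization with the re-identification material held separately.

Added example, not part of the original article. Assumptions:
  - 'name' and 'email' are the direct identifiers (everything else is payload);
  - the HMAC key and the re-identification table live only with an EEA-based
    key holder; the pseudonymized records are what leaves that environment.
"""
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("name", "email")  # assumption: fields that identify a person


def make_key() -> bytes:
    """Fresh 256-bit HMAC key; store it only in the EEA key-holder environment."""
    return secrets.token_bytes(32)


def pseudonym_for(email: str, key: bytes) -> str:
    """Deterministic keyed token: same key + same (normalized) e-mail -> same token.

    Without the key the token cannot be linked back to the e-mail address, and a
    different key yields an unrelated token, so the key is what separates
    'pseudonymized' from 'identified'.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records: list[dict], key: bytes) -> tuple[list[dict], dict]:
    """Split records into (pseudonymized rows, re-identification table).

    The pseudonymized rows carry a 'subject_id' instead of the direct identifiers.
    The re-identification table maps subject_id -> direct identifiers and must
    stay with the key holder.
    """
    pseudo_rows = []
    reid_table = {}
    for rec in records:
        token = pseudonym_for(rec["email"], key)
        reid_table[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo_rows.append({"subject_id": token, **payload})
    return pseudo_rows, reid_table


def reidentify(pseudo_row: dict, reid_table: dict) -> dict:
    """Key holder only: rebuild the identified record from a pseudonymized row."""
    identifiers = reid_table[pseudo_row["subject_id"]]
    payload = {k: v for k, v in pseudo_row.items() if k != "subject_id"}
    return {**identifiers, **payload}


def erase_subject(email: str, key: bytes, pseudo_rows: list[dict], reid_table: dict) -> list[dict]:
    """Right to erasure for one subject without disturbing the other rows.

    Drops the subject's re-identification entry (so the remaining rows for that
    token can no longer be linked to a person) and filters out their rows.
    Mutates reid_table in place and returns the remaining pseudonymized rows.
    """
    token = pseudonym_for(email, key)
    reid_table.pop(token, None)
    return [row for row in pseudo_rows if row["subject_id"] != token]


# Constructed sample data for the example; not real people.
SAMPLE_RECORDS = [
    {"name": "Anna Example", "email": "Anna@example.org", "order_total": 42.50},
    {"name": "Bert Example", "email": "bert@example.org", "order_total": 17.00},
    {"name": "Anna Example", "email": "anna@example.org ", "order_total": 9.99},
]


if __name__ == "__main__":
    key = make_key()
    rows, table = pseudonymize(SAMPLE_RECORDS, key)
    print("rows that may leave the EEA:", rows)          # no names or e-mails
    print("re-identified in the EEA:", reidentify(rows[0], table))
    rows = erase_subject("anna@example.org", key, rows, table)
    print("after erasure of one subject:", rows)          # only Bert's row remains
```

Note that the two `Anna` rows collapse to one `subject_id` because the e-mail is normalized before hashing; that is what lets a single erasure request remove all of a subject's rows. Per-row pseudonyms, by contrast, would defeat that and also break any analysis that needs to count distinct subjects.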
The GDPR will come into force within mere days. If your organization is not fully prepared yet, there is no time to lose.
[1] The GDPR has EEA relevance: it applies throughout the European Economic Area (EEA), which consists of the member states of the European Union (as yet including the United Kingdom) plus Iceland, Liechtenstein and Norway.
This article has been written by guest author Leo Besemer.