Companies that collect any kind of personal data on citizens in European Union (EU) countries will need to comply with new rules regarding protection of customer personal data as per the guidelines of the new standard called General Data Protection Regulation also know as GDPR in short.
Organizations are in the processes of understanding the new regulations and planning the actions need to be taken which causes some concerns obviously. For instance, what identifies as personal information of the customer is quite wide in range as per GDPR. Organizations will need to understand what categorized as personal data and what steps they need to take to protect all this data with the same level of protection as they now handle data like credit card information, SSN number etc.
Many of the organizations will need to change their processes and systems in order to be compliant with GDPR. We can see a lot of internal process changes happening already within the organizations especially changes to the existing security systems and data storage and sharing protocols.
Let us understand what GDPR exactly is and what steps organizations can take to be compliant.
What is General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is created by the European Union (EU) to strengthen and unify data protection for individuals. It is a new framework document regulating data protection.
It is designed to give individuals better control over their personal data and establish one single set of data protection rules across Europe. The GDPR will come into force on 25th May 2018 and it affects every business within 28 EU Member States. For the first time in the history, EU will have one set of regulations for all its member states but these standards are quite high and require most companies to make large investments to meet and be compliant with GDPR.
It is also applicable to businesses outside the EU who process the personal data of EU residents and offer them goods and services, irrespective of whether payment is required: or where the processing by a business related to the monitoring of the behavior of EU residents in so far as their behavior takes place within the EU.
Conditions for consent have been tightened. Companies must ensure consent is clear and distinguishable from other matters in an easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Companies will no longer be able to use illegible terms and conditions.
What is Personal Data?
Personal data is defined as any information relating to an identified or identifiable person. This means information that can identify someone, directly or indirectly for example by online means such as IP addresses and cookies if they are capable of being linked back to the individual.
This also includes indirect information, which might include physical, physiological, genetic, mental, economic, cultural or social identities that can be traced back to a specific individual.
The online identifiers provided by devices, applications or other tools can leave traces which, when combined with unique identifiers and/or other information received by the servers can be used to create profiles of data subjects and identify them, so it’s personal data. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address and other online identifiers.
What is the Compliance Criteria for Companies?
Almost all the companies which have their presence in the European Union or processes personal data of the citizens of EU will have to comply. Some of the specific criteria which will decide if the company falls users the GDPR compliance or not are:
- If the company is present and operates in any of the EU country.
- If the company is not present in EU, but it processes any kind of personal data of European residents.
- If the company have more then 250 employees.
- If the employee count is less then 250 but its data processing can in any way impact the rights and freedoms of European residents.
What are the Main Principles of Data Compliance under GDPR?
Each organization must ensure that processing of personal data complies with all six of the following general principles:
- Lawfulness, Fairness and Transparency: Personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose Limitation: Personal data must be collected for specified, explicit and legitimate purposes only and no further processed in any manner which is incompatible with the original purposes is allowed.
- Data Minimisation: Personal data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed.
- Accuracy: Personal data must be acurate and where necessary, kept up to date. Inaccurate personal data should be corrected or deleted.
- Retention: Personal data should be kept in an identifiable format for no longer that is necessary.
- Integrity and Confidentiality: Personal data should be kept secure and integrity of the data should be maintained in all manners possible.
Which organizational roles defined by GDPR are responsible for compliance?
The GDPR defines the following roles which are should be responsible for ensuring compliance:
- Data Controller: Data controller is the role responsible for defining how personal data is processed and the purpose for which it is processed. Controller is in charge of the not only inside the organization but also for making sure that outside contractors comply.
- Data Processor: Data processor is not a single position, it can be internal stakeholders, teams, groups which are responsible for maintaining and processing personal data of the customers.
The GDPR holds processors liable for breaches or non-compliance. It’s is possible that the company and processing partners (example, cloud service provider etc) will be liable for penalties even if the fault is entirely on the processing partner.
- Data Protection Officer (DPO): Data Protection officer will be the person responsible for overseeing both data controllers and processors as well as developing the data security strategy and handling compliance. Companies are required to have mandatory DPO if they process or store large amounts of EU citizen data or if the organization is a public authority (with some exceptions like law enforcement department may be exempted from the requirement of a DPO).
What are the New Rules for Obtaining the Consent for Processing Personal Data?
A key part of GDPR required consent to be given by the individual whose data is held by, through an explicit action. The rule says:
Consent should be separate from other terms and conditions and should not be a precondition of signing up to a service.
The GDPR imposes the following condition which organizations need to follow in order to obtain a valid consent:
- Specific and granular consent for distinct processing operations should be taken from the customer. Current ways in-use like presumed consent and the consent obtained based on vague or blanket information are no longer allowed.
- Organizations should keep clear record to demonstrate consent, in order to show how and when the consent for each processing activity was obtained: who, when, how and what we told people.
- Organizations need explicitly to name any third parties who will rely on the consent of our customers for further processing activities.
Can I still market to my existing customers?
Providing they meet the new rules, existing consents should still apply. Where personal data is processed for direct marketing, the individual’s right to object should clearly be brought to their attention.
How do I obtain consent?
In general, consent needs to be explicit, opt-in, and freely given. This means popular opt-out based consent of today will no longer be acceptable.
What is an opt-in statement?
No longer can consent be obtained by silence or opt-outs, instead an active process(e.g. ticking a box) must be completed to class as consent. Companies must be able to demonstrate that the individual has actually given consent for their data to be processed after they were completely informed. The new rules outline that “Silence, pre-ticked boxes or inactivity should not, therefore, constitute consent.”
Control and Visibility
- Data subjects need to comprehend how any organisation is collecting, processing, storing and sharing their personal data.
- The organization will be obliged to obtain customers’ explicit consent for all specific processing purposes, based on complete and transparent information.
- When we are relying on individuals’ consent for any processing activity of their personal data, we must inform individuals of their right to withdraw consent.
- Individuals can request the deletion of all their data.
- Complete anonymity of this data is also accpetable.
- Individuals will be able to request copies of their personal data, free of charge.
- Electronic access: It must be possible to make requests electronically.
- Where such a request is made, the information should also be provided electronically, unless otherwise requested by the individual. Where possible, the individual should also be able to get secure access to their personal data.
- Purpose of requests? The request should allow the individual to be aware of and verify the lawfulness of the processing activities the company is carrying out, including all the processing purposes.
- Time for compliance: The organization must comply with the exercise of these rights within a month. If the request is complex or if the number of requests received is large, organization can extend the period but only after informing the individual about the reasons for providing a late answer.
Everyone has the right to have their personal data deleted “without undue delay”, for example where data is no longer necessary for the purpose it was initially collected or processed.
What are the penalties for non-compliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR or EUR20 Million. This is the maximum fine that can be imposed for the most serious infringements (e.g. not having sufficient consent to process data or violating the core of privacy by design concepts). There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order, no notifying the supervising authority and data subject about a breach or not conducting an impact assessment.
It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ will not be exempt from GDPR enforcement.
What does ‘Privacy by Design’ mean?
The GDPR for the first time introduces the concept of “data protection by design” into formal legislation. At the conceptual level, data protection by design means that privacy should be a feature of the development of a product, rather than something that is tacked on later. Thus, the companies are required to implement appropriate safeguards, including the enclosure of privacy into the design of the business processes, new projects that involve processing of personal data and IT applications support, in order to include all the necessary security requirements at the initial implementation stages of such developments.
Data protection must be a key consideration when designing the projects, applications or data systems, and not an addition. This principle also ensures that wherever consent from the individual is required for data to be processed, their consent cannot be assumed and must be given actively.
Steps every organization should take to tackle this
Every organization should take steps in order to be compliant with the GDPR regulations when it comes to action. Some of the actions organizations can take are listed below:
- Make sure that all the employees of the organizations are aware that the Data Privacy is changing, and trying to anticipate the impact of GDPR on the daily activities employees are performing.
- Documenting what personal data is held by the organization, followed by where it came from and with whom it is shared.
- Reviewng the internal policies and develop new ones in order to address the new rights that individuals will have, such as: how and when the organization should delete personal data or how the data will be made available electronically and in what format.
- Planning how to handle customers’ access requests within the new time frames and provide the required additional information.
- Identifying and documenting the legal basis for each type of data processing activity.
- Reviewing how, consent for each processing activity is sought, obtained and recorded and implementing new features if required. Refreshing the existing consents if they don’t meet the GDPR standard.
- Ensuring that relevant procedures will be in place to detect, report and investigate any data breaches until May 2018
- Reviewing the current Privacy Policies and Statements and make any necessary changes, in order to provide a complete, clear and transparent information.
- Designating a responsible person for Data Privacy topics and risks, as a contact point for all matters regarding data privacy rights. The GDPR does not say whether the DPO needs to be a discrete position, so presumably a company may name someone who already has a similar role to the position as long as that person can ensure the protection of PII with no conflict of interest. Otherwise, you will need to hire a DPO. Depending on the organization, that DPO might not need to be full-time. In that case, a virtual DPO is an option. GDPR rules allow a DPO to work for multiple organizations, so a virtual DPO would be like a consultant who works as needed.
The General Data Protection Regulation is a good set of regulations to protect people in this world where every activity the customer performs is recorded and is used to make a profit out of us. Initial setup and changes which organizations need to act upon will take some time and resources but it is beneficial for the organizations in the long term. It will be especially good for those who are operating in multiple EU member states, now they will need to comply only to one set of regulations.
On the other hand, GDPR leaves a lot to interpretation for the organizations as well as governing bodies. For example, It mentions that organizations much make sure to provide “reasonable” level of protection for customer’s personal data, but what does “reasonable” means is not defined. This will give the GDPR governing body a lot of leeways when it comes to taking any actions against organizations and assessing fines for any kind of breaches and non-compliance.
But as every set of regulations there are positives and negatives, GDPR also have its good and bads but it will require some time to understand how effective it is and if it is as beneficial for the customer’s personal data protection as it seems on the paper.