The General Data Protection Regulation (“GDPR”) is an updated regime set to dominate board rooms across Europe and the world. Organisations that process EU data subject information are now within the scope of the regulation. It is the Sarbanes-Oxley of privacy. It relates to the offer of goods or services to individuals in the EU, irrespective of whether a payment is required, or, the monitoring of those individuals’ behaviour in the EU. Enforcement begins 25th May 2018. Below are the top ten considerations.
- Get Board Buy-in
Board attitude is crucial to getting the resources needed to adequately address new GDPR requirements. Ensure the impact of the new requirements is understood operationally and financially, with a view to saving money in the long run. If you think hiring a professional is expensive, cutting costs on compliance will give you a bigger financial headache - fines are up to 4% of annual worldwide turnover or €20 million.
- Train up an EU Data Protection Officer (DPO) now
Organisations whose core activities consist of processing “which require regular and systematic monitoring of data subjects on a large scale”, or consist of large scale processing of sensitive personal data (including companies based outside the EU), will be required to appoint a DPO, responsible for implementing compliance with the GDPR. With widespread reports of a shortage of suitably qualified DPOs (28,000 in the EU alone), organisations may want to consider training up an individual to act as their DPO. Alternatively, organisations should consider engaging a qualified third party DPO on an outsourced basis.
- Where is your personal data and what is it doing?
Organisations should develop an understanding of the personal data held and its sensitivity. Likewise, organisations need to fully understand the flows of personal data within their company and identify any potential for breaches.
- If you operate outside the EU, plan to appoint a DP representative who is based in the EU or, better still, a DPO
The extraterritorial scope of the GDPR includes organisations outside of the EU who process data relating to EU citizens (including those offering services or monitoring user behaviour). This means EU Data Protection law will apply to non-European companies if they do business within the EU (cloud-based processing outside of the EU for an EU-based company is also covered by the Regulation).
While many global multinationals have adopted Binding Corporate Rules or Standard Model Clauses, smaller businesses will need to be aware of such codes of conduct and how best to apply them. Companies which previously relied on Safe Harbor must be aware of challenges regarding the legitimacy of data transfers to and from the EU and the ongoing developments around the “EU-US Privacy Shield.” They should consider appointing a European-based DPO to address their increased data protection obligations. On May 25th 2016, the Irish Data Protection Commissioner, responsible for monitoring the compliance of, amongst others, Microsoft, Yahoo, Google, LinkedIn, PayPal and Amazon, referred Facebook’s model clauses to the European Court of Justice to test their validity. This follows an investigation arising from the groundbreaking case taken by student Max Schrems, which resulted in the end of Safe Harbor.
- Create an Information Management Policy and Data Register
An up-to-date record of data sources will help ensure the confidentiality of that data and assist information security practitioners in applying appropriate defence techniques. An Information Management Policy is the roadmap for how data and information is captured in an organisation. It should describe how data is collected, collated, captured and analysed, as well as define data flows and the roles of each person in the information management cycle. It is critical to understand not just how data comes into your organisation but its “life cycle”, and when it is time to purge or delete data you no longer need.
- Prepare a breach response plan
The GDPR requires organisations to notify their national authority within 72 hours following a breach. Where there is a significant risk to the rights and freedoms of individuals, organisations may also be required to notify the data subjects.
Organisations should prepare a response plan to ensure they can react to the incident itself while notifying data subjects and regulators within the required timeframe.
- Review contracts with data processors to ensure that appropriate Data Protection clauses are included.
If your organisation engages the services of a sub-contractor to process personal data (such as payroll or cloud service provider) then you must ensure Data Protection safeguards are enforced at a contractual level. In other words, get it in writing.
- Review your Data Protection policies & training culture
Maintaining and enforcing internal data protection policies and procedures is a requirement under the GDPR. If policies and procedures do not exist, you will need to create these.
- Privacy by Design and Default
Privacy should be built into all operations involving personal data by default; privacy can no longer be considered an afterthought. This is achieved by integrating Privacy Impact Assessments (PIAs) into new and existing projects and risk management processes. For cloud service providers, enhanced Privacy Level Agreements (PLAs) should be used to complement their service offering.
- Consent is King
Organisations must get explicit consent from data subjects (either by a statement or by a clear affirmative action) signifying agreement to process their personal or sensitive data. For children under 16 years of age, the child's parent or guardian must consent. (There is provision for a lower age limit, but no lower than 13.) A data subject's silence does not constitute consent. The processes for data capture, such as online forms or cookies, may need to be redesigned to include data processing policies in line with the requirements of the regulation, which calls for more transparency. New rights for data subjects include the “right to be forgotten”, “data portability” in order to move personal data from one service provider to another, and the “right not to be profiled”.
About Elizabeth K. Dunne
Elizabeth is a lawyer and certified data protection practitioner with fourteen years' experience in data protection, telecoms, financial services and regulatory compliance.
Elizabeth is based in Dublin, Ireland. www.dataofficer.ie