Will your company be GDPR compliant on May 25? The General Data Protection Regulation (GDPR) becomes EU law on 25 May 2018. Some companies are not sure if and how it applies to them, others are scared thinking that they will not be able to handle any personal data any longer or will have to pay millions of Euros in fines. As always, the reality is somewhere in between.
Non-compliance may create serious problems but, unless your company is mainly working with personal data, the measures you may need to take may not be so revolutionary as some of the doomsayers may say. For sure there are things which need to change. You cannot just carelessly collect personal data about people and use it for whatever you want without permission. But that may not be a bad thing. In the past, different countries had different data protection regulations, some pretty tough, while others were more lenient. The GDPR is tougher in some areas but more flexible in others. The good news is that the intention of the GDPR is that more or less the same legislation is valid across the EU which means that, by implementing it, you can work with any European country without problems. However, in reality a member state may implement additions to the GDPR and GDPR may also be a moving target.
At Gislen Software, we have over the last few months, worked on making our company GDPR compliant. Our company is located in India but works mainly with European clients. Therefore we need to take GDPR very seriously. Thanks to our own work we believe we have learned a few things. In this article, we would like to share some of our new knowledge. It should be said at the outset that we have no legal expertise. Obviously, we recommend that you use legal experts to assess your preparedness. But at the same time, it is good if you get a reasonably good picture yourself of what needs to be done for your company. Don’t just trust your lawyer to get GDPR compliant.
GDPR in short
Basically GDPR means that any establishment anywhere in the world which sells products or services to individual EU/EEA subjects (whether they charge for this or not) must have a reason to collect, store and process personal data and can only use this data for purposes clearly declared and which they either must store (for legal reasons or for being able to run their business) or which they have got explicit permission from the person to use. In addition, any individual about whom you store data has the right to request full details of all data you store, request changes, deletion or even export of the data in a standard format, if applicable.
You can’t any longer keep personal data forever and you have to delete it once it is not relevant any longer. In the case of a leak, you need to inform the concerned data protection authority and possibly any person whose data has leaked, within 72 hours of discovery. Overall the GDPR is technology agnostic, has a very broad definition of personal data and is based on self-assessed compliance.
The burden of proof is on the company. That means that the data protection authorities don’t have to prove that you have failed to follow GDPR. It is your responsibility to prove that your company is GDPR compliant. The data protection authorities have rights to warn or fine non-compliant companies.
Who has to be GDPR compliant?
Any establishment which provides products and services to the European Union or European Economic Area and collect or process personal information, whether it charges for them or not, has to be GDPR compliant covers personal data about people physically inside the European Union (i.e. it is not limited to European citizens or residents. Any establishment interacting with a European or a non-European visiting Europe is covered, while any establishment interacting with a European or non-European outside EU/EEA is not covered.
Note that person-to-person interaction is not covered, but an establishment providing a service which connects people with other people is covered (social media, auction sites etc.). Whether you are the prime owner of the data collected (controller) or a subcontractor (processor or sub-processor) GDPR applies to you and you still have to be GDPR compliant. However, the main responsibility lies with the controller who is obliged to establish a legal agreement with every processor. To make life easier, we recommend the implementation of a uniform process for personal data, treating everyone, regardless of citizenship, residence or location, in the same way.
What is Personal Data?
Personal data as per the GDPR is any data which uniquely identifies a physical person and properties and any actions/transactions related to that person. Personal data includes any data which alone or combined can identify a physical person and any attributes, actions or transactions connected or linked to the same entity. Aggregated or anonymised data is not considered personal data.
Here are some examples of personal data: Name, email address (including sender/receiver of an email), mobile number, home address, work address (if combined with any unique identification). Other forms of indirect unique identifiers include IP-address and cookies. If you have an address of a house in which many people live, it is not personal data but, if you combine that with something which makes it possible to identify one person (such as gender, age, hair colour or car ownership), the set of data becomes personal data. When aggregating data this may be an issue. Sometimes aggregated data is not aggregated sufficiently to ensure that it is not impossible to identify a unique person. GDPR then applies to the data.
Note that a person may be mentioned in an email or a document. A photo of a person who can be identified is personal data. Therefore, you have to consider the content of unstructured information also.
A third party may be mentioned in an email or a document. Documents are covered if they include personal data. Websites are covered if they set cookies, store IP-addresses, accept data in forms, have user accounts, etc.
Reasons to store or process personal data
GDPR does not in any way forbid you to store and process personal data. However, it says that you must have a reason to do so. Reasons to do so may be:
- There are laws in place which state that you must store data (such as bookkeeping laws)
- It is essential for your business to collect the data
- You have asked permission from the person to collect the data.
The last reason is the weakest. Getting permission from people in a dependent position, such as employees, may not be sufficient, as an employee may not be in a position to refuse or question the data collection. It may be better to justify storing the data because it is essential for your business to store it. You may ask a customer for permission. Even so, you must still justify your reasons for collecting the data and you are not allowed to use the data for reasons other than those for which permission has been given.
If you want to approach a prospect you may collect data from a public source and send an email or call the person (since this is essential for your business), but if you do this systematically without having asked for permission then it becomes a breach. Likewise, you may not need to ask permission to send an annual newsletter or similar to your clients.
There are some special clauses related to sensitive data. If you for some reason collect medical data, or data about someone’s political or religious views, this data may need to be protected in a much stricter way.
Data Protection Officer
Public authorities must always appoint Data Protection Officers, and any establishment where collection, processing and storage of personal data is an essential part of the business must also do that.
A data protection officer must:
- Educate and train the staff of the company in the compliance requirements and how to process data
- Audit to make sure compliance and address issues proactively
- Be the contact person in relation to the Data Protection organisations
- Monitor performance
- Maintain records of all data processing activities
- Interface with people whose data is stored, inform them about their rights and how the organisation protects their personal information
- Have expert knowledge of data protection law and practices.
Representative in the EU/EEA
In some cases a company located outside of EU/EEA have a representative inside EU. This is described in Article 27 and Recital 80. As we understand it, this is not required in all cases, but some member states seem to take a different view so it is wise to investigate this carefully.
Unless the company is small (less than 250 people) and if data processing is not a core activity it is compulsory to keep records of what is being done in regards to GDPR. Records must be stored about permission received to store data, and requests to view, edit, delete or export data. Note that data about requests to delete may need to be stored even after data has been deleted, but can obviously not be used for any purpose other than to prove compliance.
How to get GDPR compliant?
You must map what personal data you have (not just in computer systems, but in physical form as well). You must for each data set give reasons why you need it, how long you will keep it, what measures you have in place to protect it, etc.
Keep in mind that personal data may exist in staffs devices. Company provided laptops but also in personal BYOD such as mobile phones. Data may exist in cloud-based personal services such as Skype and DropBox. You need to map all such data. For a small company, it may be possible to manage this. But what would you do if an employee leaves? Can you ensure that all data is deleted? What happens if a laptop is stolen? Was it encrypted? Are you ensuring that data is erased from harddisks before a laptop is reused or scrapped? These are just some examples of how GDPR compliance will demand new policies, procedures and technical solutions.
Note that compliance is not verified, but you have to be GDPR compliant. If you are reported to a Data Protection Authority in the EU, it is your duty to show your compliance, not theirs to prove your lack of compliance. Compliance is not optional.
Basically, for all such data, the company must be transparent with what data it collects and how it is processed. They have to explain WHY there is a need to collect the data, which can be for legal reasons, or because it is needed to run the business (such as a customer database or contact details for an invoice etc.), and explicit permission. Explicit permission really means explicit. It is no longer possible to have implicit opt-in for setting cookies, so the user must accept that a website sets cookies before any cookies are set.
All persons you have personal data about having a right to request for –
- details of all data stored about him/her (without charge)
- changes to incorrect data
- deletion (or anonymisation) of data about him/herself (unless there are laws which forces you to continue to keep them)
- export the data in a standard format (whenever applicable)
Obviously if the reason you store data is based on legal compliance, you may not be allowed to delete data until the law allows you to do so, e.g. you may for legal reasons have to store supplier or customer invoices for a certain time, but a client may even in this case request that you don’t use the data for marketing or sales.
No legal language
One important aspect is that it is not enough to have a data policy written in legal language. GDPR requires that you communicate in an easy to understand way why you store data and what you do with it.
Obligation to report
If you get to know about a leak of data, you must inform the relevant authority in the country of the EU subject (and possibly the person also) within 72 hours. This may be tough during long holidays and you may have to look into your preparedness. If you get to know about a data breach in the afternoon on the Thursday before Easter you must still report the breach by Easter Sunday afternoon at the latest. Christmas and other religious holidays present similar challenges as do Bank Holidays and other public holidays.
Consequences of non-compliance
The data protection authorities will now have right to warn non-compliant establishments or fine them. Fines can be as high as €20M or 4% of global revenue whichever is higher. Note that this applies to establishments selling products or services to the EU where personal inormation i s collected or processed. The EU obviously may not have jurisdiction for transactions taking place outside of EU, so any data about EU citizens which has been initiated when they travel outside of EU would, as far as we understand, be exempted, at least if that establishment has no business in Europe.
However, if a European establishment provides personal data to a non-EU establishment, the former is considered a controller and the Indian company a processor. For such work, GDPR demands that there is an agreement between the two establishments to ensure that responsibility and accountability are clearly established. This is particularly true for third countries. There is an agreement between the USA and Europe, so an agreement is a must if the Indian party is classified as a processor. But it is important to understand that even non-EU establishments dealing with EU citizens must be GDPR compliant.
Need for processor agreements
You would also need a processor agreement with any third party involved with your websites such as the hosting company, Google Analytics or any other tracking company. The same applies to any subcontractor or partner with whom you share personal data about your employees, customers or clients.
Standard agreements which may be useful if you work with a company outside the EU or if you are a company outside the EU which deals with European clients and, in the process, accesses or processes personal data are found here!
You may find more info (for the UK, but the principles are more or less the same for the entire EU/EEA) here!
We have in this article covered what GDPR is, what you need to think of to become GDPR compliant. For many companies GDPR may not be very cumbersome but, if your company handles a lot of personal data, a substantial amount of work to become compliant may be necessary. If you need help with ensuring your IT systems is GDPR compliant, we would be happy to help you. Here, you can find details of our software development services. In future articles, we plan to give some detailed advice – especially advises on how to make your website GDPR compliant.