Ever since the General Data Protection Regulation (GDPR) was announced a couple of years ago, companies across the world have been in a state of anticipation. As one of the biggest regulatory overhauls of the past decade, the GDPR adds a variety of new data protection rules governing the handling of EU citizens' data.
The EU has announced that companies will be fined €20 million or 4% of their annual turnover if they fail to comply with the new regulations. This legislation has left IT professionals in a precarious position: IT departments are facing a race against time to ensure they have the internal procedures in place to comply by the start date of 25th May 2018.
Even though the GDPR does raise a number of challenges in terms of data handling, compliance is within reach of any organization committed to data protection. In this guide we break down the core components of complying with the GDPR to ensure that you’re ready when the time comes.
At the foundation of the GDPR is the idea that all data must be underpinned by consent of the data subject. An organization must hold affirmative consent of a data subject in order to process their data. Lack of objection will no longer be tolerated as an expression of consent, so you need to be proactive about obtaining consent from your data subjects.
The easiest way to do this is by asking them directly. For example, if you have a mailing list, sending out an email asking subjects whether they would like to remain subscribed is one way to stay compliant. At the same time, you need to make sure that a subject can withdraw consent at any time. This means that if a subject asks to be removed from your database, you need to comply as soon as possible.
Under the GDPR, if you hold data on an individual, they have the right to access it on demand. The right of access allows individuals to see how their data is processed and whether their information is handled ethically. More specifically, a user has the right to confirmation that their data is being processed, as well as access to that data and any supporting information.
You have around a month to provide individuals with access to their data. If a request is particularly complex you can extend this by two months, but you must have a valid reason for doing so. In the event of excessive requests you can charge a processing fee; however, it is best to assess whether this is the right course of action on a case-by-case basis.
The appointment of a data protection officer is one of the more unique stipulations of the GDPR. A DPO is to be appointed to oversee an organization’s internal processes and to ensure regulatory compliance. In an IT context this means acting as a contact point for data subjects and identifying data protection obligations.
A DPO can be appointed on an internal or external basis. The most important consideration is that the DPO must be independent of the other decision makers in the organization. Likewise, the DPO must be considered an expert in data protection best practices. In future, appointing a qualified DPO will be key to implementing an effective data protection strategy. You can browse suitable technology professionals with GDPR knowledge in our database.
One of the more complex aspects of the GDPR is that organizations must report data breaches to a supervisory authority within 72 hours of discovering the breach. This is difficult because many IT teams struggle to locate all of their data, especially on demand. The GDPR defines a personal data breach as any security event that affects the integrity or accessibility of personal data.
Once a data breach has been identified, you have an obligation to notify the affected individuals and let them know that their data has been compromised. To do this you need not only the tools to detect whether a breach has occurred, but also the internal procedures to ensure that threats are reported and addressed efficiently. This means IT staff should put in place a specific breach management policy and keep employees informed of it for future reference.
At the heart of the GDPR is the concept that you need a lawful reason for holding the data of EU citizens. In other words, processing their data needs to be ‘necessary’ to your service. That being said, lawful processing isn’t strictly limited to tasks that are deemed essential.
There are six bases that are considered lawful: contract, legal obligation, vital interests, public task, legitimate interests, and consent. As a company, it’s on you to establish that you have a lawful basis before you start processing. If you don’t have a lawful basis for processing the data you hold, you will be found in breach of the GDPR and subject to fines.
6. Take On New Hires to Monitor Compliance
In order to comply with the GDPR, it’s important to ensure you have the in-house staff in place to monitor compliance. Currently, around two-thirds of companies in the UK are hiring new talent to prepare for the introduction of the GDPR. The rise of new regulations means there is a clear need for experienced IT professionals.
To make sure you’re prepared for compliance, it’s a good idea to take on IT hires with analytics knowledge and project management skills. Ideal candidates would be data analysts and information security specialists. Taking on new skilled staff will ensure that your internal processes are maintained to prevent non-compliance.
7. GDPR and Facebook Data
Currently, when a user conducts any activity on Facebook, they are consenting to disclose their personal data. This data is generally used by companies to provide and improve their external services. However, with the implementation of the GDPR, organizations will be prevented from using this personal data unless they are supplied with explicit consent. Likewise, this data will need to be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”.
In practice this means that companies like Facebook will no longer be able to harvest user data for non-specific reasons. They will be unable to collect data under the proviso of improving the user experience, as this is too broad a goal. In other words, applying more specific parameters to the collection of data will narrow down the information that’s available to third parties.
Plan In Advance!
Ultimately, the GDPR acts as a way for companies to demonstrate their commitment to securing their subjects’ data. Even though the legislation raises a number of challenges, it’s intended to protect the rights of consumers. As a result, preparing for GDPR compliance offers organizations an opportunity to differentiate themselves from the competition.
In order to be ready on time, data management needs to become the bedrock of company policy. IT departments need to take the time to educate employees on the GDPR and implement an internal data handling policy to ensure compliance. By taking the time to draw up a strategy in advance, you’ll not only protect your subjects’ data but avoid some hefty fines as well.