The General Data Protection Regulation (GDPR) is considered the biggest change to data protection law in Europe in over two decades. The GDPR aims to protect the personal data and privacy of EU citizens and requires businesses to take the necessary measures to comply with it. Failing to comply may result in a hefty fine of up to 4% of your business's annual global turnover, and the deadline is right around the corner: the GDPR comes into effect on 25 May 2018.
What is GDPR?
GDPR is essentially a framework aimed at harmonising the data protection and privacy laws within Europe in order to give consumers better protection and a clearer understanding of how their personal data is used. Up to this point, each EU state was allowed to add its own data protection policies on top of the existing European Data Protection Directive, leaving room for interpretation and ambiguity from a legal standpoint. The GDPR establishes a single, standard set of rules across Europe. Each country will have its own Supervisory Authority to oversee and enforce compliance with the legislation.
Preparing for the GDPR
The very first step in preparing for GDPR compliance is to start raising awareness within your organisation. It is important that thorough research is conducted on the subject and that advice is sought where necessary, especially if you are already storing your users' personal information. It is also required to appoint an internal Data Protection Officer (DPO), who will oversee the data security strategy being applied in line with GDPR compliance.
Data Controllers vs Data Processors
The GDPR defines two distinct roles responsible for users' data and its protection: Data Controllers and Data Processors. It is very important for businesses to understand which role they fall under and the responsibilities that come with it.
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
In other words, if you own a website but have hired a web development company to develop and host the website for you, then you are the Data Controller and the development company is the Data Processor. The Data Processor is responsible for handling the data on the Data Controller's instructions. It is up to the Data Controller to inform users about the data being stored and the limits within which it is used. The Data Processor, on the other hand, is responsible for providing the Data Controller with a means to store this data, process it and make it available when necessary, in line with GDPR compliance.
The distinction is very important for compliance. Generally speaking, the GDPR treats the Data Controller as the principal party for responsibilities such as collecting consent, managing the revocation of consent (unsubscribing), enabling the right of access, and so on. If a data subject requests information or the deletion of their profile from the platform, the request is made to the Data Controller, and it is up to the Data Controller to act on the request, even if the data is hosted on servers belonging to the Data Processor.
Understanding your Users' rights under GDPR
It is imperative that your company is fully aware of your users' rights under GDPR. These rights include:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure (be forgotten)
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
Steps to Compliance
Step 1: Privacy by Design
The product you're selling, be it a process, an email service, a website or a mobile app, should be planned and designed with privacy in mind from the very earliest stages. If development is going to be outsourced, make sure that the Software Development Provider is adequately qualified to design, develop and release software with a sufficient degree of security and privacy to protect your users' data. As the product owner, you should not assume that your third party knows its way around the requirements; it is your responsibility to demand a certain level of security and to make sure the Software Provider can give you enough information about the security of the software in question.
Step 2: Remain Accountable
It is not just about being compliant, but about being able to prove that you are. This means documenting your procedures, architecture, security measures and every effort you are making towards protecting your users' data and information. You may start by conducting a Data Protection Impact Assessment (DPIA) to help you identify any weaknesses or flaws within your system. You should also get in touch with your Software Provider and ask them for documentation of their security measures.
Step 3: Active Consent
Step 4: Be Prepared to Delete your Data
Users may, at any point in time, ask you to delete their data from your systems. It is no longer sufficient to disable or deactivate a user's account; you must be able to completely delete the user's personal data from your systems. If you are subcontracting your hosting and maintenance, it is very important to make sure that your Data Processor has the tools and skills in place to delete a user's data upon request.
Step 5: Regular Data Audits
GDPR is not a one-time process that can be injected into the initial stages of a project and then forgotten about. You must make sure that the system remains compliant throughout its operational lifetime. Data Processors should inform Data Controllers about processing changes, for example a change in hosting provider. The Data Controller should make sure that the system remains compliant end to end following such changes and may require documentation to prove it.
Step 6: Monitor Threats and Breaches
GDPR will strengthen the disclosure requirements for data breaches. Under the new regulation, data protection authorities must be notified of a data breach within 72 hours of it becoming known. You must also inform the individual users concerned if their personal data has been breached or is at risk. Data breaches should be well documented, and all parties should be kept informed of the remedies and rectifications applied, including any preventive measures put in place.
If you are not sure whether your system is GDPR compliant, get in touch and together we will perform a GDPR audit of your online software.