In our previous article, we tried to highlight the main aspects of the GDPR and its relationship with existing Swiss regulations.
Now it is time to talk about the real impact the GDPR will have on organizations and how to make sure your business is well prepared and fully compliant.
The GDPR applies from May 25, 2018, which is very soon. It is designed to introduce uniform data protection requirements throughout the European Union (EU). So, if you market to or process information about EU data subjects, including end users, customers and employees, you need to determine whether your current data protection practices need to be adjusted to meet the new requirements.
First of all, the good news is that many of the GDPR's main concepts and principles are substantially the same as in its predecessor, the Data Protection Act (DPA), so if your business operations already comply with the DPA, they will remain largely valid under the new regime as well. From this point of view, you have a good base to start from.
It is clear that different parts of the GDPR will have a different impact on different organizations (e.g. the profiling or children's data provisions), so it is useful to determine first which parts of the GDPR are most likely to affect your business model and to pay particular attention to them.
To help you work towards full compliance, here is a 12-step guide that will help you find your way around the subject.
1. Awareness
Make sure that your company's decision-makers are fully aware of the upcoming changes brought by the GDPR: you may need their approval to implement new procedures covering the transparency and individuals' rights provisions of the GDPR. In large companies, this can have significant implications in terms of budget, human resources, IT, governance and communication. You should also plan to train your staff accordingly.
2. Communicating privacy information
When you collect personal data, you must already give certain information to people, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR, there are additional things you will have to tell people. For example, you will need to explain your legal basis for processing the data, your data retention periods, and the fact that individuals have the right to complain to the supervisory authority if they think there is a problem with the way you handle their data. So, you will need to review your current privacy notices and make any necessary changes.
3. Information you hold
You can start by locating and documenting all the personal data you hold: these are usually details such as name and address, phone numbers, date of birth and passport number, stored in your booking system, CRM or simply in PDF copies of invoices. If you have no reason to keep this data, think about getting rid of it. The GDPR requires you to keep records of your processing activities. You need to document what personal data you hold, where it comes from and who you share it with. You may need to organize an information audit across the organization or within specific business areas.
4. Individuals’ rights
Overall, the rights that individuals have under the GDPR are largely the same as under the DPA, but with some significant enhancements. You should check your procedures to make sure they cover all the rights of individuals, including how you delete personal data or provide data electronically and in a commonly used format. The GDPR includes the following rights for individuals:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object;
- the right not to be subject to automated decision-making, including profiling.
Note that the right to data portability is new. It only applies to:
- personal data that an individual has provided to a controller;
- processing that is based on the individual's consent or on the performance of a contract;
- processing that is carried out by automated means.
5. Handling subject access requests
Under the GDPR, you must take the following rules into account when handling subject access requests:
- In most cases you will not be able to charge a fee for complying with a request.
- You will have to comply within one month, rather than the current 40 days.
- You can refuse, or charge a reasonable fee for, requests that are manifestly unfounded or excessive.
- If you refuse a request, you must tell the individual why within one month and inform them of their right to lodge a complaint with the competent supervisory authority and to a judicial remedy.
6. Legal basis for personal data processing
You must identify the legal basis under the GDPR for each of your processing activities, document it, and update your privacy notice accordingly so that this basis is evident to users. The legal bases in the GDPR are broadly the same as the processing conditions in the current DPA. It should be possible to review the types of processing activities you carry out and identify your legal basis for each of them.
7. Consent to the processing of personal data
This step is about how you seek, record and manage the consent of your customers. Consent must be specific, granular, informed, opt-in, verifiable, freely given and properly documented. Please note that individuals generally have more rights when you rely on consent to process their data. There must be a clear, affirmative opt-in: consent cannot be inferred from silence, pre-ticked boxes or inactivity. It must also be presented separately from other terms and conditions, and you will need to provide simple ways for people to withdraw their consent. Public authorities and employers should pay particular attention to their consent procedures, since the imbalance of power makes it hard to show that consent was freely given.
8. Children
This new GDPR provision concerns the protection of children's personal data, especially in relation to commercial Internet services such as social networks. If your organization offers online services ("information society services") to children and relies on consent to collect information about them, you may need the consent of a parent or guardian to process their personal data lawfully. Under the GDPR, children can give their own consent to data processing from the age of 16; Member States may set a lower age, but not below 13, and the UK has chosen 13. If a child is younger than the applicable age, you will need the consent of a parent or of a person with "parental responsibility", and you must make reasonable efforts to verify that consent.
9. Personal data breach
This step is about checking whether your company has an established procedure to detect, investigate and report personal data breaches. Under the GDPR, all organizations are obliged to report certain types of data breaches to the competent supervisory authority (in the UK, the Information Commissioner's Office, ICO) and, in some cases, to the individuals who may be affected. Notification to the authority is required only for breaches that are likely to result in a risk to the rights and freedoms of individuals (for example reputational damage, discrimination, financial loss, breach of confidentiality or other significant economic or social disadvantage), and it must be made without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, you must also inform them directly without undue delay. Keep in mind that failure to report a personal data breach when required can result in a fine in addition to the fine for the breach itself.
10. Data protection by design and Data protection impact assessments.
Many companies already practise privacy by design and carry out a Privacy Impact Assessment (PIA) as part of that process. Under the GDPR, building privacy protection in from the design stage becomes an explicit legal requirement, referred to as "data protection by design and by default". The GDPR also makes PIAs, now called "Data Protection Impact Assessments" or DPIAs, mandatory in certain circumstances where the processing is likely to result in a high risk to individuals, such as:
- the use of new technologies;
- profiling operations that can significantly affect individuals;
- large-scale processing of special categories of data.
You must therefore assess the circumstances in which a DPIA will be necessary, decide who will carry it out and define its procedure.
11. Appoint a Data Protection Officer (DPO)
Under the GDPR, you must appoint a specific person (the DPO) to take responsibility for your data protection compliance if you are:
- a public authority (with the exception of courts acting in their judicial capacity);
- an organization whose core activities involve regular and systematic monitoring of individuals on a large scale;
- an organization whose core activities involve large-scale processing of special categories of data, such as patient medical records, or of data relating to criminal convictions.
Your DPO may be a member of your own staff or an external advisor, but it is very important that they take responsibility for your data protection compliance and have the knowledge, experience and independence to do the job properly.
12. International operations.
If your company or entity operates in more than one EU Member State, you should determine your lead data protection supervisory authority and document this. The lead supervisory authority is the one in the Member State of your main establishment. Your main establishment is the place where your central administration in the EU is located, or, if decisions about the purposes and means of processing are taken and implemented elsewhere in the EU, the place where those decisions are taken.
Take the GDPR as an opportunity to review your data protection procedures and update them. Much has changed in the world since the original DPA, and it is time to revamp your policies to keep up with today's cyber security requirements and to make your customers feel protected.