The GDPR defines all businesses that deal with personal data as “controllers” or “processors”.
Controller: “natural or legal person, public authority, agency or other body that alone or jointly with others determines the purposes and means of processing personal data”.
Processor: “a natural or legal person, public authority, agency or other body that processes personal data on behalf of the Controller”.
In other words, a controller decides how and why personal data is processed, while the processor actually processes the data on behalf of the controller. Although this definition ultimately makes the controller responsible for ensuring that the processor complies with the law, the processor still has its own obligation to comply with the rules and to maintain detailed records of the personal data it processes.
In short: no matter what definition your business may fall into, if you deal with EU residents, you must comply with the GDPR.
What are some of the new requirements and regulations that businesses need to follow?
- Consent: Organizations will be required to obtain the individual’s consent to access and store their personal data, in an easily understandable and easy-to-use form, and to explain how that personal data will be used. It should be equally easy for the individual to withdraw that consent.
- Breach notification: Organizations must notify the supervisory authority within 72 hours of a data breach being detected.
- Territorial scope: The rules apply to any company that collects and/or processes personal data of an EU resident, regardless of where the organization is located or where it physically processes the data.
- Right of access: Organizations must be able to provide electronic copies of all personal data records to the person making the request, and explain what data is processed, the purpose of that processing, and where that data is stored. The data must be exportable in a “commonly used and machine readable format” so that the individual can transfer it to another data controller.
- Right to be forgotten: EU residents should be able to request that their personal data be erased and/or no longer shared with third parties, and those third parties should also stop processing it.
- Privacy by design: It is now a legal requirement that data privacy and security are considered from the start of any new project, with the necessary provisions built into any such new products or services.
- Data protection officer: Both the data controller and the processor will need to appoint a data protection officer (DPO) to manage compliance. This applies only to companies “whose core activities involve processing operations that require regular and systematic monitoring of large-scale data subjects or special categories of data or data relating to criminal convictions and crimes.”
So what does it mean to “follow GDPR”? If this applies to your business, it is very important that you seek appropriate counsel or legal advice on the matter. In the meantime, we have compiled a high-level list of some of the changes that may need to be implemented to be GDPR-compliant.
While we are getting down to the wire with an effective date of May 25, 2018, it is not too late to educate our teams on the requirements and implications of the GDPR. Sales, marketing, support, human resources, legal and finance, among many other departments, can have access to personal data. Key leaders on each team must be aware of the rules, knowledgeable about the requirements, and clear on how their team may be affected.
There are many agencies and consultants offering individual or webinar-based training sessions. If you’re feeling overwhelmed or confused, it’s a good idea to seek professional help or advice.
As mentioned above, not all companies will be required to have a DPO on staff or on retainer. However, if managing, processing or monitoring data is the “core activity” of your business, this may apply to you. The DPO will have a number of responsibilities to ensure GDPR compliance, including:
- Overseeing specific processes such as data protection impact assessments
- Maintaining data and data processing audit trails to ensure compliance
- Maintaining all data inventory
- Ensuring employee awareness and training
- Liaising and cooperating with the supervisory authorities
To understand your liabilities and the need to fix any holes, you will need to undergo a data audit across your organization to identify all sources and types of personal data. It will be a huge task, but probably one of the more important things you will need to do. Here are some suggestions on where to start:
- Identify who you collect data from.
- Identify who has access to this data.
- Identify where you keep their data.
- Identify why you collect this data.
- Identify how long you keep their data for.
- Identify how the data is being processed.
Once you have the answers to these questions, you can branch further:
- What data do we share with third parties?
- Why do we share this data with third parties?
- How do we share this data with third parties?
- Do our third parties share this data with other parties in turn?
- How do we protect the data?
- What information is being collected?
- Who is collecting it?
- How is it collected?
- Why is it being collected?
- How will it be used?
- With whom will it be shared?
- What effect will this have on the person?
- How long will personal data be kept?
Organizations will need to obtain an individual’s consent to use and store their personal data. The regulation also requires that this consent is obtained through an easy-to-access and easy-to-understand form that also explains how their data may be used. It will also be important to obtain affirmative consent from the guardian of any child under the age of 16.
You will also need to provide a simple mechanism by which individuals can withdraw their consent at any time.
The Information Commissioner’s Office has published detailed guidance on how you can obtain, record, manage and verify an individual’s consent.
In addition to the legal and financial implications of a data breach, the GDPR also has strict requirements to ensure that proper procedures are in place to detect, investigate, and report any breaches. These include:
- Implementing data protection procedures and measures and ensuring timely testing of these measures
- Notifying the data protection authority within 72 hours of the occurrence of any data breach
- Notifying affected persons after the occurrence of a high-risk data breach
Under the right of access and the right to be forgotten, organizations must be able to respond to an individual’s personal data request in a timely manner (usually within 30 days). Compliance in this area is broad, and organizations must be able to demonstrate that they can accommodate the following:
- Ability to respond to personal data inquiries
- Ability to provide access to personal data records
- Ability to access and update personal data records when requested
- Ability to delete any person’s data at any time, at their request
- Confirm that no data has been collected in excess of the minimum required for processing
- Confirm that no data is retained for more than the minimum period required for processing
- Confirm that no personal data is sold
- Confirm that personal data is not used by the controller or their processor for any purpose other than the one originally defined and agreed upon
In addition to proving that they can easily access and provide data upon an individual’s request, organizations must also provide that data in a format that is transferable and machine-readable, so that the data can be easily ported to another data controller if desired.
If your organization processes data in a way that poses a high risk to the “rights and freedoms” of individuals, it must complete a Privacy Impact Assessment (PIA), which analyzes how the personal data will be collected, used, processed and shared. The involvement of a DPO may be necessary at this stage.
Privacy by Design (or Privacy by Default) requires that all new programs or processes be designed with privacy in mind from the outset. This means that any existing and new programs or processes need to be planned, designed and executed with GDPR compliance and data protection provisions built in. It also means that all personal data collected should be collected only for the specific purpose for which it is needed, and maintained in a secure environment.
GDPR rules and requirements are complex, and trying to figure out where to start can be overwhelming. If you think this might affect you, you can start by appointing a DPO or GDPR “owner” within your organization and finding out where you may be most vulnerable. You will want to do a full data audit. Depending on the results of this audit, you may need to seek additional legal or advisory advice to ensure that you are ready – and fully compliant – by May 25.