Seven steps to GDPR

The EU’s new General Data Protection Regulation (GDPR) comes into force in May 2018, creating new rights and responsibilities over the handling and processing of personal data. All British businesses will be affected, as the UK will still be a member of the Union — and even after the UK leaves, you’ll need to follow the rules if you want to offer any type of service to the EU market. Indeed, there’s a good chance that the GDPR will be adopted into UK law. So it makes a lot of sense to act sooner rather than later and get your business ready.

What is GDPR?

GDPR replaces the 1995 Data Protection Directive, strengthening individuals’ data-protection rights and synchronising those rights throughout the European Union. Almost all businesses will have to update their processes to be compliant, but overall it should become easier for companies outside the EU to do business with the bloc, as there will only be one set of rules to follow.

The impact is so widespread partly because the GDPR covers anything and everything that can be considered personal data. That doesn’t just mean photos, spreadsheets and documents, but things as basic as names and social networking posts. If you keep an electronic list of customers, you need to comply; likewise if your website logs visitors’ IP addresses, if you send out newsletters, if you use a European cloud service (or store EU-relevant data on a non-EU cloud service, such as emails to and from EU citizens on a webmail service), and so on. There are exceptions, but these largely apply to employment and national security issues, or to individuals processing data at home for personal use.

The penalties for serial non-compliance are stiff, topping out at €20m or 4% of your company’s annual worldwide turnover – whichever is greater. These seven steps should help you avoid falling foul of the law, but the political situation is still developing with regard to post-Brexit rules: see the Information Commissioner’s Office’s overview for the most up-to-date information.

Focus on Privacy by Design

Make privacy inherent in everything that you design, be it a process, a product or a website. That way, no further data-protection measures should be required. Don’t assume that offloading your data to a third party is a way around this requirement, either: it’s your responsibility to make sure they’re compliant.

Requirements include end-to-end encryption, transparency, and the ability for users to identify themselves – when required – without passing non-essential sensitive data. That means that, for example, if you need someone to prove that they’re over 18, they should be able to do so by some means other than entering credit card details. Any identifying data you collect should be anonymised, such as by “hashing” names at the point of capture, so they’re represented by long but unique strings of meaningless data.
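The "hashing at the point of capture" idea above is pseudonymisation, and its strength depends on how the hash is built. This added example (not from the article) contrasts an unkeyed SHA-256 of a name, which a lookup table over plausible names recovers, with a keyed HMAC pseudonym that can only be recomputed by whoever holds the key. The sample names and `DEMO_KEY` are constructed for the demonstration; in practice the key is generated with `new_key()` and stored apart from the pseudonymised records.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample inputs: names as they might arrive on a sign-up form.
SAMPLE_NAMES = ["Alice Smith", "Bob Jones", "Carol White"]

# Constructed demo key for the example only; a real deployment uses new_key()
# and keeps the key separate from the data it pseudonymises.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymisation key."""
    return secrets.token_bytes(32)


def normalise(name: str) -> str:
    """Canonicalise spacing and case so one person always maps to one token."""
    return " ".join(name.split()).casefold()


def plain_hash(name: str) -> str:
    """Unkeyed SHA-256 of a name: deterministic, but anyone can recompute it."""
    return hashlib.sha256(normalise(name).encode("utf-8")).hexdigest()


def keyed_token(name: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: reproducible only by holders of the key."""
    return hmac.new(key, normalise(name).encode("utf-8"), hashlib.sha256).hexdigest()


def recover_from_plain_hash(token: str, candidates) -> Optional[str]:
    """Why an unkeyed hash of a low-entropy value is not anonymisation:
    a table of plain hashes over plausible names maps the token straight back.
    Against a keyed token the same table finds nothing, because the key is
    part of the input."""
    table = {plain_hash(n): n for n in candidates}
    return table.get(token)


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Replace the direct identifier with a keyed token; other fields are kept."""
    out = dict(record)
    out["subject_id"] = keyed_token(out.pop("name"), key)
    return out
```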

If you think the EU is being unfairly strict here, it isn’t: it’s playing catch-up. The US Federal Trade Commission recommended Privacy by Design in 2012, two years after it was unanimously recognised as an essential component of privacy protection at the annual conference of International Data Protection and Privacy Commissioners in Jerusalem.

Ensure you remain accountable

Adopting privacy-centric business processes is crucial, but it’s not enough: you must also be able to prove that you’ve done so, if asked. That means documenting the discussions and processes that contributed to your final implementation. This is as much a protection for yourself as it is a way of reassuring your customers, since it enables you to show that the available protection measures were considered and incorporated in your business.

On top of this, any staff who might handle personal data must be adequately trained; you’ll need to devise and implement a robust internal data-protection policy that complies with every aspect of GDPR.

If you have more than 250 staff members then some additional requirements apply: you will need to retain written internal records of all data-processing activities, descriptions of technical and organisational security measures, and documentation of any safeguards applicable to data-transfer mechanisms, among other details. These may be requested by a Supervisory Authority to check your compliance, so the more detailed and extensive your records, the better.

Performing a Data Protection Impact Assessment (DPIA) will help you assemble this documentation, and spot any potential weaknesses in your data-protection measures. The Information Commissioner’s Office recommends conducting a DPIA whenever new technologies are used to process information in a way that could place individuals’ privacy rights at risk, such as rolling out large-scale CCTV deployments.

The DPIA should include assessments of the risks to individuals, the necessity of data processing and retention, any measures you have employed to minimise the risks, and a description of your processing operations and their purposes.

Ask for active consent

It’s no longer safe to make any assumption where consent is concerned. If you’re designing an opt-in form, web-store checkout or data-collection mechanism, be sure to explain clearly what a user is opting into and how the data will be used – and make sure that the action of opting in is active, rather than passive, as GDPR doesn’t allow you to rely on pre-ticked boxes, or assume that a failure to opt out implies consent. Moreover, any conditions must be detailed separately from regular terms and conditions, so that they are more obvious.

This applies internally, too: employers must obtain active consent from their employees when adding their details to internal databases. This means you may have to update your induction processes.

This doesn’t necessarily mean starting again from scratch. The Information Commissioner’s Office has declared that “you are not required to automatically ‘repaper’ or refresh existing [Data Protection Act] consents in preparation for the GDPR.” However, if you continue to rely on previously granted consent for an individual’s data to be processed, you must “make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.”

If you have any doubts, it’s safest to contact every subject currently on your database to request GDPR-compliant consent for you to continue processing their data.
