Well, we’re a month in, and the world hasn’t ended yet! It’s hard to believe that GDPR came into effect less than 30 days ago, and all the time spent on preparation and panic (for many) has finally come to an end.
By now, most businesses will have got the basics in place to ensure compliance with the EU regulation and will now be looking at how they can integrate GDPR compliance within their business processes going forward. And that’s what we want to talk about today.
There are 10 major operational areas that GDPR will affect within your business, and this post is the first in a two-part series designed to look at each one. We’ll be giving you some friendly tips on making these changes simply, without having to rip out your entire infrastructure and start again.
Cyber Security and Data Breach Notification
Since GDPR is so centred around data management and control, it’s not surprising that it also puts heavy emphasis on cyber security for businesses and enforces a minimum data breach notification period. On the cyber security side of things, it is less prescriptive about exactly how organisations should protect their data.
Rather, under Article 32, GDPR states that controllers and processors are required to “implement appropriate technical and organizational measures” taking into account “the state of the art and the costs of implementation” and “the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.”
However, it does provide some suggestions around what kind of defences should be employed, including:
- Pseudonymisation and encryption of personal data.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
Many businesses will have at least some of these measures in place already, if only as part of a disaster recovery strategy. So realistically, bringing cyber security standards up to scratch shouldn’t be too challenging.
When we look at the data breach notification side of things, however, we start to see some changes. Under GDPR, all businesses are now required to notify their Supervisory Authority (in the UK that’s the ICO) within 72 hours of the breach being discovered.
The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data”. The Guidelines add that this includes even an incident that results in personal data being only temporarily lost or unavailable.
As soon as you discover a personal data breach within your business, the clock starts ticking, and you have just three days to let the ICO know:
- The nature of the personal data breach, including the number and categories of data subjects and personal data records affected
- The data protection officer’s contact information
- The likely consequences of the personal data breach
- Your plan for addressing the breach, including any mitigation efforts
If you don’t have all of this information right away, the ICO will allow you to provide it in stages, as long as the initial notification is made within the 72-hour window. If you miss this deadline, you have to provide a ‘reasoned justification’ for the delay.
Data Protection Officers
Every business that handles personal data of any sort (which is every business) is designated either a data controller or a data processor. The difference lies largely in what you do with the data, with data processors usually being the third parties handling data belonging to other businesses.
However, whatever type of business you are, it is likely you will have to appoint a Data Protection Officer (DPO) in order to comply with GDPR. The DPO’s responsibilities are all outlined in Article 39 of GDPR, but include:
- Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.
- Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits.
- Advising on data protection impact assessments when they are required under Article 35.
- Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data.
- Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.
Consent
The GDPR specifically removes the ability of businesses to rely on implicit ‘opt-out’ consent, instead requiring ‘a statement or a clear affirmative action’. This means documentation procedures for any data gathering activities – from marketing to recruitment – will need to be reviewed and updated in rigorous detail.
It also restricts the ability of children to consent to data processing without parental authorisation and requires explicit consent for the processing of certain ‘special categories’ of personal data, which includes racial or ethnic origin, political opinions, religious or philosophical beliefs and trade union memberships.
Cross-Border Data Transfers
For any business that works internationally, GDPR poses an extra issue. While the regulation does permit personal data transfers to other countries or international organisations, this is only allowed if the recipients are themselves subject to GDPR and comply with a strict set of conditions.
GDPR also allows data transfers to countries whose legal regime is deemed by the European Commission to provide an “adequate” level of personal data protection. In the absence of an adequacy decision, transfers to non-EU states are still allowed under certain circumstances, such as by use of standard contractual clauses or binding corporate rules (BCRs). Derogations are also permitted under limited additional circumstances.
Profiling
Since previous data protection rules were put in place, technological advancements have allowed organisations to gather a huge range of personal data and analyse it.
The most common reason for this is market research, where the business will gather and analyse data, draw conclusions and then take action, such as targeted marketing campaigns and price differentiation strategies.
Under the GDPR, this is classified as ‘profiling’, which involves:
- Automated processing of personal data.
- Using that personal data to evaluate certain personal aspects relating to a natural person.
This has become a commonplace practice; however, the GDPR imposes many different restrictions on the automated processing of data and on the decisions made using that data.
If your actions are deemed to be profiling, then you are required to ensure the data subject’s right ‘to be informed of the consequences’ of the decisions made has been met. In other words, you need to word your consent forms carefully if you intend to gather and process data for profiling later on, and you can’t use data you have gathered without this prior step.
That’s it for part 1 of this article. Stay tuned for part 2, where we will discuss how you can manage vendors effectively, the best way to anonymise data and the consequences for violating GDPR, both unintentionally and maliciously.
In the meantime, if you have any questions about how to implement these changes, or want to ensure your business is GDPR compliant through expert GDPR consultancy, just get in touch with us today for your free, no obligation consultation.