Compliance Guide to GDPR, The General Data Protection Regulation
We are at a strange intersection in the ‘GDPR Preparedness’ timeline. Some organizations are so prepared as to put the rest of us to shame. Others are so unprepared that the very mention of the letters “GDPR” is met with blank stares.
Then there is the rest of us… The ones who know what GDPR is, have some idea of what is needed by the 25th May 2018 (when the directive becomes law across the European Union), yet find themselves so overwhelmed by the scope of what they face as to feel almost paralyzed. Thus begins a series of questions:
Where does one start? For that matter, where does one finish? What exactly does ‘being GDPR compliant’ look like? Am I going to face a massive fine?
These are all common questions that are floating around the business world, and there is very little help available. The lack of advice is based on two overriding factors:
- Nobody wants to provide guidance because, if they are wrong, then they’ve potentially left themselves legally vulnerable.
- Even the so-called “experts” have not got a clue what being fully compliant means in a real-world sense.
It is a sad idiosyncrasy of GDPR that those best placed to provide the guidance we need, are also the ones most reluctant to assist. So, let us see if I can help remedy the situation and give some of the real-world advice that is sorely lacking at the moment.
Step 1 – GDPR Overview, What is it All About?
On the 24th May 2016, the European Parliament voted The General Data Protection Regulation (GDPR) into law. After publication of the regulations, a two-year countdown leading up to 25th May 2018 immediately began. On that day, GDPR becomes law throughout the entire European Union, replacing all other digital data privacy laws and provisions that came before it.
The law intends to provide a consistent set of new rules concerning the protections afforded to citizens’ data – wherever that records may reside.
It also equips its citizens with the ability to query, alter and if needed, delete the personal information that references them from any system anywhere in the world. That is right folks, if you are in Bangladesh and you process the private information of an EU citizen, that data is protected under GDPR. “Why is that?” I hear you ask.
Well, EU GDPR 2018 is one of a couple of extraterritorial laws that have been passed in the past decade that affect international trade. These laws affect all jurisdictions everywhere and are expected to be enforced by local authorities regardless of the fact that they were enacted overseas.
For example, the Foreign Account Tax Compliance Act (FATCA) was passed in 2010 and requires all non-US financial institutions to identify assets belonging to US citizens and then report those assets to the U.S. Department of the Treasury (along with the identifies of the asset holders).
GDPR regulation is similar, in that it places a burden on all organizations everywhere to identify the data of EU citizens they hold and ensure that those details can be identified, updated and, if needed, deleted upon request by those citizens.
Easy right? After all, how much personal information can there be out there? Well, as it turns out, quite a bit.
Step 2 – Identifying What Data Falls (And Does Not Fall) Under The GDPR 2018
The GDPR protects two types of data – personal data and sensitive personal data.
Sensitive Personal Data is defined as details consisting of racial or ethnic origin, sexual orientation, political opinions, religious or philosophical beliefs, trade union membership(s), genetic or biometric data and health data.
Personal Data is defined as any information relating to an identified or identifiable natural person.
Sensitive Personal Data is straightforward as definitions go. It essentially identifies some of the most private data of an individual and ensures that that information is protected at the highest levels of discretion. The definition of Personal Data is, however, far more nebulous – and this appears to be by design.
Is my name considered personal data? Yes. How about my home address? Yes.
What about my communications with 3rd parties such as emails, social media, chats and text messages? Yes, yes and yes.
What about IP Addresses or GPS data? Yes – them too. Any information that could be used to trace back to a natural person can be classified as personal data regardless of the form it takes, and this is a huge issue.
Are you aware of just how much data will be reclassified as “personal” when the GDPR comes into force?
I cannot say that I am. Moreover, I am pretty sure you cannot either. In fact, the only thing I can say with any confidence is that if anyone tells you that they have an “all-encompassing” definition of what personal data is, then they have not got a clue what they are talking about.
Most consultants we have spoken to have hedged their bets and classified almost everything as “personal data” regardless of how unrealistic their interpretation may be. The operative assumption appears to be – the EU has not made their definition clear enough to enable concrete advice to be provided. Therefore all such information will be as generic as possible in order not to be exposed to potential legal repercussions.
Organizations that fail to implement the suggested data protection measures are facing two levels of GDPR penalties. Article 83 of the GDPR text defines how administrative fines will be applied.
Essentially, the GDPR fines and penalties for a specific organization will depend on a variety of factors including the nature, gravity, and duration of the infringement, the categories of data affected, the actions taken to prevent the infringement.
The list goes on.
Step 3 – Appointing A GDPR Data Protection Officer (DPO)
Before you get started with the more technical aspects of GDPR implementation within your organization, you will need to appoint someone to spearhead your efforts in this area. That person is your DPO (Data Protection Officer). They will be the one who is ultimately responsible for the application and success of your GDPR EU strategy and will be the focal point for all issues.
At this point in most articles on GDPR, you will likely be reading some blurb about whether or not you need a DPO at all. My advice? Appoint one regardless. You will only truly appreciate the depth of the number of private records your organization stores if you turn your GDPR compliance plan into a full-blown project, and that project is going to need a leader.
Whomever you appoint is going to have a rather large task on their hands. Their responsibilities will include:
- Evangelizing GDPR key points and security awareness throughout the organization and educating staff on compliance;
- Ensuring that adequate training programs are implemented so that all staff involved in the processing of private records are prepared for GDPR and its implications;
- Conducting internal and external audits of systems and data management practices and, where necessary, prescribe remediation;
- Act as the primary point of contact and liaison between your organization and the various protection authorities in Europe;
- Ensuring that all activities conducted as part of your GDPR compliance efforts are adequately documented so that you are prepared for any potential external GDPR audit;
- Contacting data subjects as part of any access request processes you implement to ensure that they are informed about how their data is stored, managed and erased; and that they are aware of the existence of the supporting policies and procedures in place.
Step 4 – Getting Every Department On Board (The War Within)
The first thing you will notice after you have defined what personal data is, is that that data is spread out over an extensive area.
Your operations team will control some of it; your finance team will manage a whole separate part of it. Some departments will use redundant copies of it for their own purposes. And many teams will share common databases.
To form a coherent picture of your data assets and rally everyone to your banner, you are going to have to find some way of bringing order to this chaos. Your team can either view GDPR as overhead, a waste of resources, or it can choose to view it as an opportunity to bring order to a branch of data management policies and processes that your organization never had the time or the inclination to reform.
You’ll need to be measured in your approach:
- Start slowly. If you walk in with visions of doom and gloom about the possible negative consequences of not implementing GDPR reforms, you will lose potential allies. Instead, help your team view this as a chance for genuine inter-departmental co-operation on a scale that rarely occurs.
- Do not Expect Perfection. You will face fear. The kind of reluctance to act that can scupper projects. Ensure that everyone on the team knows that perfection is neither achievable nor desirable. Instead, coach your team to see GDPR as an ongoing process that provides you with a clearer view of your data assets over time. Your first steps may feel like they fall short, but they are an essential part of the process.
- Get Buy-In From The Top. If your organization is like most, then folks only move when they know that an initiative is backed at the highest levels. GDPR is no different. If your C-Level Execs are not pushing it, then nobody will follow. Get their buy-in, and all doors will open.
- Maintain A Positive Outlook. At the risk of sounding like an inspirational poster – GDPR is a journey, not a destination. It will be easy to lose drive and focus along the way. A positive approach to the task at hand will help drive people along the path and ensure a smoother ride to the 25th May deadline and beyond.
Step 5 – Finding The Data You Store And Identifying The Various Actors In Your Business
Whose personal data do you store?
If you are like most businesses, then you store records of your staff (Human Resources), your users (Sales and Operations) as well as those of your partners (Supply Chain and Support).
Each of these actors in your company typically requires different systems to store their records, and each of these systems has probably been in operation for some time. Some systems might be paper-based, some may be fully-automated (i.e., software-based) and some may be a combination of the two.
Either way, a comprehensive audit will have to be conducted to establish where the private records of each of the actors in your business is stored.
Once that exercise is complete, the real work begins.
A central tenet of the GDPR framework is consent. Essentially, this part of the GDPR legislation asks the question – On what basis, under the law, did I collect this personal data that I am storing? The GDPR provides a list of the types of justification that are considered appropriate:
- Explicit Consent – Where you are given a clear and unambiguous go-ahead by the data owner to store their records for a specific purpose.
- Contractual Obligation – Where you need the provision of personal data to fulfill your end of an agreement/contract.
- Vital Interests – Where you require the use of a natural person’s data to protect their life, and they are unable to provide explicit consent (very few organizations can claim this).
- Public Interest – Where you must use specific personal information in the exercise of an official task (even fewer organizations can claim this).
- Legitimate Interest – When you use certain personal information because you are certain that doing so would have a minimal data privacy impact, or where there is a compelling justification for the processing. You must balance your interests against the individual’s and if you could obtain their data by other, less intrusive, means then your basis for processing their records will be considered invalid (this is the most ‘legally flexible’ justification for processing data but also the one most fraught with potential pitfalls).
- Special/Criminal Interests – This information falls under the ‘sensitive personal data’ header and can only be legally processed by particular organizations.
It is pretty clear that most organizations will use Explicit Consent and Contractual Obligation as their two most common bases for consent since they are, typically, the main ways of gathering private details. However, reverse-engineering that consent weeks, months and, sometimes years, after that data was collected is going to take a lot more effort than people think.
Step 6 – Are You A Data Controller Or A Data Processor?
Once you have made an assessment and analyzed the records you use within your organization, you need to understand whether you are that data’s GDPR Controller or whether you are merely its Processor. The difference between the two will determine what your obligations are under the GDPR.
The operative difference between a GDPR Data Controller and a Data Processor is control. The GDPR text specifies that Controllers determine the “purposes and means of the processing of personal data” whereas Processors “process personal data on behalf of the Controller.” It is clear, therefore, that Controllers have far more significant responsibilities and legal obligations than Processors.
Data Controllers are the ones who acquire the data and are therefore responsible for ensuring that there was a clear basis for consent – that the data collected was the minimum amount needed for a specific purpose, that it is as accurate as possible, that it is stored as securely as possible and that it is purged or anonymized when it is no longer needed.
The Processors only use details provided by the Controllers, so there is the operative assumption that all the right checks listed above are in place. However, they still have some responsibilities, namely to “provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing data will meet the GDPR requirements and ensure the protection of the rights of the data subject.”
Step 7 – Determining A Data Retention Policy
If you are like most organizations, then the idea of archiving, anonymizing or outright deleting records is not something you’ve ever considered. Data is a valuable asset, why limit it?
Well, because now, if you do not, you are in violation of GDPR policy, that’s why. There are many questions to be asked:
- How long do I hold on to staff records after those employees have left the organization?
- How long do I hold on to client information once they have ceased to be a client?
- How long do I hold on to marketing records once the reason for its collection has passed?
The answer to all these questions is – It depends. And that is enormously unsatisfying.
Staff data retention varies from country to country within the European Union. There is no hard and fast rule that can be applied to all EU countries. But we do know is that once a member of staff has left your organization, a moment will be reached where their records can no longer be legally held by their former employer. The same is true for customers, partners, and suppliers.
Sales and Marketing information is another thing altogether. The GDPR data retention makes it clear that the reason for the collection of private information for marketing purposes must be made absolutely clear to the natural person at the outset and that only their explicit consent to provide you with this data will be considered legal. Once that consent is revoked or the narrow reason for the collection of their information has ceased to exist (such as a short-term marketing campaign) then those records must be deleted or anonymized in some fashion.
These are some uncomfortable truths that will need to be fully understood and internalized before you can move forward.
Step 8 – How to Prepare For Data Subject Access Requests (DSAR’s)
This is the customer/client/people-facing aspect of GDPR.
When the law comes into effect, individuals will be able to ask your organization to provide them with a list of the private content that you hold on them. These requests must be acknowledged immediately upon receipt, and the identity of the individual making the request needs to be established beyond any reasonable doubt. Once that is done, you have a one-month timeline to find their records and provide them to them in electronic form (unless they request other means).
That is the technical part of GDPR directive on data protection out of the way. But what about the operational implications of these requests?
Obviously, you will need to train all your front-line and customer-facing staff about what the GDPR data security is and how to handle these requests. But it goes beyond that. It involves “operationalizing” the entire process from start to finish. For example:
- Will you have a specific email address to handle all incoming DSAR’s?
- Should all your front-line staff redirect all incoming verbal DSAR’s requests to an online form system?
- Will there be a specific training program for all existing and incoming staff that covers this aspect of their jobs?
- Which individual/department will ultimately be responsible for ensuring that DSAR’s are responded to promptly?
- How many DSAR’s are we expecting on day 1, month 1, year 1?
If you are looking for one generic answer to the above questions, think again. The answers will vary based on your technology systems, internal circumstances and technical capabilities.
Step 9 – The Cop Out (aka – Get A Second And Third Opinion)
You are unlikely to get one solid opinion on what GDPR is and how you should apply it.
The views and opinions expressed above and purely my own and are based on my experiences as DPO and the implementation of General Data Protection Regulation 2018 rules within my organization.
It would be foolish to assume that any advice I give is appropriate for all organizations and I would, therefore, advise everyone considering their options regarding the implementation of GDPR requirements and rules to seek external advice. This advice can/should come in the form of legal counsel as well and potentially by engaging the services of a 3rd party audit firm.
The road ahead is unclear. I would advise everyone to acquire as much informed opinion as possible and develop their own GDPR compliance checklist.
Author: Adrian Camilleri, phoenixNAP’s Head of Operations in Europe