The procrastinator’s guide to GDPR compliance
If you're among the companies that have yet to get their data house in order, contributor Doc Sheldon can help you avoid possible stumbling blocks.
Enforcement of the General Data Protection Regulation (GDPR) is now active, and it seems that the vast majority of websites — at least those outside the EU — still haven’t taken any measures to comply.
There are a few possible reasons for this, involving everything from ignorance to misconceptions to an expectation that it couldn’t be enforced outside the EU. That’s probably understandable given that the GDPR is a very new piece of legislation. Like many such sweeping regulations, it will evolve over time. Through case law and regulatory guidance, aspects will be clarified, fine-tuned or expanded, making it more effective.
Consequently, much of what you’ll read about it, here and elsewhere, should be taken with a grain of salt. Each business is different, so what is correct for one business can be wrong for another. I am neither an attorney nor a specialist in international law, so I recommend you seek professional advice to guide you in any area that seems unclear.
In this article, I’ll outline some aspects of GDPR that are most likely to trip you up as you play catch-up in the GDPR compliance game. Hopefully, becoming aware of these potential points of failure will help you along the way and answer any questions you may have.
Compliance with the GDPR is essentially no more than an exercise in common sense and common decency, supported by documented policies and procedures.
The bottom line is that it mandates that you be transparent and honest with data subjects, protecting their personal data at rest, in transit and during processing and keeping thorough records. If you’re developing a new product, privacy should be part of the design from the start. And of course, you need to ensure that your processors do the same.
Here’s a quick review of the stumbling blocks that can trip you up if you’re not careful.
1. Lack of awareness
Ensure that the key people in your organization are aware of how GDPR will affect the way you do business. If your organization is large or quite complex, it’s more likely you’ll need to bring significant resources to bear.
The requirements of the regulation are different from what your people are accustomed to, so some retraining is called for. One major difference is that it clearly establishes that personal data is the exclusive property of the data subject, in perpetuity. Additionally, the regulation considers the data subject’s IP address to be personal data. This last point is what is causing many businesses to scramble frantically to revamp the way they handle data.
2. Not having a handle on the information you control
To properly manage the personal data you hold, you’ll first need to document it. An inventory should be your starting point.
Here are the main points to cover:
A. Identify all the personal data you hold.
B. Determine when and where you acquired it.
C. Find out where and how it is stored and protected.
D. Detail who it is shared with, how it is shared and for what purposes.
As part of (B.) above, you need to identify and document the lawful basis under which you gather and process information under the GDPR.
Different data won’t necessarily all be acquired on the same legal basis. There are six lawful bases for collecting and processing personal data:
- Consent: The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Contract: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal Obligation: Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Vital Interests: Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Public Task: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate Interests: Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The GDPR holds accountability as an important principle, and it requires organizations to be able to demonstrate how they comply, via effective, documented policies and procedures.
3. Failing to properly get and document consent
If the consents you already have weren’t acquired in a manner that fully complies with the GDPR standards, you’ll likely need to renew them. This will apply to email lists you acquired pre-GDPR, as well as to any other data you acquire in future.
If you decide you need to renew consents, the safest way to do that — at least where website tracking is concerned — is to simply void any cookie recognitions on your site and treat all site visitors from then on as if they were new users. That will help ensure all the personal data you collect is acquired in full compliance with the regulation.
4. Not effectively communicating privacy information
Avoid verbose legalese. The GDPR specifically requires data controllers to communicate clearly and concisely, so data subjects can easily understand what they’re being told.
5. Failing to honor data subjects’ rights
Check your policies and procedures to ensure they take into account all the rights that data subjects have. These include:
- You must give them a way to request information about what data you hold on them.
- You must come up with a way of providing them with a copy of the data you possess, and if the subject requests, correct or delete it.
- If a data subject asks, you must suspend processing. (Processing is defined as: “collection, recording, organisation [sic], structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”)
- And you should be sure to outline how they can lodge a complaint if they feel their rights aren’t being properly protected.
Incorporate the handling of these requests into your standard procedures and ensure you’re able to respond within the required time frames.
6. Mishandling children’s data
Determine what system you need to establish to verify the age of data subjects and to obtain parental or guardian approval before processing any data of children.
7. Being unprepared for a data breach
Document and follow adequate procedures for data breach detection, reporting and investigation. Failure to meet the data breach requirements is probably where some of the largest fines will be encountered under GDPR.
Know your responsibilities and ensure you have procedures in place for rapid deployment. There are very strict requirements regarding notification of both the supervisory authority and affected data subjects in the event of a data breach.
8. Failing to conduct Data Protection Impact Assessments
Include procedures for Data Protection Impact Assessment (DPIA) in your plans whenever you’re launching a new product or undertaking a new initiative that involves data. Be sure to decide when and how to implement it.
9. Not appointing a representative or Data Protection Officer
Every enterprise should have someone designated as their primary representative. If your business has a presence in an EU member-state, then you’ll likely designate someone at that location as your representative.
If your organization carries out cross-border processing (operates in more than one EU member-state), you should select the location of your lead data protection supervisory authority. (Article 29 Working Party guidelines can be helpful in determining this.)
If you have no EU presence, then you may decide to select a location in which to nominate a representative. This individual will be located within your lead data protection supervisory authority’s jurisdiction and may also serve as your Data Protection Officer (DPO) if one is required or you voluntarily decide to appoint one.
The representative (or DPO, if applicable) will act as the primary contact for both data subjects and the supervisory authority but will not be personally responsible under the GDPR for the fulfillment of the organization’s compliance responsibilities. Those responsibilities remain with the data controller and data processor(s).
The big picture
Here is a mindmap, courtesy of GDPR Mentor, which provides a handy visual reference to the many facets of the GDPR.