It is a Saturday afternoon in the beginning of June, and your phone rings. Camilla from your outsourcing partner tells you that last night hackers breached your server security and stole your data. You check your watch. The breach happened some 13 hours ago, leaving you with 59 hours to report to the Data Protection Agency that data from thousands of customers, suppliers, and employees have been compromised. During this time, you will also need to stop the leak and ensure that it does not happen again. The consequences of not meeting the GDPR demands could be a fine of up to 20 million Euros.
The actual impact of the GDPR still eludes a lot of people, and consequently a scenario such as the one above easily results in a racing heart and a shortness of breath for many business leaders. Understandably so, as a great deal of informational articles on the GDPR focus on the risks of punishment rather than the potential to meet the actual demands. Fortunately, it is not the big murky waters it might seem, and businesses could even benefit from the need to take a good look at the various systems and programs in use in their organisation.
The GDPR is a regulatory directive meant to ensure that the personal data of citizens in the EU is kept private. The law comes into force on May 25th of this year, prompting the need for all businesses to be able to document exactly which information is held on employees, customers, suppliers, business partners, and other contacts. Furthermore, you must always be able to state the need for each specific bit of information on your Data Subjects, the people providing information to you.
Information that might be used to identify a given person is regarded as personal. This includes information such as a full name, a social security number, an address, a phone number, and an email address.
Distinguishing between sensitive personal data and personal data that will not identify a Data Subject is tricky. For instance, a first name is not identifying in and of itself, but if the person in question is the sole owner of this name, the name becomes personally identifying data.
The use and processing of data
Consent is at the core of data processing and is a pillar of the GDPR. Designing processes and the supporting systems in a transparent way that allows for a minimised and configurable use of personal data will be paramount for the future work of setting up the system landscape.
Generally, you are free to use any collected data for any legal purpose, so long as your Data Subject has given consent for these specific purposes. The right to have data deleted is, however, an integral part of the GDPR, meaning that in an instance of a Data Subject withdrawing their consent for a specific process or purpose, you must delete their data as fast as possible.
Data Subjects can demand access to the information obtained by you, and a business must within a single month gather and supply a complete data set clearly showing which information has been collected on the Data Subject as well as what it is or has been used for.
Gathering and applying lots of data is easy, but the GDPR requires you to always be able to defend, with documentation, the need for e.g. a social security number for a specific purpose. Consequently, businesses are forced to consider carefully any wish to reuse data for new purposes. Considerations and decisions are to be logged in a policy explaining and clarifying your efforts to be compliant with the GDPR.
Data can be freely stored anywhere in the world, provided you can document compliance with the GDPR, and there may be good reasons for storing data in India or Brazil. But outside the EU it may prove difficult to enforce third parties' compliance with the GDPR, since these businesses are not subject to EU legislation.
A breach in data security leaves a window of 72 hours from finding the breach to notifying the DPA, and if you cannot comply with this you are required to document the reasons why. If a breach leads to the compromising of personal data you are required to inform the persons in question as soon as possible.
Meeting the demands
The GDPR is largely considered a legal step, and indeed you may need legal assistance to create a business' GDPR policy. But there is also plenty of more practical work, such as mapping and documenting systems and processes, that does not need legal attention. Obtaining a clear view of your processes and recognising the contexts in which personal data is registered, where and how it is stored, as well as why and for what it is applied, becomes paramount with the GDPR.
The punishment for not complying with the GDPR gets a lot of attention, and perhaps you worry as you realise that your organisation simply cannot be compliant within the time frame. If this is the case, you must be able to diligently document your work to rectify this. Make it clear that you are aware of the coming changes and are working towards being compliant.
Being GDPR compliant is not simply meeting the demands on May 25th; it is being compliant in each new step you take in your business henceforth.
If you are still unsure of the consequences of the GDPR for your specific organisation, you might consider getting assistance from an external consultant to identify your needs and, if need be, oversee the implementation of new processes.
Be sure to check back to our blog as we delve into the various GDPR demands and their impact on your business during the next few months.