A quick primer on GDPR
Almost five years ago, on May 25th, 2018, the General Data Protection Regulation (GDPR) came into force across the European Union and, through the EEA Agreement, the rest of the European Economic Area (EEA).
At its core, the GDPR regulates the processing of personal data: any information that could identify an individual, whom the regulation calls a “data subject”.
The GDPR has been a huge benefit to consumers within the EEA, bringing about a seismic shift towards consumer protection when it comes to data privacy. It grants data subjects enshrined rights, such as the right of access to their personal data and the right of erasure (also known as the more controversial “right to be forgotten”), and it requires that every use of personal data rest on a lawful basis, consent being the most visible one. The net effect is that consumers can make purchases online with greater confidence.
Many businesses, on the other hand, are still struggling to adhere to the often convoluted and labyrinthine regulations of the GDPR, with varying degrees of success.
Companies are expected to have a clear understanding of GDPR, implement policies and procedures that comply with the regulation, and provide adequate resources and training to their staff. Additionally, companies must be able to demonstrate that they have taken steps to ensure GDPR compliance and remain compliant over time. All of this takes a significant amount of time, effort, and resources, which can be difficult for businesses to achieve.
The eleven-chapter GDPR applies to organizations established within the EEA, but its extraterritorial reach (Article 3(2)) means that any organization, wherever it is based, that offers goods or services to data subjects in the EU or EEA, or that monitors their behaviour, must abide by the relatively new legal framework. “Data subjects in the Union” means anyone physically there, residents and visitors alike, regardless of citizenship, and no payment is required: handing over an email address in exchange for a white paper, eBook, or other marketing material is enough.
In short: if your organization does any business within the European Economic Area (EEA), then the General Data Protection Regulation (GDPR) applies to the personal data you process about individuals within the EEA.
Participating in a cross-border transfer mechanism is not a substitute for compliance. The EU-US Privacy Shield, which earlier guidance often pointed to, was invalidated by the Court of Justice of the EU in 2020 (the Schrems II judgment); a transfer mechanism, whether its successor framework or standard contractual clauses, covers only the legality of moving data out of the EEA, so you must still meet the full extent of the GDPR’s rules towards EU data subjects.
But what if you only do business nationally, and you’re located in the U.S.? It is still highly beneficial to become familiar with the European GDPR and its implications, as many jurisdictions have introduced similar regulations modelled on it. The most notable example is the California Consumer Privacy Act (CCPA), enacted in 2018 and in force since January 2020. Understanding the GDPR and its related regulations will provide a strong foundation for the regulations that are currently in effect, as well as those that may be introduced in the future.
This GDPR compliance plan simplifies the complex legal-speak of the GDPR and explains how it applies directly to your organization—so that you can stay one step ahead of the law and avoid any fees or fines associated with noncompliance.
The fines and penalties for non-compliance with the GDPR can be extensive: Article 83 allows administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, which is why some tech industry experts describe the GDPR as the “privacy equivalent of SOX”.
Compliance is mandatory both for EU companies and for US companies doing business in the EU, and noncompliance with the GDPR’s provisions can result in significant fines and fees.
Image courtesy of: statista.com
Conduct an audit of your customer base for EU personal data
Conducting an audit of your current customer base to determine whether you need to comply with the GDPR or similar legislation is essential and should not be overlooked. This audit involves searching your databases to identify any customers in the EEA, making it an integral first step in determining whether or not the GDPR applies to you.
Parquet Development offers complimentary audits of various types; if you’re interested in having your organization and tech-stack audited for GDPR compliance, don’t hesitate to reach out.
This audit must include where your data is stored and who that data belongs to, to determine whether or not “the processing activities are related to offering goods or services to such data subjects [in the EEA] irrespective of whether connected to a payment.”
Some crucial questions to answer include:
- Where is your data stored?
- Why are some personal data being processed?
- What is the legal basis for processing this data?
- How long is this data retained?
- Who has access to personal data?
- Who should have access to this data moving forward?
- What technical controls do you have in place?
- How much duplicate personal data exists?
If you don’t know the answers to these questions, start with a data-mapping exercise, and where the processing is likely to be high-risk, a Data Protection Impact Assessment (DPIA), which Article 35 requires in such cases (many online resources can help, such as GDPR.eu). It is hard to move forward with a plan of action without knowing what’s going on with your data, so answer these questions before you continue with this checklist.
If you do know the answers, and you find that you have any contact with data subjects within the EEA, then move on to the next step. If you’ve searched your data but couldn’t find any link to persons in the EEA, yet expect to have contact, dealings, or transactions with people or entities within the EEA in the future, then continue as well.
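The questions above are easiest to answer from a record-level inventory: one row per copy of a person’s data in each store, with the store’s location, purpose, legal basis, retention period and who can reach it. The script below is an added example, not code from the original article, and walks such an inventory to produce the audit the text describes. The inventory rows, the store and region names, the convention that region names starting with “eu-” sit inside the EEA, and the use of a country-of-residence column as a proxy for “data subjects in the Union” are all constructed assumptions; in a real audit you would export these rows from your CRM, mailing tools, analytics and backups.

```python
"""Audit an inventory of customer records for EEA data subjects.

Added example, not from the original article. The inventory rows, store
and region names, and the country-as-location proxy are assumptions.
"""
import json
from collections import defaultdict
from datetime import date

# EEA = the 27 EU member states plus Iceland, Liechtenstein and Norway
# (ISO 3166-1 alpha-2 codes).
EEA_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

# Constructed sample inventory: one row per copy of a record in a store.
SAMPLE_INVENTORY = [
    {"store": "crm", "region": "us-east-1", "email": "anna@example.de", "country": "DE",
     "purpose": "order fulfilment", "legal_basis": "contract",
     "collected": date(2021, 3, 2), "retention_days": 365 * 7, "accessed_by": ["sales", "support"]},
    {"store": "mailing-list", "region": "us-east-1", "email": "anna@example.de", "country": "DE",
     "purpose": "newsletter", "legal_basis": "consent",
     "collected": date(2019, 1, 15), "retention_days": 730, "accessed_by": ["marketing"]},
    {"store": "crm", "region": "eu-west-1", "email": "bjorn@example.no", "country": "NO",
     "purpose": "order fulfilment", "legal_basis": "contract",
     "collected": date(2022, 6, 1), "retention_days": 365 * 7, "accessed_by": ["sales"]},
    {"store": "analytics", "region": "us-west-2", "email": "claire@example.fr", "country": "FR",
     "purpose": "usage analytics", "legal_basis": "",          # nobody documented a basis
     "collected": date(2023, 1, 10), "retention_days": 0,      # no retention period set
     "accessed_by": ["data-science", "contractor-x"]},
    {"store": "crm", "region": "us-east-1", "email": "dave@example.com", "country": "US",
     "purpose": "order fulfilment", "legal_basis": "contract",
     "collected": date(2020, 5, 5), "retention_days": 365 * 7, "accessed_by": ["sales"]},
]


def is_eea_subject(row):
    """Country of residence is a proxy for 'in the Union'; a real audit
    should also consider billing/shipping addresses and IP geolocation."""
    return row["country"].upper() in EEA_COUNTRIES


def region_is_eea(region):
    """Assumed naming convention of the hosting provider, e.g. 'eu-west-1'."""
    return region.startswith("eu-")


def audit(inventory, today):
    """Summarise where EEA personal data lives and flag the usual gaps."""
    eea = [r for r in inventory if is_eea_subject(r)]
    by_region, copies, accessors = defaultdict(set), defaultdict(list), defaultdict(set)
    report = {"eea_records": len(eea), "eea_subjects": sorted({r["email"] for r in eea}),
              "missing_legal_basis": [], "missing_retention": [], "expired": [], "transfers": set()}
    for r in eea:
        by_region[r["region"]].add(r["store"])
        copies[r["email"]].append(r["store"])          # duplicate copies per person
        for who in r["accessed_by"]:
            accessors[who].add(r["store"])              # who can reach EEA data, and where
        if not r["legal_basis"]:                        # Article 6 basis undocumented
            report["missing_legal_basis"].append((r["store"], r["email"]))
        if r["retention_days"] <= 0:                    # no retention period defined
            report["missing_retention"].append((r["store"], r["email"]))
        elif (today - r["collected"]).days > r["retention_days"]:
            report["expired"].append((r["store"], r["email"]))
        if not region_is_eea(r["region"]):              # Chapter V: transfer out of the EEA
            report["transfers"].add((r["store"], r["region"]))
    report["stores_by_region"] = {k: sorted(v) for k, v in by_region.items()}
    report["duplicates"] = {e: s for e, s in copies.items() if len(s) > 1}
    report["accessors"] = {k: sorted(v) for k, v in accessors.items()}
    report["transfers"] = sorted(report["transfers"])
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INVENTORY, date(2023, 5, 1)), indent=2, default=str))
```

Every flagged item maps onto one of the questions in the list: `stores_by_region` and `transfers` answer where the data is and whether it has left the EEA, `missing_legal_basis` answers why it is processed, `missing_retention` and `expired` answer how long it is kept, `accessors` answers who has access, and `duplicates` shows how many copies of the same person exist. Note that `dave@example.com` is excluded only because his country is outside the EEA; if your inventory has no reliable location field, treat everyone as in scope until you know better.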
Audit your service providers
Yes, even your service providers’ compliance with the GDPR matters. In fact, it’s where a lot of US companies run into trouble with the law.
Since noncompliance by your third-party providers carries significant risk for you, and it is easy to overlook, this is a critical step toward full compliance.
Review your terms and conditions and agreements with every third-party service provider that processes and/or collects personal data on behalf of your organization.
They are required by law to comply with the GDPR just as you are. Your own house may be in order, but if you use a third party to collect or process personal data and they are not compliant, you could face serious consequences.
To learn about Salesforce’s approach to GDPR, see this article. Salesforce also helpfully provides a Trailhead on “European Union Privacy Law Basics,” if you’re interested in furthering your understanding of this critical topic.
Enshrined Rights of the GDPR
The GDPR’s two novel rights are:
- the right of erasure or the right to be forgotten &
- the right to portability of an individual’s data.
Articles 15-22 of the GDPR cover the data subject’s rights in detail; three more of them are important to know:
- the right to access and receive a copy of personal data,
- the right to rectification and restriction of processing &
- the right to object to processing including automated processing and profiling.
Studying these fundamental rights established by the GDPR will prove beneficial in the long term for maintaining compliance with the legislation.
Data controllers and data processors
These are two distinct categories; you need to know which one your organization falls under.
According to the GDPR guidelines, a data processor is a company that processes personal data on behalf of a data controller. Simple as that.
A data controller is a business that determines the ‘why’ and the ‘how’ of personal data processing. Your company may in fact be both a data controller and a data processor. Both are responsible for GDPR compliance, but the obligations differ for each role.
Further complicating matters, it’s possible for a controller to have many different data processors, and those processors can even have sub-processors. This includes your email vendor, cloud storage provider, and any other subcontractor that has access to personal data.
Under the GDPR, the data controller—which is usually your organization, except under special cases mentioned above (as you could be both controller and processor at the same time)—is responsible for the actions of any data processors that you work with.
It is essential to exercise caution when selecting a processor for the processing of data concerning EU data subjects and to enter into agreements with a data processor that you trust.
A data processing agreement (a standard agreement template can be found here) should regulate the relationship between a controller and a processor, as well as any sub-processors that a data processor may use. Articles 28 (concerning processors) and 82 (Right to compensation and liability) of the GDPR detail what these agreements and/or contracts should cover.
How to collect data legally? It’s all about consent
According to the GDPR, consent is one of six legal bases that can justify the processing of a data subject’s personal data; the others (performance of a contract, a legal obligation, vital interests, a public task, and legitimate interests) are listed in Article 6. Pick the basis that genuinely fits the processing, and document it: consent is the right choice for marketing lists, but not for data you need in order to fulfil an order.
Processing on the basis of consent carries extra duties, since consent must be demonstrable and can be withdrawn at any time (Article 7). In addition, Articles 12 to 14 require you to provide transparent information about your activities to your data subjects.
This means, at the very least, updating your privacy policy, as well as ensuring you are processing data in a “concise, transparent, intelligible and easily accessible form, using clear and plain language” (especially so when processing the personal data of children).
Data breaches and how to handle them
Data breaches can have devastating effects on your business and incur significant costs. Article 32 requires “appropriate technical and organisational measures” proportionate to the risk, and it names encryption and pseudonymisation explicitly. Strong data and device encryption, strong and unique passwords (periodic forced password resets are no longer recommended by NIST SP 800-63B; a password manager and breach-based checks serve better), multi-factor authentication, and the use of virtual private networks (VPNs) for remote access are the baseline, and the GDPR is yet another reason to have them.
These security controls not only help mitigate your exposure to malicious attacks and to the fines that follow a breach; they are general best practices for reducing vulnerabilities when running a business in today’s challenging landscape.
Articles 33 and 34 detail your obligations and duties should any data subjects’ personal data be exposed, whether due to an accident or a malicious attack.
Article 33 requires the controller to notify the competent supervisory authority of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it”, unless the breach is unlikely to result in a risk to individuals; a processor must notify its controller without undue delay. Article 34 adds that if the breach is “likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.”
In other words, the 72-hour clock runs from the moment you become aware of the breach and governs notification to the regulator; if the breach is likely to be injurious to the people involved, you must also tell the affected EU data subjects promptly, in plain language, with the contact point, likely consequences and mitigations. A controller that misses these obligations can be fined.
Keep your reputation in mind
A data breach is costly in itself: you may have to overhaul your security practices, purchase new platforms or software, and spend money and time training employees. On top of that, GDPR fines can be tremendously expensive, and the damage goes beyond the purely monetary.
A serious data breach combined with noncompliance with the GDPR statutes listed above can damage your company’s reputation, and provide your competition with an undue advantage. Competitors may be counting on you to fail in order to swiftly position themselves ahead of you in the market. In the end, this can be even more costly than the fines themselves.
However, if you are not only compliant with the GDPR in all areas, but also have excellent opsec, you have a leg up in the battle between both you and hackers and you and your business competitors.
Documenting the record of data processing
According to Article 30 of the GDPR, data controllers must maintain records of their processing activities (processors must keep a parallel record of the processing they carry out for each controller; organizations with fewer than 250 employees are exempt unless the processing is more than occasional, high-risk, or involves special categories of data). The controller’s record must include:
- the name and contact details of the controller and, where applicable, the joint controller, the controller’s representative, and the data protection officer;
- the purposes of the processing;
- a description of the categories of data subjects and of the categories of personal data;
- the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organizations;
- where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
- where possible, the envisaged time limits for the erasure of the different categories of data;
- where possible, a general description of the technical and organizational security measures referred to in Article 32(1).
This means that you must record the justification for processing the personal data of data subjects, the types of data involved, and if and when the data is transferred to a third country or international organization.
When active consent is the legal basis for the capture of data, for example, in marketing lists and email opt-ins, you must demonstrate how consent was obtained.
Consent must be freely given, specific, informed and unambiguous (Article 4(11)), which means it requires a statement or a clear affirmative act. It cannot be implied or passive, as with a pre-ticked box or an auto opt-in, and it must be as easy to withdraw as it was to give.
Recording who consented, when, to what exactly, and the wording they saw prevents any dispute over whether the data subject actually consented to the specific processing in question.
Educating your employees
Not only does the GDPR apply to your consumers’ data, but the law also covers your employees’ data as well. You should apply the same standards that you apply to EU data subjects to your own employees.
Staff should be trained on GDPR compliance, how to appropriately handle consumer data, how to respond to any related requests, and must be made aware of their rights regarding privacy through a staff privacy policy.
Your HR department should also review all staff contracts, data storage, and anything related to employee data to ensure that internal data procedural protection is GDPR compliant.
Data Protection Officers
In some cases, recruiting a Data Protection Officer (DPO) is mandatory: the trigger is the nature of your processing, not company size, and applies to public authorities, to organizations whose core activities involve large-scale, regular and systematic monitoring of individuals, and to those processing special categories of data on a large scale. The GDPR mentions staff training explicitly in the DPO’s duties (Article 39), which include awareness-raising and training of the staff involved in processing operations.
Even if you don’t appoint a Data Protection Officer, you should still train your staff on data protection; all businesses should train their staff on GDPR compliance. The guidelines on when a DPO is mandatory can be found in Article 37 of the GDPR, and Article 38 explicates what a DPO actually does.
The GDPR impacts almost every facet of operational teams within your business. It may be good practice in some cases to proactively appoint a DPO so that you can centralize all the work of internal and external GDPR compliance under a single stakeholder.
This makes compliance one person’s responsibility, rather than spreading it across many meetings, many sets of training hours, and several people accountable for separate areas; the DPO holds all the data “keys”, so to speak, for full compliance with the GDPR.
Data retention policies
A data retention policy is a fundamental element of the GDPR, so having a documented policy is not only recommended, but required.
Despite the seemingly strict GDPR guidelines on data retention periods, there are numerous exceptions to these limitations, and currently, there is no definitive legislation on how long data can be stored.
Rather than relying on statutory deadlines, organizations should set their own data retention policies based on what is beneficial to their business and what can be justified in the event of an audit; the only requirement is that there is documentation and justification for the period of time the data is being kept.
Data should not be held any longer than is necessary, and shouldn’t be kept for future uses if you don’t have a present need for it. But so long as your data retention purposes still apply, you can continue to store data.
It’s also wise to consider your legal requirements to retain data. For example, when data is subject to taxes or audits, or to comply with defined standards, there will be extra data retention guidelines to follow.
When the data is no longer required or an internal deadline has been met, either delete it or anonymize it so that it can no longer be linked to an individual. Pseudonymization (replacing names with tokens while a key or lookup table can still reverse the mapping) is a valuable security measure, but pseudonymized data remains personal data under the GDPR (Recital 26) and does not satisfy the retention limit.
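The following script is an added example, not code from the original article, that enforces a documented retention policy over a set of records and makes the pseudonymization/anonymization distinction concrete: an HMAC-based token is stable per person and can be recomputed by whoever holds the key, so the data stays personal; an anonymized row keeps only coarse attributes that no longer point at one individual. The purposes, retention periods, the `legal_hold` flag (for data you are required to keep, as in the tax or litigation cases above) and the sample records are constructed assumptions, and the key in the `__main__` block is a placeholder, not something to reuse.

```python
"""Enforce a documented retention policy: keep, anonymise, or delete.

Added example, not from the original article. Purposes, periods, the
legal-hold flag and the sample records are constructed assumptions.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Retention period and end-of-life action per purpose (assumed values; a
# real policy records the legal or business justification for each).
RETENTION_POLICY = {
    "order fulfilment": (timedelta(days=365 * 7), "delete"),     # e.g. tax records
    "newsletter":       (timedelta(days=730),     "anonymise"),  # stats only afterwards
}

SAMPLE_RECORDS = [  # constructed
    {"id": 1, "email": "anna@example.de",   "country": "DE", "purpose": "newsletter",
     "collected": date(2019, 1, 15), "legal_hold": False},
    {"id": 2, "email": "anna@example.de",   "country": "DE", "purpose": "order fulfilment",
     "collected": date(2021, 3, 2),  "legal_hold": False},
    {"id": 3, "email": "bjorn@example.no",  "country": "NO", "purpose": "newsletter",
     "collected": date(2020, 2, 1),  "legal_hold": True},   # under a litigation hold
    {"id": 4, "email": "claire@example.fr", "country": "FR", "purpose": "newsletter",
     "collected": date(2022, 9, 9),  "legal_hold": False},
    {"id": 5, "email": "dirk@example.nl",   "country": "NL", "purpose": "order fulfilment",
     "collected": date(2015, 1, 1),  "legal_hold": False},
]


def pseudonymise(email: str, key: bytes) -> str:
    """Keyed token that replaces the identifier but is stable per person.

    Anyone holding `key` can recompute it and re-link the rows, so the
    output is pseudonymised, not anonymised: it is still personal data.
    """
    normalised = email.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def anonymise(record: dict) -> dict:
    """Drop every direct identifier and coarsen the rest so the row can
    no longer be tied to one person; safe to keep for statistics."""
    return {"country": record["country"], "purpose": record["purpose"],
            "collected_year": record["collected"].year}


def apply_retention(records, today: date, policy=RETENTION_POLICY):
    """Return (kept, anonymised_rows, deleted_ids) for the given date.

    A record with an undocumented purpose raises, because the policy has
    a gap that must be fixed before anything is retained or destroyed.
    """
    kept, anonymised, deleted = [], [], []
    for r in records:
        if r["purpose"] not in policy:
            raise ValueError(f"no documented retention period for {r['purpose']!r}")
        period, action = policy[r["purpose"]]
        if r["legal_hold"] or today - r["collected"] <= period:
            kept.append(r)                      # still within period or legally required
        elif action == "anonymise":
            anonymised.append(anonymise(r))     # identity gone, aggregate value retained
        else:
            deleted.append(r["id"])             # nothing left to justify keeping it
    return kept, anonymised, deleted


if __name__ == "__main__":
    key = b"placeholder-key-load-from-a-secret-store"
    kept, anon, gone = apply_retention(SAMPLE_RECORDS, date(2023, 5, 1))
    print("kept:", [r["id"] for r in kept])
    print("anonymised:", anon)
    print("deleted:", gone)
    print("token for anna:", pseudonymise("Anna@Example.DE", key))
```

Two design points matter here. First, the legal hold is checked before the expiry date, so a record you must keep is never destroyed by an automated sweep, and the sweep refuses to run over a purpose the policy does not cover rather than guessing. Second, `pseudonymise` normalises the email before hashing so the same person always gets the same token, which is exactly what makes the token re-linkable; rotate or destroy the key and you lose the linkage, but until then treat the tokenised data as personal data.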
Ongoing compliance with the GDPR
The GDPR can affect and touch almost every moving part of your business provided you process or control the data of EU data subjects. But this means, fortunately, that your competitors are subject to the same rules and regulations.
Cohesively collaborating on cross-team training and working together to achieve a shared goal is essential for effective compliance with the GDPR.
Even after achieving a certain standard of compliance with the law, your organization must remain vigilant of any updates and GDPR compliance news, and be ready to swiftly adjust to changes in the regulations as your organization expands its operations in the EEA.
If such changes do occur, further resources may need to be employed, which could include hiring a part-time or full-time Data Protection Officer (DPO), depending on the organization’s needs.
It may take some time to fully comprehend the regulation, but this plan should have provided you with a comprehensive overview of the essential components of the GDPR compliance process and of how it could affect your business specifically. The impact is largest for global companies and for any company that interacts with customers in the EEA.
If you’re unsure about how to make your organization—or tech stack—compliant with GDPR policies, don’t hesitate to reach out. Our experts will provide you with the guidance and advice necessary to ensure that your organization is operating within the legal parameters of GDPR regulations.