While it was the European Union that designed and enacted the General Data Protection Regulation (GDPR), its aim of ensuring data protection for all EU citizens and those living in EU countries means that compliance is not solely an EU matter. Its predecessor, the Data Protection Directive, moved aside for the launch of the GDPR in 2016, which then came into force in May 2018.
With fines of up to €20 million or 4% of annual global revenue, the penalties for non-compliance are severe. When those are combined with the inevitable perception of a lack of due care and diligence for customers’ personal data, it’s easy to see why GDPR compliance is not only a legal requirement but also makes good business sense.
What Does GDPR Compliance Mean?
Compliance with GDPR not only means following its requirements. It also means being able to demonstrate that there are policies and procedures in place to ensure the careful consideration of all points of client interaction.
To ensure ongoing compliance, these policies and procedures must then be reviewed on a regular basis. At this point, it’s important to recognize that GDPR takes a very broad perspective on what personal data is. The individual’s IP address and cookie data require the same level of protection provided for their name, address, and birth date.
An additional complexity to the General Data Protection Regulation comes from the fact that many of the requirements are deliberately vague, leaving much to interpretation. For example, a company is required to provide a ‘reasonable’ level of protection for the data they process. However, the GDPR does not specify exactly what would constitute reasonable.
It takes the view that compliance would depend on the nature of the personal data and the volume of information being processed. The logic here is that the greater the data’s sensitivity, the greater the protection needed to prevent a data breach.
While this provides the European Union with leeway in issuing penalties for data breaches and non-compliance, it can create a major headache for small organizations in ensuring GDPR compliance. This is compounded by the requirements being based on the scale of data processing and not the business’s size.
For many companies, the specialized knowledge required results in either appointing an in-house data protection officer or seeking a third-party expert’s services to ensure GDPR compliance.
What is Required for GDPR Compliance?
Lawful Basis and Transparency
When an organization has over 250 employees, the GDPR requires it to establish an up-to-date and detailed list of the processing that is undertaken. This should include details of why the processing is taking place, the type of data being processed, and details of who has access to it.
Then there should be information provided on what action has been taken to protect the data and when, if possible, it will be erased. Organizations need to be aware that the regulators may ask to see this list when they are assessing whether they are GDPR compliant.
A data protection impact assessment (DPIA) is a method of measuring the risk associated with personal data processing.
In doing this, organizations are provided with clarity in their obligations under the General Data Protection Regulation by identifying and mitigating potential risks. Where it has been assessed that there is the potential for high risk through personal data processing, the DPIA is a mandatory requirement for achieving GDPR compliance.
While not a legal requirement for other processing types, the DPIA does demonstrate good practice and evidences a serious intent for GDPR compliance.
The DPIA must be completed before the data processing commences and ideally during the planning stage of the project. Where a Data Protection Officer is employed by the organization, they should be consulted before and during the DPIA development to ensure that the proposed processing is considered to be legal.
The key principle of data protection is for it to be ‘by design and by default’. This, in turn, provides the ethos through which data security protocols are implemented. The phrase ‘appropriate technical and organizational measures’ is stated within the GDPR as being required to ensure both data privacy and protection. This may mean the implementation of data encryption, anonymization, or the pseudonymization of information.
On an organizational level, this may require limiting the volume of personal data collected and promptly deleting data that is no longer needed. It is essential that in implementing a data security policy, all staff members are both aware of it and follow its procedures.
Keeping records of staff training and their subsequent understanding and agreement to follow the policy is recommended, as is including a commitment to data privacy within the contract of employment.
Should there be a data breach resulting in personal data exposure, a procedure should be in place that can be implemented without delay. Data protection law states that there is a time limit of 72 hours for notifying the supervisory authority, with the countdown commencing at the point of becoming aware of the data breach.
Additional requirements to ensure GDPR compliance include keeping a time-based account of the actions taken to limit the potential risk to the European Union’s citizens and residents.
GDPR Accountability and Governance
With the purpose of the General Data Protection Regulation (GDPR) being to safeguard personal data, there needs to be the appointment of someone within an organization who takes overall responsibility for its implementation. It is generally recommended that a Data Protection Officer is appointed.
This is an individual who has expert knowledge of GDPR, data protection laws, and their implementation, and as such, they become an organization’s GDPR compliance point of contact.
If the organization is outside of the EU, then there is a requirement to appoint a representative within the country in which the personal data is being collected. The role of this representative, usually from a law firm, consultancy, or private company, is to represent the organization regarding its obligations under the EU GDPR.
Details of the representative must be given to EU-based individuals whose data is being processed. This can be provided within the privacy notice or when advising them of the collection of data. It is also important that supervisory authorities can easily find the information within a website.
The appointment of a representative must be undertaken in writing and needs to detail the terms of the relationship. However, it should be noted that having a representative does not affect the responsibility or liability of the organization under the legislation, so it cannot be seen as a quick solution for compliance with GDPR requirements.
At present, the General Data Protection Regulation does not provide guidance on what should happen regarding representatives when processing involves data subjects who reside in multiple European Union member states.
Data processing agreements are also required to be in place with any company with which personal data processing has been outsourced. This might include services such as cloud servers, email services, and analytical software. Many organizations now have a standard data protection agreement available for review, which clearly states each party’s rights and obligations to ensure GDPR compliance.
It is the organization’s responsibility to ensure that third-party suppliers are GDPR compliant, and as such, data privacy and the rights of their data subjects are taken seriously.
Privacy Rights Under GDPR
Data subjects have a wide range of rights with regard to their data privacy under the General Data Protection Regulation, from requesting copies of their personal data through to asking that their information is deleted. This makes it essential for every organization that comes under the scope of GDPR to meet requests within the timescales stated in the legislation.
For most requests, organizations have a period of one calendar month to review and either take action or provide feedback to the data subject’s request. With GDPR not requiring that the requests are made in a particular format or by a stated delivery mechanism, it becomes essential that all staff can recognize requests and ensure that they are acted upon.
These ‘data subject access requests’ mean that it is essential that organizations know where their collected data is at all times, along with the scope of the personal data collected. Additionally, they need to understand how the information is being used, by whom, and when. If data subjects do find an error, then it must be corrected. If the customer opts to invoke their “right to be forgotten,” the company must erase their data, and if they do not like how their personal data is being collected and used, they can object.
Data privacy rights can be one of the most challenging aspects of GDPR compliance and implementation for a business. It requires a level of transparency that organizations are not used to providing. No longer can a business hide what they know or class it as proprietary and confidential information, inaccessible to the very people that the data belongs to.
GDPR Compliance and the Concept of Consent
GDPR requires that organizations implement a consent system that must be completely unambiguous and requires a clear opt-in. The use of pre-selected opt-in boxes has been specifically banned, and there need to be consent options for the processing of personal data in different ways.
The GDPR requires that for compliance to be achieved, this consent must be separate from any other terms and conditions. In addition, consent should not normally be a stipulation for signing up for a service.
Records then need to be kept demonstrating that consent was obtained. In addition to this, data subjects also need to be advised of their right to withdraw that consent and be provided an easy way in which to do that.
When is consent appropriate?
Consent is one of the lawful bases for processing defined within the GDPR; however, there may be situations where it is difficult to get, and then an alternative solution is needed. It needs to be considered that consent is only appropriate if it provides the data subjects with choice and control over how their personal data is used.
If EU citizens cannot be provided with genuine choice, then it would be inappropriate to give the impression that they have a genuine basis on which to provide their consent.
Organizations should also be aware that where consent is made a requirement to access a service, it is likely to have been achieved in a way that is considered unlawful under the regulation.
What is valid consent?
When implementing processes to obtain consent while ensuring GDPR compliance, the consent must be given freely with ongoing choice and control over how the personal data is processed. Key points to consider include:
- It should be obvious to an individual that they are giving consent
- There must be a positive action taken by an individual to opt-in
- Consent requests must be clearly stated as being so
- Consent requests should be standalone and, in particular, be separate from other terms and conditions
- Consent requests should be made in simple terms and be both brief and user-friendly
- Information that must be provided includes the Data Controller’s name, the purpose of the processing, and details on how the data will be processed
- Consent must be confirmed in words and not by any other action
Recording and Managing GDPR Consent
Obtaining consent is the first step in ensuring GDPR compliance. Once this is achieved, there is then the requirement to keep accurate records that provide evidence of that consent, including who gave it, when it was given, by what means, and what the individual was told at the point of giving it.
Preference management tools can be an effective way to provide individuals with control over how their personal data is used while also meeting the General Data Protection Regulations’ requirements. These tools enable organizations to only communicate with their customers at a time and via a preferred method. This means that the recipient is now in control of how and when their personal data is being processed.
However, businesses should be aware that the trust that is then established is vital in maintaining the relationship with the client. A breach of data privacy or the disregarding of the terms of their consent is likely not only to be a breach of data protection law but will also result in the loss of the client’s confidence and trust in the organization.
After collecting preferences, it is then essential to keep those consents under review. When clients in the European Union are able to update their own preferences, when they desire, along with confirming contact details and preferences, then the accuracy of the personal data will be improved. In addition, this functionality also provides clear evidence of how the organization is striving to ensure GDPR compliance through the method that consent is obtained.
The Costs Associated with GDPR Compliance Implementation
The volume of personal data being processed and requiring GDPR compliance will vary enormously from one business to the next. It is this volume of processing, rather than the size of the operation, that will influence the costs associated with GDPR implementation.
For those businesses that are based within a European Union country or have a branch located there, there will be fees to be paid to that country’s Information Commissioner’s Office.
For example, there are three different tiers of fees in the UK that range from £40 to £2,900. The fee scaling is designed to reflect the risks posed by personal data processing, the risk to data privacy, and the potential for data breaches. The three tiers relate to how many staff members there are, the annual turnover, and then the type of organization it is. The revenue achieved through the payment of GDPR fees is used to fund the Information Commissioner’s Offices in each EU country, while fines are passed directly to the relevant government body.
What does need to be recognized is that GDPR compliance requires a continual review of how personal data is held and processed.
So, while the majority of costs will be associated with the initial implementation, there will be the ongoing expense of ensuring that any new processing meets GDPR requirements, along with the deletion of data that is no longer needed. In addition to this, there is the staff time and training that will be necessary to recognize and act on data subjects’ requests.
Ten Step Process to GDPR Compliance Implementation
- Assess what data you have, and map business process flows
- Assess what data you need, list and categorize personal data within process flows
- Assess what you must keep and what can be deleted
- Assess how long you must keep the data for and decide on the basis for processing
- Identify who has access to the data and review third party processors for GDPR compliance
- Identify who the data is shared with and define subject access procedures
- Assess the security of the data and review security and training requirements
- Identify where the data is stored and implement staff awareness training
- Consider how data security is tested and publish privacy notices and policies
- Consider if a Data Protection Officer is needed and conduct data protection impact assessments