Done nothing for GDPR? It's never too late...
Updated 23rd May 2018.
GDPR means it's a new era for EU citizens. This new EU data protection law aims to ensure that the processing of personal data is fair and lawful. It is designed to give effect to the fundamental right to privacy.
The first point I want to make is that GDPR is a good thing:
- GDPR is about businesses handling your personal data better. Take a look at the Qwant video to remind you of what goes on behind the scenes of web usage.
- GDPR is about good business practice. Everything you will be required to apply to personal data, you should also apply to business data. It won't cost you more as you can have one set of procedures instead of two.
- For IT departments who actually care about data protection but are not able to translate it into words that management can understand, it's a blessing. But IT doesn't solve GDPR alone (and encrypting everything is not the answer to GDPR).
Introduction to GDPR
To keep this post short, GDPR is mainly the enforcement of 6 data privacy principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitations
- Integrity and confidentiality
In addition, you need to justify why you hold Personal Data under what are called the lawful bases for processing. These are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
- (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- (d) Vital interests: the processing is necessary to protect someone's life.
- (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
Between you and me, I would have chosen a different order, because consent is the last thing you want to rely on, since consent can be withdrawn. Legitimate interest needs to be justified, so it needs to be used carefully.
Rumours
You may have heard that:
- You have to send an email for re-consent as everyone is doing it. THIS IS WRONG WRONG WRONG. DON'T DO IT UNLESS...
  - Don't do it. Don't send an email unless you have professional advice and are 100% sure you need to.
  - There are 6 lawful bases for processing data, and consent is only one of them.
  - In a business context, it could be ePrivacy that rules, not GDPR.
  - If you have no consent, you CANNOT ask for re-consent, because you didn't have it in the first place.
  - If you do need to ask, remember that consent shouldn't be bribed: same colour for all choices, no incentive.
  - Normally, you should only need to send an update to your privacy policy, for which no consent is required since it's not marketing.
- In case of a breach, you have 72 hours to report. It's true in some cases.
  - Typical question I hear often: "What if the breach happens at the start of a long bank holiday?"
  - How about forgetting about the long weekend? Can you handle a breach if it occurs on a weekday? Start working on it now!
  - When you put your mind into privacy and protection mode, you will realise a lot of the work goes into preventing the breach and assessing the effect of the breach.
  - If you have taken the time to delete information that is no longer needed, it will not be part of the breach.
- Your business has one month to respond to someone for whom you hold personal data. It's true.
  - You need to ensure the request actually qualifies as a subject access request;
  - It can be about commercial activity, but it also applies to job candidates, staff and former staff members, who are also "data subjects" under GDPR.
  - Your business needs to know what the data is made of and where the data is located (data inventory), what is legitimate, and how long it should be kept for.
- The data storage location is important (EU/EEA or not). It's true.
  - The logic is: GDPR applies to all EEA businesses, so they should all be safe to work with (assuming 100% of EEA businesses comply). Countries outside may not have the same privacy legal frameworks, so data may be less under control;
  - Personal data can leave the EEA, under certain conditions;
  - Privacy Shield (an agreement between the EU and the US) does not guarantee GDPR compliance. It doesn't because:
    - Privacy Shield is based on the Directive that is superseded by GDPR;
    - Privacy Shield lacks transparency;
    - Max Schrems is (rightly) after it LINK;
  - There are businesses in Europe who care about your privacy, so in the absence of an adequate response, feel free to work with a company like ours.
- You may need to appoint a data protection officer. It's true.
  - But you don't always need to:
    - According to the IAPP, there is a shortage of 28,000 in the EU alone, for the businesses that actually require one;
    - Good ones are very difficult to source; the skills would be a combination of technology, data privacy and legal;
    - If your business is well run, it will almost be obvious whether you need one or not, but please read the regulation before asking the question;
  - If in doubt, I'd keep it simple: have someone, or a group of staff members, be the "Privacy Champions"; train them and listen to them.
- There are big fines. It's a favourite among the scaremongers who want to sell you encryption software etc.
  - The business may be fined if it does not comply. It's true.
  - The purpose of GDPR, to me, is to encourage businesses to clean up their databases and tidy up the way they work, thus avoiding the fines.
  - There are many examples of companies that are reckless with your data. I'll be blunt, but I don't think they deserve to be in business until they behave differently.
  - There are gamblers asking on every post: "What will the data protection authority go for first?"
    - Read their past annual reports; they are full of facts that will help you think of scenarios you may not have considered;
    - Past reports are facts, not speculation.
  - Do your GDPR work properly and you'll be "fine", not "fined".
- The regulation is long and complicated. It is long, but it's a well-written piece and reading it should be the starting point. In addition, White & Case have written a great piece to explain it, so that is worth reading too (note that I am not referring you to a law firm, but to a well-articulated explanation of GDPR).
- The "new constraints" will prevent you from doing business. It's not true.
  - They are not "new constraints". The privacy principles have been in existence for quite some time. If you never cared, bad luck, but don't blame the regulation.
- People have new rights under the GDPR. It's true:
  - the right to receive a copy of and/or access the personal data that your business holds about them, together with other information about the processing of their personal data;
  - the right to request that any inaccurate data held about them is corrected, or, if your business has incomplete information, to request that your business update the information so it is complete;
  - the right, in certain circumstances, to request that your business erase their personal data;
  - the right, in certain circumstances, to request that your business no longer process their personal data for particular purposes, or to object to your business' use of their personal data or the way in which your business processes it;
  - the right, in certain circumstances, to transfer their personal data to another organisation;
  - the right to object to automated decision making and/or profiling; and
  - the right to complain to the Data Protection Commissioner.
- Encryption solves the problem. It's incorrect.
  - Read again, because the regulation does not say that.
  - Encryption can contribute to securing some of the data, but it doesn't stop you from having it in the first place.
  - You need to know your data flow to know what to encrypt.
You will probably hear a lot less:
- about the reputation damage;
- about your larger clients, who will ask for reassurance and answers from your business;
- that personal data is not the same as "PII - Personally Identifiable Information". Personal data is broader, and the whole point of GDPR is to control what is not easily identifiable but could lead to identifying someone.
Setting a goal?
After reading the regulation, I came to the conclusion that the 72-hour breach notification deadline was the goal to aim for in order to demonstrate compliance: prepare for a data breach.
Because when you do, you probably solve 90% of the compliance work.
I acknowledge you want to avoid the breach, but if a breach does occur you'll be glad you listened to my advice. Let me explain:
If there is a breach, you need to demonstrate you took all measures to prevent it. Demonstrate means "document" (Article 30). A breach is not necessarily someone hacking your company network. It could be a staff member losing their briefcase, with or without a laptop in it.
What type of documentation is needed?
- Knowledge of the data you handle (data mapping)
  - Once you have done a data mapping:
    - you will know if you have a lawful reason to hold the data in the first place;
    - you will know what data has disappeared;
    - you will know the location of the data and, if it is located outside the EU, whether it meets the regulation's requirements.
- Knowledge of how long data should legally be kept for
  - Once you have set a record retention policy, you will be glad to know that data deleted when no longer needed will not be included in the breach.
- Knowledge of the computers and other types of data assets
  - Once you have done an inventory of assets, you should know the security measures in place to make the content useless to anyone not meant to access it.
- Rules
  - Once you have introduced policies and procedures, the privacy and protection rules will give staff a clear direction.
- Security
  - Once you have taken measures to secure the data, some breach risks will be reduced.
- Shared knowledge within the organisation
  - Once you have trained people, they will be more privacy conscious, and that will help a lot.
  - The training records will help the justification.
- Future proofing
  - Once you have introduced the concept of "privacy by design", new projects you conduct will meet the requirements of GDPR, e.g. "privacy first".
- Consent
  - Once you have listed the legal or legitimate interests for collecting data, you can focus on ensuring you have consent for the rest.
Please take a quick look at the 6 principles again, and try to figure out what principle you'll be able to comply with by documenting.
Planning
Because I am a good guy, I'll share some tips to speed up.
Becoming conscious
GDPR should not be seen as a burden. It may be one in the short term, but your business will benefit in the long term.
Senior management must think differently. I honestly think that if the business approach is not led by example from senior management, it will fail. The company must adopt a "privacy first" type of attitude.
GDPR is an opportunity to broadcast to the world that your business actually cares about the people it deals with. It's a Customer Relationship opportunity.
Inventory
There are several inventories to carry out:
- Staff and contractors
  - You need to know who to train and who uses what.
- IT equipment
  - You need to know what is on them and whether they are protected properly.
- Systems
  - What databases do you use to manage your business?
  - Can you easily extract the data if someone for whom you store data requests it?
- Network diagrams
  - You need to know that the data is transferred securely within your organisation.
- Non-IT
  - GDPR applies to non-IT too, so it's a good time to check what is stored in the filing cabinets.
- Suppliers
  - You need to ensure that suppliers with whom you share personal data are handling your data to GDPR standards;
  - If a non-EEA-based supplier "should be OK" because they are a large company, don't take their word for granted: if they are quiet or refer to Privacy Shield, beware.
- Clients
  - If you are a data processor, you need to keep a record of all systems supplied to clients.
- Procedures & Policies
  - If there are outdated (or non-existent) procedures, it's time to review them.
- Set company retention policies
  - This needs to be done to ensure you keep information for the right length of time. Do not delete data for the sake of it. Conversations need to take place in the business. I see a lot of data being deleted for no good reason.
Rather than trying to isolate the things that handle personal data, do an inclusive inventory using a tool like Bizoneo and filter afterwards. Also, identify the location of each piece of the inventory.
Bizoneo allows the centralisation of the inventory. When the inventory is complete, you can assign people in the organisation to investigate each piece one by one. Once again, the advantage of the database is that multiple people can maintain the data, and all the data is stored in one place, making it very easy for the person in charge of data protection to review the gaps.
Data mapping
You will draw diagrams of the data workflow. You can use PowerPoint to start, but there are dedicated tools for this such as Pencil or Visio.
In the diagram, there are start and end actions. In between, you need to put a block for each action, arrows to show the flow, and, with each block, how the data is stored.
The diagram will also be split by responsibility, so that each block is under the responsibility of a "process owner".
(The diagram will be replaced shortly by a better example)
Gap analysis
From the diagram and the inventory, you will be able to document "data points". This will help you identify whether the personal data should be there or not, as you need to justify its presence.
At that stage, it should be clearer what to do. If not, that's when you can get a truly knowledgeable person to help.
You can read the whole GDPR, but start by looking at the 6 principles and the lawful bases for processing.
The key additional things to worry about are:
- Does data leave the EEA? If so, what measures are in place to ensure compliance (Articles 44 to 50)?
- Do you have consent from people when the other 5 lawful bases are not met?
- Can you make sure you know how to retrieve the relevant data and communicate it to the data subject, in electronic format, in case of a subject access request?
- What do you do if there is a breach?
- Are there security measures in place? Oh, wait, this is one of the 6 principles...
Privacy policies
Under GDPR, the privacy policy describes in detail how your business handles personal data. You will probably need multiple privacy policies: HR, clients, prospects, and so on.
Privacy policies are the conclusion of the inventory carried out.
It's also why it's much easier for businesses that have used a tool such as Bizoneo to write theirs and keep them up to date.
How to choose someone to help?
Have a conversation with the person. Gauge their experience handling data and their ability to understand your business.
Conclusion
Go on, take a deep breath and go for it.
Going the GDPR compliance way will, in the medium to long run, give your business an extra competitive advantage: caring about privacy.
No need to call "Ghostbusters"... But if you are still confused, why not talk to a specialist (a real one)? It will cost you some money, but you will be well equipped.
- Claude Saulnier
Brand Ambassador - Bizoneo