Data protection law hasn’t undergone a significant update since the EU brought in legislation in 1995 – just six years after the birth of the World Wide Web. But GDPR is about to shake things up.
Now, 23 years later, the new law – known as the General Data Protection Regulation – will replace that aged directive on May 25 in a move that, according to the UK’s Information Commissioner’s Office, signals an “evolution” rather than a “revolution” for data protection.
GDPR is intended to strengthen and unify data protection law in the digital age. It means that any organisation – large or small – processing or controlling data in the European Union must comply with the legislation, which will be transposed into the national laws of each member state. Brexit doesn’t change this reality.
Organisations that commit serious infringements – such as repeatedly failing to seek customer consent to process data – will face fines of up to €20m (£17.7m) or 4% of their worldwide annual revenue, whichever is higher.
But despite the alarmist tone about GDPR coming from opportunist salespeople, the best advice for many organisations is to keep calm and carry on. Most organisations are already dealing with EU citizen data, and are required to comply with the existing 1995 data protection directive. It means that the infrastructure to handle GDPR is largely in place already.
GDPR is an opportunity to carry out a quality audit to get rid of bad practices and inappropriate procedures.
What you need to know
If your organisation is a public authority or body, or you deal with sensitive data on a large scale, or data processing is core to your operations involving “regular and systematic monitoring”, then you will need to hire a data protection officer (DPO). The DPO must be independent and should report directly to senior management. Tip: create an information protection unit (IPU) where legal experts and information security specialists from the IT department can work together.
Help the DPO run an “information asset audit”. In other words, map your data to determine which department is getting access to which data and for what purpose. Ensure good communication between the IPU and all internal functions, especially IT and marketing. Try to see the DPO as a figure who enables an organisation to function, rather than as just a compliance officer. The DPO can help you adopt “privacy-by-design” principles at the time of developing new applications and services relevant to your customers.
Once you have completed the data asset audit, the DPO will help you find the appropriate “legal basis” for processing in each case, and adapt procedures accordingly. Run “data protection impact assessments” every time data processing is considered highly risky.
Be careful with the way you seek permission to process someone’s data. Let the IPU revise your “notice and consent” forms. Explain in simple terms to customers what data you are collecting and how you are using that information. Give people an easy way to opt in to their data being collected and stored, and check the accuracy of their information. And remember to exercise their rights: access, rectification, erasure, restriction of processing and right to object. Find ways that allow people to access their data in digital form under “data portability” rights.
Let the IPU revise your internal and external information management and security procedures. You need to be sure that your IT providers – such as those offering cloud services – are GDPR compliant, and that high information security standards are adopted all along your data supply chain.
Revise data transfer and sharing agreements. Use “binding corporate rules” when appropriate. If you operate in various EU countries, make sure you know who your lead data protection authority is; you can ask for help on this from the independent data protection advisory board, the Article 29 Working Party.
Train your employees to handle data appropriately. From customer support service, to HR staff, up to the strategic intelligence unit, all employees must understand some basic lessons about information security and data subject rights contained in GDPR.
Keep a log of all the decisions you take and be ready to explain and provide evidence of full compliance at any time. Be prepared for the day after your organisation has suffered a data breach. You will have 72 hours before being required to notify the data protection authority and the media. Remember that GDPR is about managing risks and fostering an accountability culture; if correctly implemented, it will help you protect your reputation and your precious information.
Remember GDPR is not a choice between privacy or innovation: it’s about privacy and innovation. See it as an opportunity to stop storing data for future use and to better understand what data you need to retain. GDPR is an opportunity to reduce the risk of being the victim of a data scandal caused by poor privacy practices.
Foster dialogue within your sector to identify best practices and set new standards. Ask your data protection authority for advice and let your IPU learn from others and share their achievements and concerns. GDPR promotes the creation of codes of conduct and certification programs. GDPR is about improving industry standards – you are definitely not alone.
GDPR isn’t something organisations should fear as the clock ticks down to May 25. Take the right steps to build on your existing data-processing frameworks – the rest should be a breeze.