GDPR - What is it and How to Comply.

Adopted on the 27th April 2016 there were a large amount of changes to the 1995 General Data Protection Regulation (GDPR) which become enforceable on the 25th May but what does it mean? And how can you stay compliant? We discuss the changes and a 5 point plan to becoming compliant.

What is GDPR?

The GDPR is an EU regulation which addresses the export of personal data outside the EU by aiming to help residents take back control over their personal data and simplify regulations for international business. 

Key Changes.

The changes to the GDPR are complicated in some places but we will outline them below:

Data Subject Rights. 

Breach notification. 
A breach notification must be made ‘without undue delay’ and within 72 hours of a data breach that ‘results in a risk for the rights and freedoms of an individual’ 

Rights to Access. 
Data subjects will have the right to to obtain confirmation as to whether their personal data is being processed. The controller must provide details of where data is being used and for what purpose and also provide free electronic copies of the data in question. 

Rights to Access. 
Data subjects will have the right to to obtain confirmation as to whether their personal data is being processed. The controller must provide details of where data is being used and for what purpose and also provide free electronic copies of the data in question. 

Right to be Forgotten. 
Data subjects will now have the right to request their data is deleted and that any processing on said data is stopped. This includes data held by third parties. 

Right to Data Portability
Allows individuals to obtain and reuse their personal data across different services by allowing them to move, copy or transfer data from one environment to another in a secure way. It can be used by consumers to understand their spending habits or to obtain a better deal using applications or services. 

Privacy by Design. 
This states that the design process of new systems and legislation must consider data protection and user privacy from the start of the design process. This includes building new IT systems, developing legislation, using data for new purposes. Companies must integrate privacy policies into existing project management and risk assessment methods. 

Data Protection Officers. 
You must appoint a Data Protection Officer (DPO) if:

  • If you are a public authority
  • If you carry out regular, large scale systematic monitoring of individuals such as online behaviour tracking.
  • If your core activities include large scale processing of special categories of data such as criminal convictions. 

You can also appoint a DPO voluntarily should you wish to however the requirements of the position and tasks still apply. 

 The DPO is not liable for your data protection compliance. It is the controller or processor that is responsible. The DPO does however help you with data protection obligations by fulfilling international record keeping requirements. 

The DPO:

  • Must be appointed because of professional qualities such as knowledge of data protection law and policies. 
  • May be hired internally or externally.
  • Must provide their contact details to the DPA and must be contactable by staff.
  • Must report to the highest level of management.
  • Must not carry out other tasks that could count as a conflict of interests.
  • Must have the correct resources and training provided.

Appointed DPO’s and internal record keeping will replace the current system of notifications to the local DPAs. 

Increased Scope. 
The GDPR will now apply to all companies processing personal data residing in the EU regardless of where the company resides and regardless of whether payment was required.  The GDPR was previously ambiguous and the topic has arisen in a number of high profile court cases. 

Organisations in breach of the GDPR may be fined is up to 4% of their annual turnover or up to €20 million (whichever is greater) for the most serious mistakes such as violating the privacy of design concept or not having customer consent to process data.  There are tiered fines for a variety of different infringements such as 2% for not having records in order. These fines apply to controllers and processors and even clouds need to consider GDPR. 

The request for consent must now be given in a clear and easily accessible form. The form cannot include pre-ticked boxes.  The form must divulge the purpose for data processing and name any third party controllers or processors. It must be as easy to to withdraw consent and controllers and processors must keep evidence of consent. 

Now we understand the changes to the GDPR, how do we go about compliance? Here is a handy 5 point plan to help you:

1. Establish your framework and understand the legal implications. 
The first step is to make sure your management and staff understand the changes and gain their support for compliance. Hire your DPO and allow them to audit your company and start to incorporate data protection risk into your corporate management. 

2. Create your plan. 
You will need to document your process. Start a data discovery process and document all your steps and discoveries. This will allow you to identify the scope of your project and identify areas that do not meet the standard. It also aids your company in proving your work to the DPA should you make any mistakes. 

3. Understand your data. 
Once your inventory is underway you will be able to classify your data, who has access to it and the processes needed to protect it. You can also map data flows into, within and out of your organisation.

4. Develop your policies. 
Starting with your most critical data develop operation policies, processes and procedures:

  • Create your record of personal data processing from your inventory and data flow maps; Article 30 documentation. 
  • Ensure consent quality meets new requirements.
  • Bring policies and privacy to GDPR standards.
  • Review and update customer and supplier contracts.
  • Make plans for how to handle data access requests within the allotted time scale. 
  • Secure all personal data.
  • Make sure procedures are in place for detecting, reporting and investigating breaches of personal data. 
  • Ensure all data transfer mechanisms are compliant. 

5. Rinse and repeat. 
As you find your way through this process you will most likely find new things which will need processing from the beginning. Continue your record keeping of all GDPR work. Integrate privacy by design standards by considering this when building new systems and procedures. 

This is a very complicated change of rules and care must be taken not to miss small details as the penalties are heavy. For those needing more detailed information, the Information Commissioner's Office offers a fantastically detailed guide to the regulations. 


Photo credit to Dennis van der Heijden