1. What is the GDPR?
Since the mid-1990s, European legislation that protects the confidentiality of personal data has been mainly based on the European Directive 95/46 / EC: the Data Protection Directive.
The objective of the General Data Protection Regulation (GDPR) is to protect all citizens of the EU against privacy breaches in an increasingly data-based world (internet, social networks, e-commerce, IoT, big data, cloud …), very different from when the 1995 directive was established.
The General Data Protection Regulation will replace local data protection laws in all EU countries on 25 May 2018.
The GDPR will have a major impact on the way organisations collect and process personal data.
« Personal data » means data which directly or indirectly identifies or makes it possible for an individual to identify himself or herself in relation to his / her private, professional or public life, such as names, identification numbers, location data and online identifiers, regardless of whether these data belong to clients, employees or other individuals.
2. Why should we care?
All large and small organisations that deal with information about individuals will have to adapt quickly. Organisations violating the GDPR may be fined up to 4% of their annual worldwide turnover or 20 million euros (the highest amount retained).
Organizations have a lot of work to do to get into compliance by May 25, 2018.
3. Important changes to the confidentiality rules
The objectives of the GDPR can be broken down into six tasks and key obligations for any organization that processes EU data:
a) Privacy rights:
The GDPR improves the rights of those concerned in the EU.
For example, it codified and clarified the ability of data subjects to request access to their information and to erase it. In addition, organizations should facilitate access to personal data, with clear and easily understandable information about treatment. The provision of this information will enable the persons concerned to understand how their data are used.
b) Security of personal data:
Organisations will now be required to report data violations to regulatory authorities within 72 hours and, in high-risk scenarios, to follow this notification by notifying those whose data may have been compromised.
Organisations have an obligation to take security measures: even if you do not have a data breach, you can still be in violation of the regulations if you do not take proactive measures.
Organisations will need to implement technical and organisational measures (staff training, internal auditing of processing activities, review of HR policies, internal data protection policies, etc.) in order to ensure an appropriate level of risk including where appropriate:
- Anonymization or pseudo-anonymisation and the encryption of personal data
- The ability to maintain the confidentiality, integrity, availability and ongoing resilience of processing systems and services
- The possibility of restoring timely availability and access to personal data in the event of a physical or technical incident
- A process to regularly test and evaluate the effectiveness of technical and organisational measures to ensure the safety of treatment
c) Legality and consent:
The processing of personal data will be lawful only if one of the six factors listed in the GDPR is at stake (for example, if it is necessary for the execution of a contract or if it is required for one other regulatory reason).
Consent is also one of these factors, but under the GDPR, consent will be even more difficult to demonstrate.Consent must be explicit for sensitive data. The data controller must be able to demonstrate that the consent has been given. The conditions for obtaining consent have been strengthened and companies will no longer be able to use illegible and unlimited terms and conditions.
d) Accountability:
Organisations should expect regulators to exercise their powers of access to data and premises and, more generally, be able to demonstrate compliance with GDPR principles relating to personal data. Mechanisms to provide this evidence – including the conduct of data protection impact assessments, compliance with codes of conduct and proactive certification search through approved mechanisms – will be available but not been fully defined.
e) Confidentiality and security by design:
It will be mandatory when designing a new system, process, service, etc. which deals with personal data to ensure that data protection considerations are taken into account at the early stages of the design process. In addition, organisations must be able to prove that they have done so. Secondly, when the system, process, service, etc. to design includes choices for the individual on the number of personal data he shares with others, the default setting must be the most privacy-friendly.
f) Increased territorial scope (extraterritorial applicability)
The new principle of extraterritoriality in the GDPR states that even if an enterprise does not have a physical presence in the EU but collects data on the relevant EU persons – for example through a website – all requirements of the GDPR are in effect. In other words, the new law will extend outside the EU. This will particularly affect e-commerce companies and other businesses in the cloud.
4. How to prepare?
a) Create a data inventory
The regulation will require that the personal data held, will be documented and indicate where they originate, where they are transferred and how they are secured throughout their life cycle. Begin by making an inventory of all the data flows as well as the data treatments to which you engage.
For example, verify that the data subject has given his / her consent or that you can prove that you have a legitimate interest in processing this data. Companies often assume that they must obtain the consent of data subjects to process their data. However, consent is only one of many ways of legitimising processing activity. If you rely on consent, verify that your documents and contracts are adequate and verify that the consent is given freely. You will bear the burden of proof.
b) Establish a data breach response procedure
Make sure you have the procedures and processes in place to detect, report and investigate a data breach. Establish clear policies and procedures to ensure that you can respond quickly and notify the authorities and in some cases the persons concerned in a timely manner.
c) Establish an accountability framework
Make sure you have clear policies in place to prove that you meet the required standards. Establish a culture of monitoring, reviewing, and evaluating your data processing procedures to minimise the processing and retention of data and to establish safeguards.
Check that your staff is trained to understand their obligations.
d) Embracing privacy and security by design (Privacy and security by design)
Make sure that confidentiality is incorporated into any new treatment or product that is deployed. This should be thought of at the beginning of the process to allow for structured evaluation and systematic validation. Implementing confidentiality « on purpose » can both demonstrate compliance and create a competitive advantage.
e) Analyze the legal basis on which you use the personal data
Check your terms & conditions and privacy policies. The GDPR requires that the information provided be written in plain language. Your policies must be transparent and easily accessible.
f) Take into account the rights of data subjects
Prepare for the individuals concerned to exercise their rights under the GDPR, such as the right to data transfer and the right to erase (rights to be forgotten).
g) If you are a supplier to others
In the past, only data controllers were considered responsible for data processing activities, but the GDPR extends accountability to all organisations that use personal data.
The GDPR also covers any organisation that provides data processing services to the data controller, which means that even organisations that are purely service providers who work with personal data, should limit their actions to what is necessary in light of the purposes for which they are processed (data minimization).
Check if your contract documentation is adequate and, for existing contracts, check who pays for the change in services due to changes in laws or regulations. If you obtain or provide data processing services from a third party, it is very important to identify and document your respective responsibilities.
h) Cross-border data transfers
For all international data transfers, including intra-group transfers, it is important to ensure that you have a legitimate basis for transferring personal data to jurisdictions that are not recognised as having adequate data protection.
5. Cost or opportunity?
At first glance, the GDPR is a regulatory constraint for businesses.
But by investing appropriately in your GDPR project, you can create additional value for your business.
It is important to make sure your clients feel safe. The fact that customers are increasingly concerned about the disclosure of personal data creates a new opportunity for businesses. If you can establish a sense of security and trust with your customers by giving them a guarantee that their information is secure, this can give you a competitive edge.
The answer is also found in the personal data itself. You surely heard the phrase now overused « Data is the new oil ».
Very often, the data remain in the systems. They are stored, but not exploited because in raw, unconsolidated and hardly accessible formats.
It is only when different departments in a company begin to share or have easy access to relevant consolidated information that they can innovate and begin to improve performance, reduce costs and do better fact-based planning rather than hypotheses.
A GDPR project is an opportunity to enhance the data stored in the company. When inventorying data, an analysis can be conducted in order to make the best use of the information available and to improve its ability to make relevant decisions in its activity.
6. How can we help you prepare?
Our multidisciplinary team of experts in cyber security and data privacy, change managers, lawyers and business managers can help you understand the impact of the GDPR on your company, prepare a compliance action plan that will consider all the aspects: legal, human, process, business, technological and generate value for your business.
Examples of tasks we can perform:
- Assessing the impact of data protection (DPIA) on your business
- Inventory of flows of all personal data processed and classification of confidentiality
- Assessing the maturity of data protection and its impact on business processes, projects, systems and business
- Implementation of a data protection program (Iso27001, NIST, …) in order to take appropriate information security measures to ensure the confidentiality, integrity, availability and resilience of data processing systems and services
- Legal analysis of compliance with data protection legislation
- Drafting of legal documents: contracts with subcontractors, contracts with customers, general conditions, privacy rules, …
For more information, contact us:
IT-as-a-Service Consulting
18 avenue Jean XXIII, 1330 Rixensart – Belgium Tel: +32 2 318.12.71 web: www.itaasc.com email: gdpr@itaasc.com