Are you GDPR compliant? The General Data Protection Regulation (GDPR) became EU law on 25 May 2018. Some companies are not sure if and how it applies to them, and others are scared, thinking that they will not be able to handle personal data any longer or will have to pay millions of Euros in fines. As always, the reality lies somewhere in between.
Non-compliance may create serious problems, but unless your company is mainly working with personal data, the measures you may need to take may not be as revolutionary as some of the doomsayers may say. Some things need to change. You cannot just carelessly collect personal data about people and use it for whatever you want without permission. But that may not be a bad thing. In the past, different countries had different data protection regulations; some were tough, while others were more lenient.
The GDPR is tougher in some areas but more flexible in others. The good news is that the GDPR intends that more or less the same legislation is valid across the EU, which means that, by implementing it, you can work with any European country without problems. However, in reality, a member state may implement additions to the GDPR, and GDPR may also be a moving target.
Our journey
At Gislen Software, we have been working on making our company GDPR-compliant over the last few months. Our company is located in India but works mainly with European clients. Therefore, we need to take GDPR very seriously. Thanks to our work, we believe we have learned a few things. We want to share some of our new knowledge in this article. It should be said at the outset that we have no legal expertise. We recommend that you use legal experts to assess your preparedness. But at the same time, it is good to get a reasonably good picture of what needs to be done for your company. Don’t just trust your lawyer to get GDPR compliant.
GDPR in short
Basically, the GDPR requires that any establishment anywhere in the world which sells products or services to individuals in the EU/EEA (whether it charges for them or not) must have a reason to collect, store and process personal data. It may only use this data for the purposes it has declared, and those purposes must either be ones for which it must store the data (for legal reasons or to be able to run its business) or ones for which the person has given explicit permission. In addition, any individual about whom you store data has the right to request full details of all data you store, and to request changes, deletion or even export of the data in a standard format, where applicable.
You can’t keep personal data forever and must delete it once it is no longer relevant. In the case of a leak, you must inform the concerned data protection authority and possibly any person whose data has leaked within 72 hours of discovery. Overall, the GDPR is technology agnostic, has a broad definition of personal data and is based on self-assessed compliance.
The burden of proof is on the company. That means the data protection authorities don’t have to prove that you failed to follow GDPR. It is your responsibility to prove that your company is GDPR compliant. The data protection authorities have the right to warn or fine non-compliant companies.
Who has to be GDPR compliant?
Any establishment which provides products and services to the European Union or European Economic Area and collects or processes personal information, whether it charges for them or not, has to be GDPR compliant. The regulation covers personal data about people physically inside the European Union (i.e. it is not limited to European citizens or residents).
Any establishment interacting with a European or a non-European visiting Europe is covered, while any establishment interacting with a European or non-European outside the EU/EEA is not covered.
Note that person-to-person interaction is not covered, but an establishment that connects people with others is covered (social media, auction sites, etc.). Whether you are the prime owner of the data collected (controller) or a subcontractor (processor or sub-processor), GDPR applies to you, and you must still be GDPR compliant. However, the primary responsibility lies with the controller, who must establish a legal agreement with every processor. To make life easier, we recommend implementing a uniform process for personal data, treating everyone similarly, regardless of citizenship, residence or location.
What is Personal Data?
Personal data, as per the GDPR, is any data that uniquely identifies a physical person, their properties, and any actions/transactions related to that person. Personal data includes any data that can identify a physical person alone or combined and any attributes, actions, or transactions connected or linked to the same entity. Aggregated or anonymized data is not considered personal data.
Here are some examples of personal data: name, email address (including the sender/receiver of an email), mobile number, home address, and work address (if combined with any unique identification). Other forms of indirect unique identifiers include IP addresses and cookies. Suppose you have the address of a house in which many people live. On its own, it is not personal data, but if you combine it with something that makes it possible to identify one person (such as gender, age, hair colour, or car ownership), the set of data becomes personal data. This may be an issue when aggregating data. Sometimes, aggregated data is not aggregated sufficiently to ensure that it is impossible to identify a unique person. GDPR then applies to the data.
Note that a person may be mentioned in an email or a document. A photo of a person who can be identified is personal data. Therefore, you also have to consider the content of unstructured information.
A third party may be mentioned in an email or a document. Documents that include personal data are covered. Websites that set cookies, store IP addresses, accept data in forms, have user accounts, etc., are covered.
Reasons to store or process personal data
GDPR does not forbid you from storing and processing personal data. However, it says that you must have a reason to do so. Reasons to do so may be:
- There are laws in place which state that you must store data (such as bookkeeping laws)
- Your business needs to collect the data
- You have asked permission from the person to collect the data.
The last reason is the weakest. Getting permission from people in a dependent position, such as employees, may not be sufficient, as an employee may not be able to refuse or question the data collection. It may be better to justify storing the data because your business needs to store it. You may ask a customer for permission. Even so, you must still justify your reasons for collecting the data, and you are not allowed to use the data for reasons other than those for which permission has been given.
If you want to approach a prospect, you may collect data from a public source and send an email or call the person (since this is essential for your business). However, if you do this repeatedly without having asked for permission, it becomes a breach. Likewise, you may not need to ask permission to send an annual newsletter or similar to your clients.
There are some special clauses related to sensitive data. If you collect medical data or information about someone’s political or religious views, this data may need to be protected much more strictly.
Data Protection Officer
Public authorities must always appoint Data Protection Officers, and any establishment where personal data collection, processing, and storage are essential parts of the business must also do that.
A data protection officer must:
- Educate and train the staff of the company in the compliance requirements and how to process data
- Audit to ensure compliance and address issues proactively
- Be the contact person for the Data Protection organisations
- Monitor performance
- Maintain records of all data processing activities
- Interface with people whose data is stored, inform them about their rights and how the organisation protects their personal information.
- Have expert knowledge of data protection law and practices.
Representative in the EU/EEA
Sometimes, a company outside the EU/EEA has a representative inside the EU. This is described in Article 27 and Recital 80. As we understand, this is not required in all cases, but some member states seem to take a different view, so it is wise to investigate this carefully.
Keeping records
Unless the company is small (fewer than 250 people) and data processing is not a core activity, keeping records of what is being done regarding GDPR is compulsory. Records about permission received to store data and requests to view, edit, delete, or export data must be stored. Note that data about requests to delete may need to be kept even after the data itself has been deleted, but it cannot be used for any purpose other than to prove compliance.
How to get GDPR compliant?
You must map your data (not just in computer systems, but in physical form). For each data set, you must explain why you need it, how long you will keep it, what measures you have to protect it, etc.
Keep in mind that personal data may exist on staff devices: company-provided laptops and personal (BYOD) devices such as mobile phones. Data may also exist in cloud-based personal services such as Skype and Dropbox. You need to map all such data.
It may be possible for a small company to manage this. But what would you do if an employee leaves? Can you ensure that all data is deleted? What happens if a laptop is stolen? Was it encrypted? Are you ensuring data is erased from hard disks before a laptop is reused or scrapped? These are examples of how GDPR compliance will demand new policies, procedures, and technical solutions.
Note that compliance is not verified in advance, but you must nevertheless be GDPR compliant. If you are reported to a Data Protection Authority in the EU, it is you who must demonstrate your compliance; the authority does not have to prove your lack of it. Compliance is not optional.
Transparency
Basically, for all such data, the company must be transparent about what data it collects and how it is processed. It has to explain WHY there is a need to collect the data, which can be for legal reasons, because it is needed to run the business (such as a customer database or contact details for an invoice, etc.), or because it has explicit permission.
Explicit permission means explicit. It is no longer possible to have implicit opt-in for setting cookies, so the user must accept that a website sets cookies before any cookies are set.
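As an added illustration of what "explicit means explicit" looks like in a website's own code (example code written for this article, not part of the original text or of any Gislen Software system): a small consent gate that writes only essential cookies until the visitor explicitly opts in, and removes a category's cookies again when consent is withdrawn. The names `createConsentGate` and `memoryJar`, the cookie categories and the sample cookie values are assumptions made for the demo.

```javascript
// Added example, not code from the original article: a consent gate that
// refuses to write non-essential cookies until the user has explicitly opted
// in. The cookie jar is injected so the code runs outside a browser (a page
// would wrap document.cookie); category names here are constructed.
const ESSENTIAL = "essential"; // session/security cookies need no consent

function createConsentGate(jar) {
  const consent = new Set([ESSENTIAL]); // default state: nothing beyond essential
  const placed = new Map();             // category -> Set of cookie names written

  // Writes the cookie only if its category is consented; returns whether it did.
  function setCookie(name, value, category) {
    if (!consent.has(category)) return false; // "continue browsing" is not consent
    jar.set(name, value);
    if (!placed.has(category)) placed.set(category, new Set());
    placed.get(category).add(name);
    return true;
  }
  // Call only from an explicit user action (a click on "accept"), never from
  // scrolling, closing the banner or a pre-ticked checkbox.
  function grant(categories) { categories.forEach((c) => consent.add(c)); }
  // Withdrawal must be as easy as consent: drop the category and its cookies.
  function withdraw(category) {
    if (category === ESSENTIAL) return;
    consent.delete(category);
    (placed.get(category) || []).forEach((n) => jar.delete(n));
    placed.delete(category);
  }
  return { setCookie, grant, withdraw, hasConsent: (c) => consent.has(c) };
}

// In-memory stand-in for document.cookie, constructed for the demo.
function memoryJar() {
  const store = new Map();
  return { set: (n, v) => store.set(n, v), delete: (n) => store.delete(n),
           names: () => [...store.keys()] };
}

function demo() {
  const jar = memoryJar();
  const gate = createConsentGate(jar);
  gate.setCookie("sid", "s1", ESSENTIAL);                         // written at once
  const wroteEarly = gate.setCookie("_ga", "GA1.1", "analytics"); // false: no opt-in
  gate.grant(["analytics"]);                                      // user clicked accept
  gate.setCookie("_ga", "GA1.1", "analytics");                    // now written
  const afterConsent = jar.names();                               // ["sid", "_ga"]
  gate.withdraw("analytics");                                     // user changed mind
  return { wroteEarly, afterConsent, afterWithdrawal: jar.names() }; // ["sid"]
}
```

In a real page the analytics loader itself (not just its cookie) should sit behind `hasConsent("analytics")`, since a third-party script can set cookies on its own.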
All persons you have personal data about have a right to request –
- details of all data stored about him/her (without charge)
- changes to incorrect data
- deletion (or anonymisation) of data about him/herself (unless there are laws which force you to continue to keep them)
- export the data in a standard format (whenever applicable)
Suppose the reason you store data is based on legal compliance. In that case, you may not be allowed to delete data until the law allows you to do so, e.g. you may, for legal reasons, have to store supplier or customer invoices for a particular time. Still, a client may even, in this case, request that you don’t use the data for marketing or sales.
No legal language
One important aspect is that having a data policy written in legal language is not enough. GDPR requires that you communicate clearly why you store data and what you do with it.
Obligation to report
If you know about a data leak, you must inform the relevant authority in the country of the EU subject (and possibly the person also) within 72 hours. This may be tough during long holidays, and you may have to consider your preparedness. If you know about a data breach in the afternoon on the Thursday before Easter, you must still report the violation by Easter Sunday afternoon at the latest. Christmas and other religious holidays present challenges similar to bank and public holidays.
Consequences of non-compliance
The data protection authorities will now have the right to warn or fine non-compliant establishments. Fines can be as high as €20M or 4% of global revenue, whichever is higher.
Note that this applies to establishments selling products or services to the EU where personal information is collected or processed. The EU obviously may not have jurisdiction for transactions outside of the EU, so any data about EU citizens initiated when they travel outside the EU would, as far as we understand, be exempted, at least if that establishment has no business in Europe.
However, if a European establishment provides personal data to a non-EU company (an Indian company such as ours, for instance), the former is considered the controller and the Indian company the processor. For such work, GDPR demands an agreement between the two establishments to establish responsibility and accountability. This is particularly true for third countries.
There is an agreement between the USA and Europe. However, for outsourcing to India, a contract must satisfy EU standard clauses. It is essential to understand that even non-EU establishments dealing with EU citizens must be GDPR compliant.
Need for processor agreements
You would also need a processor agreement with any third party involved with your websites, such as the hosting company, Google Analytics or any other tracking company. The same applies to any subcontractor or partner with whom you share personal data about your employees, customers or clients.
More information
The GDPR is found here! The recitals, which are sometimes easier to understand, are found here!
Standard agreements may be helpful if you work with a company outside the EU or if you are a company outside the EU that deals with European clients and, in the process, accesses or processes personal data. Find out here!
You may find more info here! (This is for the UK. But the principles are more or less the same for the entire EU/EEA)
Conclusions
In this article, we have covered GDPR and what you need to think of to become GDPR compliant. GDPR may not be very cumbersome for many companies, but compliance may still mean a substantial amount of work if your company handles a lot of personal data. If you need help ensuring your IT systems are GDPR compliant, we would be happy to help you. Here, you can find details of our software development services. In future articles, we plan to give some detailed advice – mainly on how to make your website GDPR compliant.