25 May 2018, the General Data Protection Regulation (GDPR) deadline, is less than 200 days away.
GDPR is becoming the most crucial piece of EU data privacy legislation; the due date is right around the corner and the penalties for non-compliance are severe (€20m or 4% of global annual turnover).
With attention to the regulation at its peak, there is now a growing concern about GDPR compliance among all organizations affected by it.
GDPR will increase privacy for individuals, and organizations must implement capabilities that ensure appropriate rights and adequate protection to safeguard the privacy of those individuals whose data they control.
Companies have a general obligation to implement technical and organizational measures to show that they have considered and integrated data protection into their processing activities (ICO).
In a series of blog posts, written in collaboration with CDI-Partners, we will walk you through the main topics and challenges of GDPR and provide you with some tips on how to address them.
In this first blog, let us focus on some GDPR buzzwords and explain their meaning.
In the subsequent blogs, we will dive into deeper detail on the 3 steps to take to get your company closer to GDPR compliance.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Identify the lawful basis for each of your processing activities under the GDPR, document it, and update your privacy notice to explain it.
That is a mouthful of words... It is clear that the EU legislator wanted to formulate "processing" in the most all-encompassing way possible, to prevent future discussions on whether someone is or is not processing data.
The new accountability principle in Article 5(2) requires companies to demonstrate that they comply with the principles and states explicitly that this is their responsibility. Companies must implement appropriate technical and organizational measures that ensure and demonstrate that they comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
In a world of hosting, outsourcing, cloud computing and so forth, accountability for data protection needed to be addressed in a clear and unambiguous way. In plain, non-legal language it comes down to this: whenever you are the key stakeholder in having the personal data of individuals stored, it doesn’t matter whether you do this yourself or have it outsourced, hosted or put in the cloud: you are accountable for protecting this personal data from any thinkable data breach, as stated in the GDPR. You have to ensure that any party you work with to process or manage the personal data you wish to process offers the same guarantees and implements the same GDPR-compliant measures as if you were doing it yourself.
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Public authorities and employers will need to take particular care to ensure that consent is freely given.
Here again, the GDPR leaves little to no room for interpretation: you can no longer assume implicit permission to use personal (identifiable) information beyond the specific purpose for which you obtained it.
A textbook example: an online bookstore (web shop) asks for your birthdate.
First of all: the birthdate must be optional, because you do not need someone’s age to sell them a book. Leaving the birthdate empty must therefore not block the order!
Second: if you wish to obtain the birthdate, you have to indicate for what purpose. Suppose you wish to offer similar books that people of a similar age would also like; you may ask for this information and use it solely for that purpose. The online user must express their consent to this use.
Third: if you wish to use the birthdate to send a discount voucher each year to thank the customer for their loyalty, this is a separate consent that has to be given by the online user.
Being transparent and providing accessible information to individuals about how you will use their personal data is a key element of GDPR. The most common way to provide this information is in a privacy notice. The GDPR says that the information you provide to people about how you process their personal data must be (1) concise, transparent, intelligible and easily accessible; (2) written in clear and plain language; (3) free of charge.
With the transparency requirement, GDPR wants to ensure that companies can no longer obscure their privacy practices in tedious and complex formulations that only professionals would understand. Privacy statements in hard-to-read (small) text that span multiple pages also have to become a practice of the past.
We hope you liked this first blog article on becoming more GDPR aware and preparing your company’s readiness.
In the next blog, we'll dive into the first of three steps to get closer to GDPR compliance: Managing Information.