On May 25, 2018, a General Data Protection Regulation (GDPR) will be implemented in Europe.
This new application will harmonize legislation about data protection among the member of the EU states and determine the rights of every consumer in the EU. The customers will be able to ask What data do you have on me ?
to every legal entity exercising in the EU or having even one customer based in the EU. Companies should be able to extract that information.
However, those companies may be able to have unitary data protection concepts for their EU subsidiaries.
Today some local governments and corporations are already on the move for the upcoming european general data protection regulation.
GDPR is an all-time assessment, not a one-time precaution and it impacts all kinds of software and information systems.
Initial Know-How for data protection
What is the definition of personal data ?
According to law it means :
Any information relating to an identified or identifiable individual ; directly or indirectly, in particular by reference to an identification number (e.g. social security number) or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (e.g. name and first name, date of birth, biometrics data, fingerprints, DNA…)
Personal Data : definition, CNIL
The definition is wide, yet it implies that GDPR is applicable if and only if the data is established as personal. Otherwise, if the data is truly confirmed as “anonymised” there is no GDPR application.
How do you get started ?
You must identify what type of data you have, then file documentation according to them. It’s a long process that should be taken care of right now.
While inventorying the data you collected, it is important to know :
- Where you keep them
- Externalized or internalized
- Cloud, hard copies, server, Saas…
- Europe, US, Asia…
- What type of data do you own
- Personal,
- Public,
- Nominative,
- Sensitive…
- How you collected them
- Self-declared by the consumer,
- Behavioural,
- Opened…
- Why you collected them ?
- To provide service and adapted offers,
- For statistical purposes,
- To advertise…
- How are you going to use them ?
- Marketing
- Commercial
- Administrative purposes
- How long you are going to keep them
- Few weeks
- Few months
- Few years…
- Who can access them ?
- Everyone
- The data controller and/or the data processor
- No one…
Once identified it is crucial to share the “why” And “how” to your customers. Reassure them on “what” you have on them and “where” you stock that data in order to erase the information right away if asked.
Privacy by Design
In short,
privacy by designmeans that each new service or business process that makes use of personal data must take the protection of such data into consideration. An organization needs to be able to show that they have adequate security in place and that compliance is monitored. In practice, this means that an IT department must take privacy into account during the whole life cycle of the system or process development.Privacy by Default
Privacy by Defaultsimply means that the strictest privacy settings automatically apply once a customer acquires a new product or service. In other words, no manual change to the privacy settings should be required on the part of the user. There is also a temporal element to this principle, as personal information must by default only be kept for the amount of time necessary to provide the product or service.
“Data Protection by Design and by Default“, EU Data Protection Regulation
Handling Personal Data
Handling data is any kind of transfer or transformation of personal data. Thus the Data Controller and the Data Processor are both subject to the general data protection regulation (Art.4 (2)) .
The Data Controller represents the entity which determines the purpose and the means of the processing of personal data (Art.4 (7)).
The Data Processor represents the entity which processes personal data on behalf of the controller (Art.4 (8)).
In other words, the first one selects the needed data while the second follows the guidelines to collect them. Once the GDPR will be implemented, the responsibility will be shared between those two parties. Make sure that any data processor you are working with follows correctly the GDPR assessment (erasure, accessibility, storage…) or you may be in a personal data breach (Art.4 (12)).
Beware of Sensitive data
Beware of sensitive data (bank, health…). If your company uses this type of data on a large scale. You will then need a Data Protection Officer, extern or intern to your company. This officer is there for guidance to have a proper data protecting assessment. Many EU countries already have a legislation in place to qualify the nature of a sensitive data
and the way to collect, store, retrieve them from a certified and secured database.
Consent is rule
‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes
Art.4 (11)
The customer must be fully aware and see accurate information on all relevant issues. Such as :
- The nature of the data processed
- The purpose of processing
- The Identity of the controller
- The identity of any other recipient of the data
That information should be explicit, unequivocal, easy to find and highlighted before collecting any personal data. The customer must understand the essence of your activity.
The implementation of this consent rule is a valuable proof of your commitment to data protection regulation. Failure to comply with this consent requirement puts you in a non-compliance situation.
More about consent here.
Breach assessing the situation
When and how are you considered in breach ?
You are in breach whenever you have a violation of security leading to an accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed Art.4 (12).
In other words, as soon as your personal data is compromised due to a failure of security. You are in breach.
How to prepare yourself for data breach ?
- Train your team/employee and raise their awareness and knowledge on data protection
- Prove what good you have done for general data protection regulation
- Check customer consent at any scale
- Know your GDPR
- Know how to identify a breach to prevent high penalties
Penalty, don’t learn the hard way
Penalties include, among other things, a pecuniary form. The amount depends on how you managed your breach. It can go up to 4 % of worldwide companies’ turnover.
Three criteria enter into consideration when there is a penalty involved
- Time in which you managed the breach (especially the time to clog the breach)
- The extent of the security breach.
- The notification to the GDPR authority.
That is why it is important to know where you keep and store personal data. To be able to extract or erase it as “fast” as possible. Control your data in order to apply erasure. It’s the main criteria of the regulation. Also, it’s a way to prove your commitment to the GDPR application.
How to manage data breaches
They are at least two actions to undertake :
- Inform within 72 hours the competent Data Protection Authority (DPA) after having identified the data breach.
- Notify your customers. It is required if the breach is likely to cause a damage on their rights and freedoms.
Right-to-be-forgotten and data control
What does this imply ?
- Request from customers to the Data Controllers to erase the data they hold about them
- The exercise of this right is possible only under certain circumstances :
the purposes for which the data was collected cease to exist, or the personal data is not anymore relevant for the purposes, etc. - The customers will be able to administer their data more easily thanks to Data Portability. Note on this subject, the article 20 “right to data portability” does not mention an automatic erasure of the data following the use of the right of portability. Moreover the user can very well use it several times to go to different responsible for treatment. Nevertheless nothing prevents him from using his right to erase (article 17 “right to erasure”) if he wishes it once he has retrieved his info.
How can you prove your commitment to GDPR ?
Thereby, implementing GDPR will be easier if all information about customers is recorded in one single database available for different systems that process customer data, especially regarding :
- Consent and proof of consent
- Limitation of processing purposes
- Right to erasure and right to be forgotten
- Right to data portability
Informed consumer
measures
- Technical and organizational security measures for automatic decisions, including profiling
Remember, if asked all information should be given back simply and made accessible to the customer.
To Sum Up
If your company has any kind of activity in the EU or even one user in the EU. You should follow general data protection regulations.
Prepare yourself for 2018 by doing implementation studies now, make things automatic, act fast with authority to be in the best position for the general data protection regulation in 2018. You will need a balance between business enablement, data security and data protection.
While implementing, legal requirements (other than GDPR) should be acknowledged and carried out depending on which country (EU member) you operate from. Flexibility is your focus and it does not imply a burden to business-related purposes.
Three key elements to remember :
- Proof of commitment to the General Data protection regulation
- Consent and proof of consent
- Instant erasure of personal data when asked