The General Data Protection Regulation (GDPR) EU 2016/679 came into full force earlier this year - 25th May 2018. Since being published in the Official Journal of the European Union, back in May of 2016, a lot has been done by industries and organisations across the EU and EEA, but a lot more still needs to be done. The general feel is that this regulation was heavily undermined and to some extent taken for granted. Many of the smaller organisations took and are still taking a ‘look and wait’ attitude. But take note, the law is in full force and effect, and enforcement efforts will slowly ramp up. Even though the Supervisory Authorities have wide powers including investigative, corrective, authorisation and advisory powers, your data subjects (e.g. customers, clients, employees, processors and suppliers) – both past and current – also have the power and the right to lodge a complaint if and when they feel aggrieved by an organisation’s handling of personally identifiable data.
Whatever its nature and size, the organisation is legally obliged to be in compliance with the GDPR and any national implementing laws and subsidiary legislation. With a few simple steps, an organisation or business can understand to what extent it should move towards GDPR compliance.
The first step is to understand what personally identifiable data is being processed, how the organisation is requesting and collecting personal data through its various business operations, as well as the purpose(s) behind such processing. Through this data map analysis, the Organisation places itself in a position to clearly understand the types of personal data it collects and whether it falls within scope of the GDPR. The second step is to clearly understand what practices and procedures are in place in order to process this data and identify what efforts are required to fully come in line with the GDPR. Whilst the current security measures an organisation has in place may seem to be sufficient in practice, in reality, it may want to consider additional security measures to further mitigate the risks. At the same time it would be addressing its GDPR obligations. In doing so the organisation should always take into account the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Once it is clearly understood what personal data is being processed, and how and why it is being processed, the next important step is for the Organisation to have a clear understanding whether it needs to formally appoint a DPO, as per Article 37 of the Regulation, or whether appointing a Privacy Executive would suffice. Remember that, irrespective of the decision to appoint a DPO or not, the Organisation is legally bound to comply with the GDPR and is legally liable to any fines and penalties if found to be non-compliant.
In addition to this, it should now be also clear whether the Organisation is acting as a Data Controller in that it is acting in its own capacity to determine the purposes, means and extent of the collection of personal data. On the other hand, if the Organisation is carrying out various activities on behalf of another entity (normally abiding by strict instructions and parameters), then it would be acting as a Data Processor. However, the decision is not always so clear cut. Many entities and organisations may be acting as both a Data Controller and a Data Processor. The daunting task is to identify which processes and activities are being carried out as a Data Controller for which it would be considered the primary owner of the data, and which are those being carried out as a Data Processor.
By way of example, imagine a business entity providing outsourced payroll services for a large Corporation. The business entity would be carrying out such tasks and activities in line with some criteria and parameters dictated by the Corporation. Such parameters could include which category of employees, how are the procedures going to be carried out, what security measures are to be put in place, as well as with whom to communicate such data. (Keep in mind that in many cases, the payroll service providers would mainly carry out such services according to best practice and therefore many of these ‘instructions’ would be a given). But what if this business entity also provides other non-payroll services to other clients? What about the data pertaining to its own employees? What about the data collected for the marketing purposes? In the majority of these cases, the business entity would be acting as a Data Controller in its own right.
In accordance with Article 6.1 of the GDPR, all organisations have to provide and have a lawful basis to request, collect and process personal data. Processing is acceptable only if at least one of the following applies:
- It is based on the consent obtained from the individual data subject(s);
- It is necessary to comply with some legal obligation;
- It is necessary for the performance of a contract obligation between the organisation and the data subject(s) or in order to take steps at the request of the data subject prior to entering into a contract;
- It is necessary to protect the vital interests of the data subject or of another natural person;
- It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- It is considered as a business legitimate interest to achieve organisational goals and objectives.
An important factor that needs taking care of is that all privacy policies and notices are updated in accordance with GDPR requirements. The GDPR does not only give guidance as to the minimum requirements in terms of the information to be provided in such policies and notices but also directs organisations of how such information is to be presented. Amongst other things, Article 13 of the GDPR clearly states that such notices and privacy policies should include information pertaining to what personal data is collected, how it is being used, and what security measures are in place to protect such data whilst being used and stored, for how long that data shall be retained, and whether it will be shared with any third parties within the EU, EEA, or with other third countries. The policy and notice should also include the rights of the data subjects and what each individual can or should do to easily exercise their rights.
Document and audit
An organisation is not only obliged to be in compliance of the Regulation but it is also required to show (and prove) such compliance. It is therefore imperative that an organisation documents well all aspects of its business that could impact personally identifiable information pertaining to its various data subjects. Furthermore, it is advisable that each organisation develops a well-documented compliance program so that all areas are looked into, reviewed and updated on an ongoing basis, as necessary. In this way, from a GDPR aspect, the organisation is ensuring that it remains in compliance of the Regulation but is automatically carrying out a continuous improvement exercise.