Seven steps to GDPR

Strict new data-processing regulations come into force next year. Nik Rawlinson details seven measures that will help you prepare

PC Pro, November 2017, Issue 277

Strict new data-processing regulations come into force next year. Here’s how to get ready.

The EU’s new General Data Protection Regulation (GDPR) comes into force in May 2018, creating new rights and responsibilities over the handling and processing of personal data. All British businesses will be affected, as the UK will still be a member of the Union – and even after the UK leaves, you’ll need to follow the rules if you want to offer any type of service to the EU market. Indeed, there’s a good chance that the GDPR will be adopted into UK law. So it makes a lot of sense to act sooner rather than later and get your business ready.

GDPR replaces the 1995 Data Protection Directive, strengthening individuals’ data-protection rights and synchronising those rights throughout the European Union. Almost all businesses will have to update their processes to be compliant, but overall it should become easier for companies outside the EU to do business with the bloc, as there will only be one set of rules to follow.

The impact is so widespread partly because the GDPR covers everything and anything that can be considered personal data. That doesn’t just mean photos, spreadsheets and documents, but things as basic as names and social networking posts. If you keep an electronic list of customers, you need to comply; likewise if your website logs visitors’ IP addresses, you send out newsletters, you use a European cloud service (or store EU-relevant data on a non-EU cloud service, such as emails to and from EU citizens on a webmail service), and so on. There are exceptions, but these largely apply to employment and national security issues, or to individuals processing data at home for personal use.

The penalties for serial non-compliance are stiff, topping out at €20m or 4% of your company’s annual worldwide turnover – whichever is greater. These seven steps should help you avoid falling foul of the law, but the political situation is still developing with regard to post-Brexit rules: see the Information Commissioner’s Office’s overview at pcpro.link/277gdpr for the most up-to-date information.

1 Focus on Privacy by Design

Make privacy inherent in everything that you design, be it a process, a product or a website. That way, no further data-protection measures should be required. Don’t assume that offloading your data to a third party is a way around this requirement, either: it’s your responsibility to make sure they’re compliant.

The requirements include end-to-end encryption, transparency, and the ability for users to identify themselves – when required – without passing non-essential sensitive data. That means that, for example, if you need someone to prove that they’re over 18, they should be able to do so by some means other than entering credit card details. Any identifying data you collect should be anonymised, such as by “hashing” names at the point of capture, so they’re represented by long but unique strings of meaningless data.
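The hashing advice above needs one practical refinement, which this added Python example (mine, not the article’s or the ICO’s) demonstrates. A name comes from a small, guessable space, so an unkeyed hash of it can be recomputed by anyone who holds a list of candidate names; a keyed hash (HMAC-SHA256 under a secret key kept apart from the data, simulated here with a random key) cannot. The keyed token still links one subject’s records together, and under the GDPR that counts as pseudonymisation rather than anonymisation, so the records remain personal data and the other steps still apply. The example also applies the article’s over-18 point at capture time, keeping only the yes/no answer and discarding the date of birth. The names, dates and key handling are constructed sample values and assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Constructed sample input: names typed into a sign-up form.
CAPTURED_NAMES = ["Alice Example", "Bob Example"]


def plain_hash(name: str) -> str:
    """Unkeyed SHA-256 of a name: deterministic, but anyone can recompute it."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


def keyed_pseudonym(name: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalised name under a secret key.

    The same name always yields the same token, so records still link up,
    but without the key the token cannot be recomputed from a guessed name.
    The key is assumed to live in a secrets store, never beside the data.
    """
    normalised = " ".join(name.split()).casefold()
    return hmac.new(key, normalised.encode("utf-8"), hashlib.sha256).hexdigest()


def can_be_matched(token: str, candidates, hasher) -> bool:
    """Design check: holding only the token and a candidate list, can a party
    recompute the token with the hasher available to them?"""
    return any(hmac.compare_digest(hasher(c), token) for c in candidates)


def capture(name: str, date_of_birth: str, key: bytes, today: str) -> dict:
    """Record built at the point of capture: a keyed pseudonym in place of the
    name, and only the fact needed (over 18 or not) in place of the birth date.
    Dates are ISO strings (YYYY-MM-DD)."""
    dob = date.fromisoformat(date_of_birth)
    now = date.fromisoformat(today)
    age = now.year - dob.year - ((now.month, now.day) < (dob.month, dob.day))
    return {"subject": keyed_pseudonym(name, key), "over_18": age >= 18}


def demo() -> dict:
    """Compare the two schemes on the sample names; returns the check results."""
    key = secrets.token_bytes(32)             # assumed to come from a KMS/HSM in practice
    attacker_guess = secrets.token_bytes(32)  # a party without the real key can only guess
    out = {}
    for name in CAPTURED_NAMES:
        plain = plain_hash(name)
        keyed = keyed_pseudonym(name, key)
        out[name] = {
            "plain_recomputable": can_be_matched(plain, CAPTURED_NAMES, plain_hash),
            "keyed_recomputable_without_key": can_be_matched(
                keyed, CAPTURED_NAMES, lambda c: keyed_pseudonym(c, attacker_guess)),
            "keyed_links_records": keyed == keyed_pseudonym(name, key),
        }
    return out


if __name__ == "__main__":
    for name, checks in demo().items():
        print(name, checks)
```

The normalisation step (collapsing whitespace and case-folding) is there so that the same person typed slightly differently on two forms still maps to one token; if you need that linkage to survive a key rotation, the old and new tokens have to be mapped during the rotation, which is one more reason to treat the key as a managed secret rather than a constant in the code.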

If you think the EU is being unfairly strict here, it isn’t: it’s playing catch-up. The US Federal Trade Commission recommended Privacy by Design in 2012, two years after it was unanimously recognised as an essential component of privacy protection at the annual conference of International Data Protection and Privacy Commissioners in Jerusalem.

2 Ensure you remain accountable

Adopting privacy-centric business processes is crucial, but it’s not enough: you must also be able to prove that you’ve done so, if asked. That means documenting the discussions and processes that contributed to your final implementation. This is as much a protection for yourself as it is a way of reassuring your customers, since it enables you to show that the available protection measures were considered and incorporated in your business.

On top of this, any staff who might handle personal data must be adequately trained; you’ll need to devise and implement a robust internal data-protection policy that complies with every aspect of GDPR.

If you have more than 250 staff members then some additional requirements apply: you will need to retain written internal records of all data-processing activities, descriptions of technical and organisational security measures, and documentation of any safeguards applicable to data-transfer mechanisms, among other details. These may be requested by a Supervisory Authority to check your compliance, so the more detailed and extensive your records, the better.

Performing a Data Protection Impact Assessment (DPIA) will help you assemble this documentation, and spot any potential weaknesses in your data-protection measures. The Information Commissioner’s Office recommends conducting a DPIA whenever new technologies are used to process information in a way that could place individuals’ privacy rights at risk, such as rolling out large-scale CCTV deployments.

The DPIA should include assessments of the risks to individuals, the necessity of data processing and retention, any measures you have employed to minimise the risks, and a description of your processing operations and their purposes.

3 Ask for active consent

It’s no longer safe to make any assumption where consent is concerned. If you’re designing an opt-in form, web-store checkout or data-collection mechanism, be sure to explain clearly what a user is opting into and how the data will be used – and make sure that the action of opting in is active, rather than passive, as GDPR doesn’t allow you to rely on pre-ticked boxes, or assume that a failure to opt out implies consent. Moreover, any conditions must be detailed separately from regular terms and conditions, so that they are more obvious.

This applies internally, too: employers must obtain active consent from their employees when adding their details to internal databases. This means you may have to update your induction processes.

This doesn’t necessarily mean starting again from scratch. The Information Commissioner’s Office has declared that you are not required to automatically ‘repaper’ or refresh existing [Data Protection Act] consents in preparation for the GDPR. However, “if you are to continue to rely on consent previously granted for an individual’s data to be processed, you must make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.” If you have any doubts, it’s safest to contact every subject currently on your database to request GDPR-compliant consent for you to continue processing their data.

4 Keep your users informed

Under GDPR, citizens and customers will have a right to contest your use of their data, or to revoke their consent to it. If you haven’t already, you will need to nominate (or hire) a data controller and data-protection officer to handle these interactions, and make their contact details public.

These details must also be available to the Supervisory Authority of each member state. This is an independent body that investigates complaints on behalf of European citizens, which will liaise with Supervisory Authorities in other member states, which together are overseen by the European Data Protection Board.

Alongside your contact information, you’ll need to provide a plain-language explanation of how customer data is used, including the purpose of data collection, any interests that the controller, collector or third-party processor might have, who will receive the data, whether it’s being transferred to an external agent and so on. The full list of notifications can be found on the ICO website (

Some additional obligations apply if you didn’t obtain the data directly from the subject – for example, if you have purchased a mailing list. In these instances, you must also notify subjects of the categories of personal data you are collecting and how you came by their information.

5 Be prepared to delete your data

The GDPR embodies a “right to erasure” in place of the “right to be forgotten” that already applies within the European Union. In specific situations, subjects can request that their details be removed from your database entirely.

This might happen if a customer withdraws their consent to further processing of their data. It includes cases where the data was obtained or processed unlawfully, or where the use for which it was originally gathered no longer applies.

There is a limited set of valid grounds for refusing such a request. These include public health or archival purposes, both of which must be in the public interest (which is distinct from being merely “interesting to the public”). You can also keep personal data in defence of legal claims, in order to comply with a legal retention obligation or to perform tasks required of an official authority.

Clearly, however, in most cases you will have to comply with erasure requests, so make sure that your systems allow you to easily identify and remove individuals’ data. If you have made the data available to a third party, the onus is on you to make sure that they also comply with the erasure request – unless they can claim one of the valid defences.
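The erasure handling this step calls for, as an added Python example that is not from the article. It models the three things a practitioner has to get right: every store is indexed by one internal subject ID so the individual’s data can be found in one pass; a record is kept back only where a retention rule from the list of valid grounds still applies, and that ground is written into the report for the accountability records of step 2; and the third parties the data was passed on to are returned so the request can be forwarded to them. The stores, the subject, the six-year invoice retention rule and the processor name are all constructed sample values and assumptions.

```python
import copy
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data: one subject's personal data spread across three
# stores, each indexed by the same internal subject ID so it can be found quickly.
_SAMPLE_STORES = {
    "crm":        {"S-1001": {"name": "Alice Example", "email": "alice@example.com"}},
    "newsletter": {"S-1001": {"email": "alice@example.com", "consented": "2017-09-01"}},
    "invoices":   {"S-1001": {"name": "Alice Example", "total": "120.00", "issued": "2017-06-30"}},
}
# Third parties the subject's data has been passed to (hypothetical processor name);
# the controller has to pass the erasure request on to them.
_SAMPLE_PROCESSORS = {"S-1001": ["mailing-provider.example (hypothetical)"]}

# Hypothetical retention rule: invoices are kept for six years from issue.
# A legal retention obligation is one of the valid grounds for refusing erasure.
RETENTION_RULES = {"invoices": ("legal retention obligation", 6)}


def sample_stores() -> dict:
    """Fresh copy of the constructed stores, so each run starts from the same state."""
    return copy.deepcopy(_SAMPLE_STORES)


def sample_processors() -> dict:
    """Fresh copy of the constructed processor list."""
    return copy.deepcopy(_SAMPLE_PROCESSORS)


@dataclass
class ErasureReport:
    """Audit record of one request: what was erased, what was kept and why,
    and which processors still have to be told."""
    subject: str
    erased: list = field(default_factory=list)
    retained: dict = field(default_factory=dict)   # store name -> ground for keeping it
    notify: list = field(default_factory=list)


def retention_expired(record: dict, years: int, today: date) -> bool:
    """True once the retention period counted from the record's issue date has passed."""
    issued = date.fromisoformat(record["issued"])
    try:
        end = issued.replace(year=issued.year + years)
    except ValueError:                      # 29 February in a non-leap target year
        end = issued.replace(year=issued.year + years, day=28)
    return end <= today


def erase_subject(subject: str, stores: dict, processors: dict,
                  rules: dict, today: str) -> ErasureReport:
    """Handle an erasure request for one subject across every store.

    Records are deleted unless a retention rule for that store still applies,
    in which case the record stays and the ground is written to the report.
    The processors that received the data are listed so they can be notified.
    `today` is an ISO date string (YYYY-MM-DD).
    """
    report = ErasureReport(subject)
    now = date.fromisoformat(today)
    for store_name, table in stores.items():
        record = table.get(subject)
        if record is None:
            continue
        rule = rules.get(store_name)
        if rule is not None and not retention_expired(record, rule[1], now):
            report.retained[store_name] = rule[0]
            continue
        del table[subject]
        report.erased.append(store_name)
    report.notify = processors.pop(subject, [])
    return report


if __name__ == "__main__":
    stores, processors = sample_stores(), sample_processors()
    print(erase_subject("S-1001", stores, processors, RETENTION_RULES, "2018-05-25"))
```

Run against the sample data in May 2018, the CRM and newsletter records go, the invoice stays with its ground recorded, and the mailing provider is listed for notification; run again after the retention period the invoice goes too. A retained record should be re-checked when its period ends, so the report is the input to a follow-up job, not the end of the request.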

6 Be careful when using algorithms

A lot of decisions – particularly online – are now automated. The GDPR requires that a decision which produces a legal effect or similar must not be based on automated processing, unless that processing is absolutely necessary and is authorised by law. The customer must also have given their explicit consent.

This obviously has implications for businesses selling products online, but those aren’t the only ones who need to take heed. All sorts of profiling activity falls under the realm of the GDPR if it’s used to analyse movements (which might apply to a mapping service or social network), performance at work (which would apply to any employer), health (which could include sports clubs), personal preferences and so on.

In short, whenever you intend to use an algorithm to analyse data relating to an individual, be aware that you can’t use that data to make decisions with legal implications – unless the individual has specifically given you permission to do so.

7 Audit your data

With less than a year to go before implementation, now is the time to audit your data-collection and processing activities, and update them if required. In particular, check whether any of the third-party providers you rely on are situated outside the European Union, as GDPR restricts the transfer of information beyond the bloc’s borders.

And remember that once the UK completes its exit from the EU, it will itself be an external nation. It’s hoped that the European Commission will agree that Britain ensures an adequate level of protection to permit EU member states to transfer personal data to British companies. If it doesn’t, however, then that’s bad news for any business that currently serves the EU mainland: the only option then may be to find a way to set up shop within the EU itself. Keeping a close eye on the legal situation between now and then is absolutely essential; again, the ICO’s dedicated GDPR pages ( are an essential bookmark.
