Are you GDPR compliant?
Having just relaunched my business, a couple of things have changed for Your Office Genie since we were last actively working. After revamping our home (our site) I realised that GDPR had come in since we initially launched the site in 2016 - best we get ourselves compliant! I thought I would share what I had found - for any small businesses out there that, a year on, are still yet to undertake this work, or worse still believe that it does not apply to them.
What is GDPR?
The General Data Protection Regulation (GDPR) applies automatically to all 28 member states of the European Union, unlike a directive, which requires member states to draft domestic laws to enforce its rules.
It came into effect on 25 May 2018 and it sets out to bolster the rights citizens of the EU have over their data which is held by companies.
Before its implementation, misuse of a person's data was punishable by a slap on the wrist. Now, mammoth fines are issued against companies which fail to comply with the regulation's standards. Companies that are found guilty of misusing data can be fined up to €20 million or 4% of the company's annual turnover, in worst case scenarios.
The regulation aims to give people greater power over their data and make companies more transparent in how they deal with people's data.
Does GDPR Apply to me?
ITPRO states that -
If you don't think you need to respect the GDPR legislation, you're unfortunately probably going to find yourself in hot water. Whether your business operates with clients in the EU or outside it, it's vital you respect the rules and make sure you're compliant with regulations.
Pretty much every business must comply with the EU’s data laws, even if they're based in the US. This is because most companies have at least some data belonging to EU citizens stored on their servers, and it is the people to whom the data belongs who are protected, not the business.
However, if you truly have no dealings with the EU, you can avoid having to comply using a traffic filter. By blocking any EU traffic to your website, you can make sure that only non-EU traffic is allowed to your website and only those outside Europe can enter their details onto your site.
It is obviously a technique only relevant for businesses that do not need contact with EU citizens, such as US-based news sources. The LA Times is one company that has implemented this GDPR avoidance scheme.
Organisations have found that, since GDPR came into force on 25 May last year, compliance was never an overnight prospect but an ongoing one that requires a firm's data governance practices to be continuously reviewed. Indeed, various surveys have since emerged showing that a swathe of organisations do not consider themselves to be fully GDPR-compliant, particularly when it comes to fulfilling Subject Access Requests (SARs), for instance.
The Information Commissioner's Office (ICO) and its European counterparts will, in 2019, begin taking serious regulatory action as more violations emerge and the small backlog of incidents from the back end of 2018 is finally examined. Firms must, therefore, stay on their toes and ensure all aspects of their organisations are complying with the toughest set of data regulations ever construed.
That isn't to say the ICO and other regulators will hit you with the biggest fine possible. This is far from reality, with the UK data regulator admitting that any GDPR violations will be assessed and judged taking a wide variety of factors and contextual information into consideration. That means any measures your company takes to protect data and manage it properly will be marked in your favour if you suffer a breach.
But GDPR's everlasting nature and the unpredictable threat landscape mean your company's data practices must be examined and re-assessed in a timely way, as the regulations also move forward and new aspects emerge through 'case law'.
The UK's departure from the EU might also complicate matters, with the Data Protection Act 2018, which enshrines GDPR in UK law, coming into force.
And yet, according to the ICO, leaving the EU without a withdrawal deal may lead to widespread disruption, affecting data flow and international transfers. The UK regulator released extensive guidance to this effect, advising businesses what measures they can take to avoid disruption and carry on into April 2019 as smoothly as possible.
Under GDPR, companies need to ensure they are conducting themselves to the highest standards when handling personal data and sending communications. The regulations also outline specific precautions organisations must take, and changes to their organisational structure, which aim to promote best practice, as well as outlining the steps an organisation must take after suffering a breach.
While a great deal of GDPR concepts and notions are included in the now-defunct Data Protection Act (DPA) 1998, there are many new aspects and more rigorous standards that can catch out any company trying to get through compliance measures as fast as possible.
The ICO advocates that organisations use their present compliance efforts as a starting point on which they can build. But what precisely does compliance with GDPR mean?
Here we look at the basics, so you know what to do and can tick them off your extensive GDPR checklist.
IT and data governance
Audit all the information your organisation holds: You must set up a list of the personal data you hold and arrange it by type, i.e. names, addresses, phone numbers, and so on. You must also provide a source for each separate piece of information documented.
Establish how you store data, and who it's shared with: This could be a list of internal databases, but could also include offline stores and third-party storage providers. You must establish which parties you share your data with so that if you need to delete or amend that data, you can inform an associate organisation that they must also update their records.
Document how data is processed: Organisations will need to outline all processing activities, including keeping the name and contact details of the data processors, as well as the categories of processing carried out - and the transfers of personal data to an 'adequate' third country (one that is outside the European Economic Area, but whose data protection measures are deemed adequate for data transfers) or international organisation.
Refresh existing consents if necessary: Consent must be given freely, as well as being specific, informed and unambiguous; hinging on a positive opt-in. Under GDPR, you can't rely on pre-ticked boxes or opt-outs, nor bundle in consent with agreement to other terms and conditions. You must explain clearly and specifically why you're collecting certain data and what that data will be used for, plus which third-party controllers will be able to use that consent. You also need to make clear that users can withdraw their consent down the line, and make it easy for them to do so.
You should also keep consents separate - if you're asking users to agree for you to do different things with their data, you'll need to ask for their consent to each of these things. Although you won't necessarily need to refresh all existing consents gathered pre-GDPR, if you rely on consent to process data, you will have to ensure existing user consents meet these higher GDPR standards, or be ready to re-consent them.
Maintaining your customers' rights
Respect new and existing rights: You should examine your procedures to ensure they cover the new and existing rights customers have - including how you plan to delete personal data, or provide data on request.
Fulfilling Subject Access Requests (SARs): People's requests to access the data you hold on them must be fulfilled within a month, instead of 40 days, and data must be provided in a structured, commonly-used format, and you cannot charge a fee. Consider implementing a system for users to easily access their own data online, to reduce the pressure on staff handling a large number of SARs.
Right to rectification, restriction, and erasure: The new legislation outlines how users have more control over their personal data. The key to respecting these rights lies in understanding how your organisation plans to handle the flow of requests to amend any data inaccuracies, to comply with a demand that you stop processing someone's data, and to erase any personal data you hold on a subject, or move it to another organisation at their request.
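The consent and SAR points above (separate, positive opt-in consents that can be withdrawn; a structured export of what you hold on a person within a month) lend themselves to a small worked model. The following is an added example written for this page, not code from Your Office Genie or ITPRO; every class and function name is hypothetical, the subjects and purposes are constructed sample data, and the "one calendar month, clamped to month end" reading of the deadline is an assumption rather than a rule stated on the page.

```python
"""Consent ledger with per-purpose opt-in/withdrawal and a SAR export.

Added example for this page (hypothetical names, constructed sample data).
"""
import calendar
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional


@dataclass
class ConsentRecord:
    purpose: str                      # one specific purpose, never a bundle
    granted_at: datetime              # when the subject actively opted in
    source: str                       # where the consent was captured (audit trail)
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """One record per (subject, purpose); each purpose is consented separately."""

    def __init__(self):
        self._records: Dict[str, Dict[str, ConsentRecord]] = {}

    def grant(self, subject, purpose, opted_in, source, when=None):
        # A pre-ticked box or an opt-out form field arrives as False/None;
        # only an explicit affirmative action from the subject creates a record.
        if opted_in is not True:
            raise ValueError("consent requires an explicit opt-in")
        when = when or datetime.now(timezone.utc)
        self._records.setdefault(subject, {})[purpose] = ConsentRecord(purpose, when, source)

    def withdraw(self, subject, purpose, when=None):
        # Withdrawal is recorded, not deleted, so the audit trail survives.
        rec = self._records.get(subject, {}).get(purpose)
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = when or datetime.now(timezone.utc)
        return True

    def has_consent(self, subject, purpose):
        rec = self._records.get(subject, {}).get(purpose)
        return rec is not None and rec.withdrawn_at is None

    def export_subject(self, subject):
        """SAR export: a structured, commonly used format (JSON) of what is held."""
        recs = self._records.get(subject, {})
        payload = {
            "subject": subject,
            "consents": [
                {
                    "purpose": r.purpose,
                    "granted_at": r.granted_at.isoformat(),
                    "source": r.source,
                    "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None,
                }
                for r in recs.values()
            ],
        }
        return json.dumps(payload, indent=2, sort_keys=True)


def sar_deadline(received):
    """Assumed reading of 'within a month': same day next month, clamped to month end."""
    year, month = received.year, received.month + 1
    if month > 12:
        year, month = year + 1, 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return received.replace(year=year, month=month, day=day)


def run_demo():
    """Constructed walk-through: grant two separate consents, withdraw one, export."""
    ledger = ConsentLedger()
    subject = "alice@example.com"  # constructed sample subject
    t0 = datetime(2019, 6, 1, tzinfo=timezone.utc)
    ledger.grant(subject, "newsletter", True, "signup-form", t0)
    ledger.grant(subject, "profiling", True, "signup-form", t0)
    ledger.withdraw(subject, "profiling", datetime(2019, 6, 2, tzinfo=timezone.utc))
    exported = json.loads(ledger.export_subject(subject))
    return {
        "newsletter_ok": ledger.has_consent(subject, "newsletter"),
        "profiling_ok": ledger.has_consent(subject, "profiling"),
        "records_exported": len(exported["consents"]),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of keeping `grant` strict about `opted_in is True` is that a pre-ticked checkbox never reaches the ledger as consent, and keeping withdrawn records rather than deleting them gives you the evidence of when consent existed if a regulator asks.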
Internal awareness and accountability
Implement staff training: A great many data breaches are inadvertent, and involve a degree of human error by staff with access to internal systems. Training all your staff to be aware of how GDPR affects their daily work not only maximises your organisation's chances of full compliance, but minimises any risk of suffering data loss or theft.
Educate decision-makers: Setting up an accountability and governance framework, involving executives and senior members of staff in your organisation, is key to compliance. Involving senior staff is not only important in budgeting for the compliance process, but for identifying the areas that may be at risk, and ensuring each department has a specific readiness plan to execute.
Appoint a Data Protection Officer (DPO): Your organisation must designate a DPO with the responsibility for data protection compliance if you carry out regular and systematic monitoring of individuals at scale, or large-scale processing of special categories of data, such as health records. The DPO must have the right knowledge, support and authority to carry out their duties effectively.
Carry out a Data Protection Impact Assessment (DPIA): DPIAs are mandatory for certain organisations in cases where a new technology is being deployed, a profiling operation is likely to affect customers, or where there is processing of special categories of data on a large scale. DPIAs should help establish how risky certain data processing activities are. Your organisation should consider where DPIAs are necessary, if at all, and how you run the process. The ICO has some useful advice about when and how to perform one.
Reporting data breaches: Any breaches involving personal data must be reported to the ICO within 72 hours - including what data has been lost, any consequences, and what countermeasures you've taken. Any loss of non-encrypted personal data must also be communicated to the data subjects involved. It's vital to cooperate with authorities as fully as possible, both to minimise the scope for suffering penalties and to ensure your reputation does not suffer any undue damage.
So after all of that - if you think that you might need a hand with this why not give Your Office Genie a shout and we will get you GDPR compliant in no time.