The General Data Protection Regulation (GDPR) becomes effective on the 25th of May 2018. It represents a major shift in the way data is treated; it is significant that in the midst of their current troubles Facebook are now suggesting that it is the gold standard to which their global operations should adhere. There is much in this, just as there is much in the GDPR which we, as individuals, should applaud. That said, many organisations will face considerable upheaval in order to meet its requirements.
We have already written at some length about the GDPR; however, it is of such importance that we are dedicating a series of further papers to exploring its impact in greater detail. In this first paper, we explore the operational impact of the GDPR.
Discussing operational impact is akin to discussing the length of a piece of string: there is no one-size-fits-all answer. The GDPR concerns itself with the use of data, and nearly all organisations use data in one way or another. An allotment association will have a list of members with contact details. That is personal data. If you are Facebook (sorry, but they are an excellent example) you hold an enormous amount of both personal and sensitive personal data. The impact of the GDPR on your operations will be equally varied.
We have identified 10 areas where the GDPR compliance is likely to impact upon the operation of your organisation. Contact us to discuss these or any other GDPR-related concerns.
Cybersecurity and Data Breach Notification.
All organisations have a legal obligation to protect individuals' data. Under the GDPR those obligations are stated far more explicitly. If you hold personal or sensitive personal data, and you almost certainly do (staff records, for instance), you must take appropriate technical and organisational measures to keep it secure and to mitigate the risk of a breach.
Are your firewalls up to date and sufficiently monitored? If you outsource this responsibility you should be meeting with your current provider and ensuring that they are fully up to date with current risks and the GDPR (see Vendor Management below).
If you handle these functions in-house, have you given sufficient support to the staff responsible? The GDPR is specific about where data protection responsibility should sit in the organisation (a DPO, where one is appointed, must report directly to the highest level of management), and blaming a junior member of staff with insufficient seniority will not sit well with the ICO.
Monitoring and logging of internal and external activity is seriously boring but serious nonetheless. Generally this is an automated function; however, you may have to prove that there was sufficient human oversight of it, and that is more staff time to be allocated. Logs are also what allow you to establish the scope of a breach quickly enough to meet the notification deadline below.
Where you have identified personal or sensitive data, is it appropriate to ensure that it is stored in an encrypted format? Our answer is "yes"; there is no good reason not to, and the GDPR names encryption as an example of an appropriate security measure. Personal data is anything that would allow a living individual to be identified, directly or indirectly. Sensitive personal data (the GDPR's "special category data") is data whose release might be injurious to the individual: health status, for example; criminal conviction data is subject to separate, similar restrictions, and financial information, while not a special category, still demands a high level of care. A personal data breach that is likely to result in a risk to individuals must be notified to the ICO without undue delay and, where feasible, within 72 hours of your becoming aware of it; where the risk is high, the affected individuals must be told as well.
Mandatory requirement for a Data Protection Officer (DPO)
What is a DPO? The ICO helpfully provides this description: “DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority”.
It is mandatory to appoint a DPO for public authorities and for organisations whose core activities involve either regular and systematic monitoring of individuals on a large scale or large-scale processing of special category or criminal conviction data. Other organisations can appoint a DPO should they wish. If you choose to appoint a DPO, be aware that you have also committed to adhering to all the obligations that go along with it; it is, therefore, a decision to be taken carefully. The explanation of this obligation is lengthy and complex; check the ICO guidance here or speak to us for further clarification.
Consent
What constitutes consent is changing markedly under the GDPR. Prior to its introduction, consent could be obtained by a simple tick-box exercise, or by relying on implied consent because the individual had not actively opted out. From May 2018 this will no longer be sufficient: consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. Pre-ticked boxes and silence do not count.
Obtaining consent for data processing is not a simple process. Consent is only one of the lawful bases for processing, but where you rely on it, your privacy notice must be very clear about the data you collect and hold, what you do with it and your lawful basis for doing so. You will have to obtain consent separately for each distinct use of the data, rather than bundling everything into one agreement. The individual whose data you hold can withdraw their consent at any time, either for individual processing activities or for all data processing, and withdrawing must be as easy as giving it. These changes to consent alone will impose a notable impact on many organisations.
Do you currently have a mechanism to obtain and, if necessary, update consent, and to record when and how it was given? How will you handle requests to withdraw consent? Can you cope with the ramifications of consent being withdrawn? Consent must be informed, and if it isn't, or can be shown to be insufficiently informed, you will find yourself in breach of the GDPR.
Cross-border data transfer
This is one of the areas where you may really feel the GDPR's impact. Buried in the regulation are considerable restrictions on moving data across borders. The reason for these restrictions is self-evident in the logic of the GDPR: in aiming to set a Europe-wide standard for data protection, the EU is concerned to ensure that these protections are not evaded by moving data outside the EU's sphere of influence. The practical upshot is a series of restrictions designed to ensure that individuals' rights to data protection remain enforceable across borders, whether through an EU adequacy decision for the destination country or through appropriate safeguards such as standard contractual clauses or binding corporate rules. The ICO guidance can be found here.
There are exceptions (derogations, in EU-speak) to this rule, but these notwithstanding, if your business requires the international sharing of individuals' data, this is an area where you will need to tread very carefully. Remember that a cloud or SaaS provider hosting your data outside the EU is a transfer too (see Vendor management below). If you have any concerns in this area, ask us.
Profiling and automated decision-making
This is another area where the GDPR could have a considerable impact on the operation of your organisation. Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision has legal or similarly significant effects on them, unless the decision is necessary for a contract, authorised by law or based on their explicit consent; even then they are entitled to human intervention and to contest the decision. In short, the computer is no longer allowed to have the final say on "no".
For brevity, we will link to the ICO guidance and checklist here. If your business or organisation currently performs automated profiling you will need to address this as a matter of urgency. It may be that you already have a provision in place to allow decision referral to a member of staff, but you will need to be certain that your procedures are wholly in keeping with the GDPR. This will also cover matters such as specific, informed consent and you may need to make information about the processing much more explicit.
RTBF and data transfer
The Right To Be Forgotten is now part of the GDPR. It is properly known as the right to erasure and is set out in Article 17.
Space precludes listing the full guidance, which can be found here. As an organisation, you need to establish how you will deal with requests for erasure. Will they be automated, accessed via a secure portal for instance? Will each request need to be reviewed by a member of staff? Can you deal with such requests within the one month allowed (extendable by a further two months where requests are complex or numerous)? Can you actually find and delete every copy, including backups and data passed to third parties? Small companies that do not process data as a core activity will most likely see few such requests. On the other hand, a large organisation that processes large volumes of personal data could find itself struggling unless it takes steps to ensure that it has put procedures and personnel in place.
The right to data transfer (right to data portability) exists to allow a data subject to request their data in a structured, commonly used, machine-readable format, so that they may reuse it, for instance to obtain quotes on a price comparison website. Where technically feasible, you may be asked to transfer the individual's data directly to a third party. As with other rights, a request for data transfer must be actioned within one month of receipt except in specific circumstances. Data portability is set out in Article 20; the Article 29 Working Party's guidance on it can be found here.
Vendor management
In theory, vendor management is simple: if you use third parties to process data on your behalf, you have an obligation to ensure that they too are GDPR compliant. This is a task for the Data Controller, who must satisfy themselves that the processor offers sufficient guarantees and must ensure that there is a written contract between their organisation and the third party that sets out the processor's obligations (the GDPR prescribes the minimum terms such a contract must contain).
In this way, the GDPR doesn't just impose duties on your organisation; it obliges you to ensure that all of your third-party suppliers who handle your data are compliant. Need examples? Payroll management companies, accountancy firms, email providers... In the connected workplace most organisations have many third-party service vendors, and you need to establish who is handling personal or sensitive data and ensure that they are doing so in a fully compliant manner.
Where an organisation handles a lot of data and uses many third-party vendors, this obligation under the GDPR may well prove to have one of the more significant impacts on operations.
Pseudonymisation
Pseudonymisation is the process whereby personal data is processed so that it can no longer be attributed to a specific individual without the use of additional information. This is done by separating the personal information from the key facets that enable it to be linked to an identifiable individual, and keeping that additional information separately under its own technical and organisational controls. There are various reasons for doing this: it is an aspect of Privacy by Design (PbD), it counts in your favour when assessing whether further processing is compatible with the purposes for which the data was originally collected, and it reduces the harm done if the working data is exposed. It does not exempt an organisation from its duties under the GDPR and should not be assumed to be a sufficient safeguard in itself. Pseudonymisation is not an alternative to encryption of personal or sensitive data; rather, it is a technique that should be designed into systems to better protect personal data.
Pseudonymised data is not truly anonymous, since the further, identifying data is still held by the organisation; the process of pseudonymisation simply splits those identifiers from the data to be processed. It therefore remains personal data under the GDPR, and the separately held identifiers (or the key used to generate the pseudonyms) become a high-value target in their own right.
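The following is an added illustration of the split described above, not code from the original paper. It assumes records are simple dictionaries with a customer `id` as the join key, and that the HMAC key and the identity table are stored separately from the working data (the field names, sample people and `singletons` check are constructed for this example). It shows three things: a keyed pseudonym that cannot be rebuilt from the working set alone, re-linking by the organisation that holds the separated identifiers, and a quick check for records that can still be singled out by indirect identifiers, which is why pseudonymised data is still personal data.

```python
"""Pseudonymisation by splitting direct identifiers from working data.

Added example, not from the original paper.  Assumptions: records are plain
dicts, the customer ID is the join key, and the HMAC key is held separately
from the working data (e.g. in a key vault), which is what stops anyone
holding only the working set from reversing the tokens.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records; the people are fictional.
RECORDS = [
    {"id": "C1001", "name": "Alice Example", "email": "alice@example.org",
     "postcode": "SW1A 1AA", "diagnosis": "asthma"},
    {"id": "C1002", "name": "Bob Sample", "email": "bob@example.org",
     "postcode": "EC1A 1BB", "diagnosis": "diabetes"},
    {"id": "C1003", "name": "Carol Test", "email": "carol@example.org",
     "postcode": "EC1A 1BB", "diagnosis": "asthma"},
]

# Fields that name the person outright; everything else stays in the working set.
DIRECT_IDENTIFIERS = ("id", "name", "email")


def derive_token(record_id: str, key: bytes) -> str:
    """Keyed pseudonym for a record ID.

    HMAC rather than a bare hash: without the key an attacker cannot rebuild
    the token from a guessed ID, so the working set alone does not leak
    identities.  With the key the token is reproducible, which is what lets
    the organisation re-link when it has a lawful reason to.
    """
    return hmac.new(key, record_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key: bytes):
    """Split records into a working set and a separately held identity table."""
    working = []
    identity_table = {}
    for rec in records:
        token = derive_token(rec["id"], key)
        identity_table[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        working.append(
            {"token": token,
             **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return working, identity_table


def reidentify(working_record, identity_table):
    """Re-link a working record to its identity; only possible with the table."""
    return identity_table.get(working_record["token"])


def singletons(working, quasi_identifiers):
    """Tokens whose combination of quasi-identifiers is unique in the set.

    Pseudonymised data is still personal data: a unique postcode plus
    diagnosis can single out a person without any name at all.  Counting
    singletons is a cheap check for that residual risk before sharing.
    """
    def key_of(r):
        return tuple(r[q] for q in quasi_identifiers)
    counts = Counter(key_of(r) for r in working)
    return [r["token"] for r in working if counts[key_of(r)] == 1]


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in practice: kept in a separate key store
    working, table = pseudonymise(RECORDS, key)
    print("working set:", working)
    print("re-identified:", reidentify(working[0], table))
    print("singled out by postcode alone:", singletons(working, ("postcode",)))
    print("singled out by postcode+diagnosis:",
          singletons(working, ("postcode", "diagnosis")))
```

The second `singletons` call is the practical lesson: even with names and emails removed, every record in this small set is unique on postcode plus diagnosis, so a recipient of the working set could still single people out. That is the sense in which pseudonymisation reduces risk without removing the data from the GDPR's scope.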
We will cover pseudonymisation in a separate paper shortly.
Codes of Conduct and Certification.
The EU and the ICO neither operate a certification scheme nor publish codes of conduct in respect of the GDPR; they do, however, fully endorse and encourage their use, and the GDPR itself provides for codes drawn up by industry bodies and for certification by accredited bodies.
Public adherence to an established code or system of certification may well be beneficial as a clear statement of your efforts to achieve and maintain GDPR compliance. The organisations behind the codes or certification may provide assistance and advice to help you maintain your organisation’s compliance. While this route may not suit all companies to whom the GDPR applies, it is likely that there are many who could benefit from actively being seen to have membership.
Consequences of GDPR violation
We can keep this brief, as it has been the subject of much press coverage, some of it unhelpful. The ICO can levy fines of up to €20 million or 4% of global annual turnover, whichever is higher: a substantial penalty. However, in order to attract that level of opprobrium a company would have to engage in egregious breaches of the GDPR and fail entirely to put them right; the ICO also has lesser tools, such as warnings, reprimands and enforcement notices, which it is far more likely to reach for first. There is no apparent advantage to breaching the GDPR and many compelling reasons to comply, and to be seen to be complying.
Like any major operational change, all organisations will rely on their staff to make the changes and to make them work. It's not our place to suggest how you handle your staff, but it is worth remembering that these days poor practice or blatant GDPR breaches can be reported and publicised with ease, thanks to an increased interest in individuals' rights to privacy and to the near-instant reach of social media. You may think that the ICO won't find out about breaches or failures to comply, but can you be certain?