What is GDPR?
The General Data Protection Regulation (GDPR) is a new legal framework adopted by the European Union (EU) in 2016. The framework focuses on the protection of personal data, and any organisation that processes the personal data of individuals located in the EU must comply with it, whether or not the organisation itself is based in the EU.
GDPR applies from 25 May 2018. It shares some similarities with the Data Protection Act (DPA) of 1998, but introduces new requirements that organisations must adhere to when handling users' data and privacy.
For both service providers and their suppliers, the GDPR framework is going to play a major role in ensuring that data security and privacy practices are treated as a top priority. Penalties which were previously a slap on the wrist (the ICO could fine at most £500,000 under the DPA) can now reach €20 million or 4% of worldwide annual turnover, whichever is higher, and so have the ability to severely impact an organisation.
There is a vast amount of information to review and the documentation around GDPR is still expanding. A good place to start is the Information Commissioner's Office (ICO) website, which covers the framework in depth. We can't go over every section in this post, but here are a few areas worth covering.
The first step to becoming GDPR compliant is to understand how you and your systems interact with personal data. Under the new framework, an organisation working with personal data is either a data controller (it decides why and how the data is processed) or a data processor (it processes the data on a controller's behalf), and may be both for different activities. These definitions are similar to those in the DPA, so if you are currently affected by the DPA there is a high likelihood that the GDPR will further impact your organisation. Whichever category you fall into, there are new requirements that affect your approaches and decisions. At VIX, a common impact we face is when we process data on behalf of data controllers. With the introduction of GDPR, controllers face further obligations to ensure that contracted processors are taking the necessary steps towards compliance. We do the hard work to make this simple for our clients, giving them the peace of mind to focus on delivering great services to their customers or users.
Many of the main responsibilities in the GDPR already exist within organisations, based on existing legislation such as the Data Protection Act (DPA) and on simple due care and diligence. Making sure these data practices are actually followed is the first step in preparing for GDPR, since the penalties for breaching them will increase significantly. Any work already done to ensure compliance with the DPA will provide a solid footing for GDPR compliance.
All new services should be developed using a "data protection and privacy by design" approach: when dealing with personal data, privacy and security protections should be built into products from the start. Unfortunately for digital service providers, this also means that existing systems need to be re-assessed to ensure compliance. By building applications today with good data practices, there will be less work to do to achieve compliance from May 2018. We see this as an opportunity for organisations to iterate on their current practices, achieve compliance and deliver better experiences for their users.
As with most security topics, reducing the scope of what you have to protect is a good way to prepare. By processing only the data required for a service to operate, compliance is made easier and the impact of a breach is smaller. With the shift towards Big Data, service providers are storing lots of data that may never become significant or create value. This data should be assessed to determine whether it is actually useful, and discarded if not. In addition, under the GDPR a lawful basis must be established, and documented, for storing personal data and for each purpose it is processed for. It is not acceptable to keep personal user information in the hope that it may one day become useful while it remains a liability in the event of a security breach.
Data Flow and Tracking
As a data controller or processor you will be responsible for maintaining records of the personal data you hold and of your processing activities. Organisations will also need to understand how their data flows between systems: is it used by other services, and where are those services hosted? Assess your current data practices now, paying particular attention to where data is stored, for example whether it stays inside the EU. In the event of a breach, organisations face significantly increased legal liability and responsibilities, such as having to report the breach to the supervisory authority within 72 hours of becoming aware of it (and, as a processor, notifying the controller without undue delay).
Roles and Responsibilities
Some organisations will be required to appoint a dedicated person, or team, to oversee their handling of personal data. These individuals are tasked with ensuring compliance with the GDPR and are known as data protection officers (DPOs); a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. Depending on the organisation, the role may be combined with another, such as Information Security Officer. It is important that organisations understand their legal requirements and start filling this role if it applies to them. There are a few requirements when selecting an appropriate DPO, such as ensuring there is no conflict of interest with their other duties, and that they have appropriate governance and the ability to report directly to the highest level of management.
Information you hold
You should start to document the personal data you hold, where it came from and who you share it with. This will typically take the form of an information audit.
Communicating privacy information
You will need to review your current privacy notices and make the changes needed to meet the GDPR's transparency requirements, such as stating your lawful basis for processing and how long you retain the data.
Individuals' rights
You should check that your procedures cover all the rights individuals have under the GDPR, including access, rectification, erasure and data portability.
Subject access requests
Your procedures should reflect the new timescales for handling requests: in most cases you must respond within one month, rather than the 40 days allowed under the DPA, and you can no longer charge a fee as a matter of course.
Legal basis for processing personal data
You should assess the various types of personal data you handle, identify the lawful basis for each processing activity and document it.
Consent
How are you seeking and recording consent? You need to assess whether this meets the GDPR's standard (a clear, affirmative action that is as easy to withdraw as to give) and whether you need to make changes.
Children
Can you identify users' ages, or do you need a system in place to do so? This will also need to include gathering parental or guardian consent for the processing of minors' data.
Data breaches
You will need to ensure you have the right procedures in place to detect, report and investigate any breaches of personal data.
Data Protection Impact Assessments
You will need to familiarise your organisation with the guidance the ICO has produced on Privacy Impact Assessments, which the GDPR makes mandatory (as Data Protection Impact Assessments) for high-risk processing, and work out how you will implement them.
Data protection officers
You will need to appoint a Data Protection Officer, or someone else to take responsibility for data protection compliance, and decide where they sit within your organisation's structure.
International
If you operate internationally, you should determine which data protection supervisory authority you come under.
We think the GDPR is a great opportunity for organisations to re-assess their digital strategy and build better services. Although it might be difficult for some, data privacy is a user right, and service providers should want to do the right thing. The GDPR shares this point of view, and will hopefully ensure the users of tomorrow do not face the data breaches of today.