Online compliance check
Does your organization comply with the regulation?
Complying with GDPR, step by step
The implications of the GDPR are complex, so we have broken down the compliance process into three groups of measures that you should consider, subdivided into various areas of more detailed explanation. Just click on the bars in the diagram below to examine these areas at your convenience.
Some of the principles set out in the GDPR are a continuation of those set out in the existing Data Protection Directive, namely: fairness, lawfulness and transparency; limitation of purpose; data minimization; data quality; security, integrity and confidentiality.
The GDPR establishes a new accountability principle by making data controllers responsible for demonstrating compliance with the principles. As well, the GDPR adds new aspects to the existing data protection principles, as follows
Lawfulness, fairness and transparency – Personal data must now be processed in a transparent manner in relation to the data subject.
Limitation of purpose – With some caveats, archiving of personal data which is in the public interest will not be considered incompatible with the original processing purposes.
Storage – Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Accountability – The data controller becomes responsible for, and must be able to demonstrate, compliance with the principles.
+Organizational structure requirements
Under the GDPR, you must implement a wide range of measures in order to ensure that you reduce the risk of breaching the GDPR and to allow you to prove that you take data governance seriously. Among the necessary accountability measures are: Privacy Impact Assessments, audits, policy reviews, activity records and (potentially) appointing a data protection officer (DPO).
The GDPR introduces the obligation for certain organizations to appoint a Data Protection Officer (DPO). Organizations must appoint a staff member or an external consultant as its DPO.
If you are a marketer with a large consumer database, you will probably need to appoint a DPO; national data protection authorities are expected to provide guidance on who qualifies.
Your DPO will be responsible for monitoring compliance with the GDPR, advising you of your obligations, advising on when and how a privacy impact assessment should be carried out, and be the contact point for enquiries from national data protection authorities and individuals.
The concept of a one-stop shop allows an organization which is established in several EU countries to deal with only one national data protection authority , although the rules for determining which DPA should take this role, and how they would handle complaints, are complex in some cases.
+Processes, procedures and policies
The GDPR redefines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored otherwise processed”.
This is a broader definition than before and does not take into consideration whether the breach creates harm to the individual. If you suffer a data security breach, you must inform your national data protection authority immediately, or no later than 72 hours after discovering the breach.
However, you are exempted from notifying individuals if you have implemented appropriate technical and organizational measures to protect the personal data, such as encryption.
An important part of complying with the GDPR is privacy by design, i.e. designing each new process or product with privacy requirements front and center. This approach, while previously best practice, is now an explicit requirement.
A data protection impact assessment, also known as a privacy impact assessment (PIA), is intended to identify and minimize non-compliance risks.
The GDPR makes PIAs a formal requirement; specifically, controllers must ensure that a PIA has been run, before it begins, on any “high risk” processing activity.
If you operate internationally, your rules and processes for transferring data to non-EU jurisdictions will be a significant consideration, as the penalties for non-compliance or transfer of data to jurisdictions not recognized (by the European Commission) as having adequate data protection regulation will become much more severe under the GDPR.
+Awareness of data security
Now is the time to start explaining the need for GDPR compliance to your own employees. You may already need to start planning revised procedures to deal with the GDPR’s new transparency and individual rights provisions. This could have significant financial, IT and training implications.
+Accountability - technical measures
The GDPR makes controllers responsible for demonstrating compliance with its data protection principles, so you will need to make sure that you have clear policies in place to prove that you meet the required standards by regularly monitoring, reviewing and assessing your data processing procedures, building in safeguards, and ensuring that your staff are trained to understand their obligations – and be ready to demonstrate this at any time, when required to do so by your national data protection authority.
+Data breach – technical measures
You must prepare for data security breaches (defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored otherwise processed”) by putting clear policies and tested procedures in place so as to ensure that you can react to and notify any data breach where required.
Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
+Ensure data subject rights - technically
The GDPR strengthens the rights of data subjects , for example by adding the right to require information about data being processed about themselves, access to the data in certain circumstances, and correction of data which is wrong.
One of the main aims of the GDPR is to bolster the rights of individuals. As a result, the rules for dealing with subject access requests will change, and you will need to update your procedures to reflect this.
In general, you will not be allowed to charge for complying with a request; also, you will typically have only one month to comply (the current limit is 40 days).
The right to be forgotten (‘erasure’ in the terminology of the GDPR) allows individuals to require your data controllers to erase their personal data without undue delay in certain situations, for instance where there is a problem with the underlying legality of the processing, or where they withdraw consent.
Third parties with whom you share individuals’ data are also covered by these rules.
The GDPR defines profiling as “any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict certain aspects concerning that natural person’s performance at work, economic situations, health, personal preferences, interests, reliability, behaviour, location or movement”; however, there is some ambiguity about how data subjects’ right not to be subject to decisions based on profiling will be enforced.
The GDPR introduces a new right to data portability, which goes beyond individuals’ right to require that you provide their data in a commonly used electronic form this and requires that the controller provide information in a structured, commonly used and machine-readable form.
There are some limits to this rule, for instance it only applies to personal data processed by automated means.
As part of its aim to bolster the rights of individuals, the European Commission is also granting a right to restrict certain processing and a right to object to personal data being processed for direct marketing purposes, including profiling activities for direct marketing purposes.
Once an individual objects, their data must not be processed for direct marketing any further and the individual’s contact details should be added to an in-house suppression file.
Organizations must inform individuals about their right to object to the processing of their data in a way which is explicit and separate from other information which they must also provide to individuals.
+Communicating privacy info (consents, fair processing notices)
You may need to review how you seek, obtain and record consent; a data subject’s consent to processing of their personal data must be as easy to withdraw as to give, and must also be a positive indication of agreement to personal data being processed – it cannot be inferred from silence, pre-ticked boxes or inactivity.
The GDPR grants special protections when it comes to the handling of personal data pertaining to children, particularly in relation to commercial internet services like social networking.
Online, parental prior consent is required for use personal data for anyone under 13 years of age; Member States can set their own rules for those aged 13 to 15. If they choose not to, parental consent is required for children under 16 years of age.
As a result, you should start thinking about how to implement robust systems to verify individuals’ ages and to gather parents’ or guardians’ consent to process such data.
Consent must be verifiable, and when collecting children’s data your privacy notice must be written in language that children will understand.
The GDPR will probably increase the range of things you have to tell data subjects , for instance your legal basis for processing their data, your data retention periods and their right to complain to their national data protection authority if they think there is a problem with the way you are handling their data; note that the GDPR requires this information to be provided in concise, clear language.
+Data security (integrity and confidentiality)
The GDPR sets out data security principles similar to those in the current directive, including: fairness, lawfulness and transparency; purpose limitation; data minimization; data quality; security, integrity and confidentiality.
You must ensure that personal data is processed in a manner that ensures its security, including protection against unauthorized or unlawful processing, and against accidental loss, destruction or damage: “The organisation and any outsourced service provider shall implement appropriate technical and organisational measures, to ensure a level of security appropriate to the risk”.
The regulation suggests a number of security measures which can be used to achieve data protection, including: pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring personal data processing security.
The GDPR specifies encryption as one approach that can help to ensure compliance with some of its obligations. To quote from the regulation:
Article 32 – Security of processing
“1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controllers and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data […]”
Article 34 – Communication of a personal data breach to the data subject
“3. The communication to the data subject referred to in paragraph 1 shall not be required if any of the following conditions are met: (a) controller has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption […]”
+Data documentation, legal basis and audit
You should document what personal data you hold, where it came from and with whom you share it.
If you have inaccurate personal data and have shared this with another organization, the GDPR requires that you tell the other organization about the inaccuracy so that it can correct its own records. To do this may require an information audit across your organization or within particular business areas. This will also help you to comply with the GDPR’s accountability principle.
Under the GDPR, you should examine how you process personal data and identify the legal basis on which you carry out and document these processes.
This is necessary because some individuals’ rights will be modified by the GDPR depending on your legal basis for processing their personal data. One example is that people will have a stronger right to have their data deleted where you use consent as your legal basis for processing. However, consent is just one of a number of different ways of legitimizing processing activity and may not be the best (as it can be withdrawn).
Join our GDPR webinar
Talk to our experts about how the new General Data Protection Regulation will affect your business. ESET is hosting webinars to explain the issues around the GDPR. These webinars are free to attend: just sign up below and we’ll invite you to the next event.