A brief guide to GDPR compliance

Dimitar Kostadinov
May 28, 2018

The European Union (EU) has a new data protection law: the General Data Protection Regulation (henceforth "the GDPR" or "the Regulation"), which replaces the outdated EU Data Protection Directive (Directive 95/46/EC).

In essence, the EU is setting a new global standard for *privacy/data protection. In the wake of the Facebook scandal that erupted in March 2018, and given that the GDPR sets the bar so high, the Transatlantic Consumer Dialogue considered that "there is simply no reason for [Facebook] to provide less than the best legal standards currently available to protect the privacy of Facebook users." (Source: "Consumer groups urge Facebook to commit to global privacy rules" by A. Morse)

Despite Brexit, the UK will enshrine GDPR standards in its Data Protection Bill. This means that UK data protection legislation will remain aligned with that of the EU member states. As one government study shows, however, only 38% of British firms were aware of the GDPR just over 100 days before 25 May 2018. Many U.S. companies are in the same position. This writing may be of some help to those who want to run a successful business that abides by the new EU data protection law.

Data Controller & Data Processor

The data controller determines the purposes and means of the processing of personal data, whereas the data processor processes personal data on behalf of the controller (Art. 4(7) and Art. 4(8) of the GDPR).

Sometimes it can be difficult to determine whether a certain entity is a controller or a processor. To illustrate, Google is a data controller when it comes to its most popular ad products, including AdMob, AdSense, AdWords, DoubleClick Ad Exchange (AdX) and DoubleClick for Publishers (DFP), but it operates as a data processor with respect to consumers that use tools such as Google Analytics, Google attribution offering, Ads Data Hub and DoubleClick Bid Manager. (See the full list here)

Curiously, for publishers who use Google ad products, Google remains a "co-controller" with regard to data they collect, and they must mention that when asking users for their consent.

Territorial Scope

Data controllers/processors

  • whose establishment is in the EU or "the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union" (See Google Spain (C-131/12) and Weltimmo (C-230/14) by the Court of Justice of the European Union (CJEU))
  • …that offer goods or services to EU citizens (factors to be considered: language, domain name, shipping method, payment method, currency, etc.)
  • …that monitor the online behavior of EU citizens living in the Union
  • …to which the Regulation applies "by virtue of public international law."

(Art. 3 of the GDPR)

Companies whose primary business is processing user data, such as Facebook and Google, will be most affected by the changes. Online retailers, banks, and insurers are also likely to make significant changes to ensure GDPR compliance.

Personal Data and Data Protection Principles

Art. 4(1): "'personal data' means any information relating to an identified or identifiable natural person ('data subject')."

The GDPR broadens the scope of personal data, as it now includes online identifiers such as IP addresses and cookies. In addition, genetic and biometric data are included in the category 'sensitive data.'

Sensitive data – Certain categories of data are given higher protection. These are an individual's data on racial and ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data, health data, information about a person's sex life or sexual orientation, and criminal record information.

Healthcare organizations usually abide by higher standards of data protection.

Under the principles of Art. 5 of the GDPR, personal data must be:

  • processed lawfully, fairly and in a transparent manner ('lawfulness, fairness and transparency')
  • collected for a specific, legitimate purpose(s) ('purpose limitation')
  • limited to what is necessary for the purposes of processing ('data minimization')
  • kept accurate ('accuracy')
  • kept for no longer than is necessary ('storage limitation')
  • processed in a secure manner ('integrity and confidentiality')

…and…

  • under the control and responsibility of a controller ('accountability')

Accountability is a new principle under the GDPR, which requires a company to document its compliance.

When Is the Processing of Personal Data Legal?

There are six legal bases for processing personal data in the GDPR (Art. 6):

  1. Consent given by the data subject, or the processing is necessary for:
  2. the performance of a contract
  3. the compliance with a legal obligation
  4. the protection of a vital interest
  5. the public interest or in the exercise of official authority; or
  6. the legitimate interests pursued by the entity (Note: Beware of the balancing test pertaining to this legal basis.)

Consent is the most popular precondition for lawful processing of EU citizens' personal data. For instance, when it comes to GDPR compliance, Facebook tries to focus on obtaining consent rather than adhering to the principle of data minimization.

The consent must be: verifiable, clearly distinguishable from other matters, and withdrawable. Note that processing of sensitive data requires explicit consent.

Vague or blanket consent will not be valid anymore. The choice to consent to the processing of their personal data should be presented to data subjects in plain language that is easy to understand; hence, ambiguous, term-laden, and long consent requests will cease to exist, at least in theory.

Silence, pre-ticked boxes or inactivity do not constitute valid consent either. When users need to tick a box or agree over the phone, this is the so-called positive choice.

Children under 16 cannot give lawful consent; however, member states could lower this age to 13.

User Control and User Rights

One of the goals of the GDPR – yet a major challenge – is to give consumers back control over their data.

Controllers need to inform data subjects of their rights:

  • Subject access request – data subjects have the right to ask a data controller, or even their employer, for the data it holds about them (for example, methods used, content, who has access, etc.). Unless this request represents an unusual difficulty, the latter has 30 days to compile this information, which may range from performance reviews, disciplinary records, and computer access logs to job interviews or recordings of phone calls and video footage. In addition, the information must not include any other employee's personal information.
  • Categories of data that are exceptions to this rule are: health records, personal data that bear a relation to criminal justice and taxation, confidential communications with lawyers, documents that reveal current management problems, and trade secrets.

This procedure is free of charge, but controllers still have the right to charge a fee or refuse to execute excessive and unfounded requests.

  • Right to object – in certain situations (e.g., processing of personal data for direct marketing purposes, which may include an activity called 'profiling') data subjects may prohibit specific data processing operations. You can also object to decisions of significant effect that are based solely on automated decision-making.
  • One third of the organizations report that they would not be able to explain to their users how exactly their algorithms make decisions in the context of automated processing (source: Crowd Research report).
  • Right to rectification/erasure – in cases where the data is incomplete or incorrect
  • Right to restriction – in cases where the processing does not match data protection measures set out in the Regulation, data subjects may request the blocking of the processing of their personal data
  • Right to erasure (aka "right to be forgotten") – one of the hallmarks of the new EU data protection rules. Provided that personal data is no longer necessary concerning the purposes for which it was collected, or consent has been withdrawn, the data subject could request this data to be erased.
  • Almost two-thirds of respondents to a Solix survey admit they do not know how to implement "the right to be forgotten," because they are not sure whether they can purge users' personal data for good.
  • Right to data portability – data subjects may request that their data controller provide their personal data in a machine-readable form so that they can transfer it to another controller. The machine-readable format enables easy reuse of the same data set if you want to change the data controller, for instance, when you switch telecom providers by transferring your data.

Tips to Become GDPR Compliant

Map Your Data

To ensure your GDPR compliance will not be problematic, it is best to gather a team comprised of lawyers, IT technicians, and data security experts. They need to figure out:

  1. What kind of data is being processed?
  2. Where is this data stored?
  3. How is the processing handled?

Analyze the full spectrum of your data – categories, legal bases for processing, methods of processing, entities who have access, and security measures.

All of the organization's plans and policies – e.g., data protection plan, BYOD policy, incident response plan and business continuity plan – must conform to the GDPR norms. For example, the majority of employees are allowed to install personal apps on devices used for work purposes. That could be counterproductive if those apps access and store personal data and there are no measures to ensure GDPR compliance. Consequently, you need to fix your BYOD policy.

Inspect your vendors and know what security policies and material measures they have in place. Research what kind of user data your vendors have access to. Some of them may like to capture unnecessary data such as IP details in full, which would help them build a complete picture of users' browsing habits. The bad news is that revising contracts and relationships with each vendor is a time-consuming process.

You have to be able to describe user data-related processes such as content management, user registration, business intelligence, and analytics (in accordance with the principle of 'accountability'). Be able to report your GDPR compliance progress – in order to demonstrate compliance, and in accordance with Article 30 of the GDPR, your company must complete the record of processing activities (RoPA). In essence, that is an inventory of risky applications.

Risk Assessment

You need to understand not only what kind of data you store, but also understand the risks around it. Shed some light on shadow IT that may collect and store personal information, because its very presence may expose your company to dangers of non-compliance. To be effective, a risk assessment should also set out techniques designed to mitigate existing risks.

Take the advice of Matt Fisher, IT thought leader and senior vice president at Snow Software, on how to commence with the risk assessment:

"Getting started [on the risk assessment] is the biggest obstacle. As a first course of action, organizations must get a full picture of their entire IT infrastructure and inventory all applications in their estates. This, coupled with specific insight about which applications can process personal data, dramatically minimizes the scope of the project as well as the time spent on it. Suddenly, the impossible becomes possible."

(Source: "General Data Protection Regulation (GDPR) requirements, deadlines, and facts" by Michael Nadeau)

Risk identification is to be logically followed by risk mitigation.

Processing activities must be compliant with the data protection principles set out in the Regulation.

Address User Rights and Give Users Control

You should be able to effectively handle customer complaints and queries, especially those associated with the data subjects' rights set forth in the Regulation.

Under the GDPR data controllers always have to provide users with the option to opt out of all communications. Give users control and the option to opt out: place an "unsubscribe" box right next to the "subscribe" one where these variants appear on your website.

Be Transparent

Regulators appreciate transparency. For example, create noticeable links to your terms and conditions and privacy policy.

Employ Organizational and Technical Measures that Include Data Protection by Design and by Default

Certain security measures and techniques must exist in the product/service that data controllers offer from the very first stages of its development. Encryption and pseudonymization are common examples of such measures. Moreover, they allow developers to apply core data protection principles, such as data minimization, in practice.
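As an added illustration of the two measures named above (not code from the article), the following Python snippet pseudonymizes a direct identifier with a keyed HMAC and truncates IP addresses before an analytics event leaves the controller; the field names, key and sample event are constructed for the example.

```python
# Added example: pseudonymization plus IP truncation as "data protection by
# design" measures. Field names, key and sample data are hypothetical.
import hmac
import hashlib
import ipaddress


def pseudonymize(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 pseudonym.

    The pseudonym is stable for the same key (records can still be joined),
    but cannot be reversed or recomputed without the key, which must be
    stored separately from the pseudonymized data set.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def truncate_ip(address: str) -> str:
    """Drop the host part of an IP address (data minimization).

    IPv4 keeps the first 24 bits, IPv6 the first 48, so the value still
    supports coarse geolocation and abuse statistics without singling out
    one device.
    """
    ip = ipaddress.ip_address(address)
    prefix = 24 if ip.version == 4 else 48
    network = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
    return str(network.network_address)


def minimize_event(event: dict, key: bytes) -> dict:
    """Apply both measures to one analytics event; the e-mail is not kept."""
    return {
        "user": pseudonymize(event["email"], key),
        "ip": truncate_ip(event["ip"]),
        "page": event["page"],  # contains no personal data, kept as is
    }


# Constructed sample key and event (illustrative only; a real key belongs in
# a secrets manager, not in source code).
PSEUDONYM_KEY = b"example-key-kept-in-a-secrets-manager"
SAMPLE_EVENT = {"email": "Alice@Example.org", "ip": "203.0.113.77", "page": "/pricing"}

if __name__ == "__main__":
    print(minimize_event(SAMPLE_EVENT, PSEUDONYM_KEY))
```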

Interestingly, there are more similarities between HIPAA and the GDPR than you may think, as both acts aspire to regulate the whole life cycle of personal information: collection-processing-storage-destruction. Nevertheless, the GDPR will likely not supersede legal requirements on data retention and maintenance that ensue from specific laws, such as HIPAA health record requirements.

Address Data Breaches As Quickly As Possible

Under the GDPR, data processors are liable for data breaches or non-compliance. Data breaches are to be reported to authorities and users within 72 hours of finding out about the incident. Under Art. 33 (2): "The processor shall notify the controller without undue delay after becoming aware of a personal data breach."

Most data breaches are detected by third parties, such as customers or law enforcement. An incident response plan and a business continuity plan are organizational tools that will help you observe the GDPR data breach obligations.

Hire a Data Protection Officer (DPO)

Small businesses usually do not have the resources or expertise to meet the new rules. Lack of staff with GDPR experience and insufficient budget are among the reasons most often cited for the poor and slow implementation of GDPR norms. Also, employees tend to underestimate the effort and time needed for full GDPR compliance. IT and information security teams most often have the responsibility to make their organizations GDPR compliant, but the GDPR imposes no restriction requiring a DPO to work for only one organization; therefore, a DPO could be a consultant who works for multiple organizations.

The DPO is a role comparable to better-known positions such as internal regulator or auditor. Its main goal is to make sure that the company uses equipment, and employs people who know how to use it, in a way that complies in practice with the GDPR requirements.

Companies that process/store large amounts of personal data, monitor citizens on a regular basis, or are a public authority, are required to designate a DPO to guide and oversee the entire data security strategy and GDPR compliance.

(Chart: "Measures in preparation for GDPR", Statista, CC BY-ND 4.0 – https://www.statista.com/chart/13515/measures-in-preparation-for-gdpr/)

Conclusion

As many as 52% of the companies participating in a new survey conducted by Propeller Insights think they will be fined for non-compliance. Regulators will probably show some leniency towards small businesses as long as some real effort in the implementation of best GDPR practices is evident. Nonetheless, while good will of regulators is a factor of volatile nature, the fines are real and hefty.

Let us not forget how Facebook was fined €110 million in May 2017 for linking users' Facebook account data to the same users' WhatsApp accounts (WhatsApp being a Facebook-owned messaging app). Under the new rules, violations of the GDPR data protection obligations may result in fines of up to €20 million or 4% of a company's annual global revenue – whichever is higher. For the sake of illustration, Facebook could be liable for an astounding $1.6 billion penalty, were it to be found non-compliant with the GDPR in 2016. This sum is based on the company's $40 billion annual revenue in 2016. One last example – the gravest penalty for a hypothetical GDPR violation by The New York Times might reach a staggering €56 million.

In addition to fines, data protection authorities (DPAs) can impose corrective actions when necessary, with a ban on data processing and a temporary/definitive limitation on data processing activities being the most common ones.

An Ovum report reflects the fear of some 85% of American companies that the GDPR will put them at a competitive disadvantage with their European counterparts. Many consumers say they will not condone careless behavior regarding their personal data on the part of data controllers. Now, combine that with the fact that in the event of a data breach 62% of consumers would blame the company that stores their data, not the cybercriminals, according to an RSA Data Privacy & Security Report. This is so mostly because data subjects feel that they are kept in the dark about how companies deal with their consumer data – "As consumers become better informed, they expect more transparency and responsiveness from the stewards of their data," the report says.

Data privacy is very important in Europe. Consumers place much more trust in, and have more respect for, a company that exercises great care when processing their personal information. Now is the right time for organizations to promote themselves based on their excellence in implementing the best privacy practices. For instance, the German supermarket Edeka chose to make some privacy elements – cookie notifications and a link to its "Privacy Policy" (Datenschutzhinweisen) – bigger than its company logo. This is a real-life embodiment of data protection as an advertisement.

The GDPR comes into effect on 25 May 2018.

*For the purpose of this article, the terms 'data protection' and 'privacy' are used interchangeably.

Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master's program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master's degree in 2009. From 2008 to 2012, Dimitar worked in data entry and research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted to the Law and Politics of International Security program at Vrije Universiteit Amsterdam, the Netherlands, graduating in August 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in the Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European Summit organized by Forum Europe in Brussels.