Two years ago, life changed for all EU organizations that process personal data. In May 2018, the General Data Protection Regulation (GDPR) came into force, bringing new privacy principles and heavy fines for organizations that fail to align with its data processing rules.
During the GDPR's first year of enforcement, nearly 100 organizations were fined for non-compliance. Notably, last year Google was fined 50 million EUR by the French regulator CNIL for collecting personal data from users without providing adequate transparency about how it was processed.
GDPR: What Has Changed for Companies
Under the GDPR, personal data is any information relating to an identified or identifiable natural person, whether the identification is direct or indirect: a name, an email address, a photo, social media posts, medical data, an IP address, and so on.
The GDPR requires organizations to take documented steps to limit access to personal data and to implement measures that reduce the likelihood and impact of data breaches. Failing to do so exposes them to severe financial penalties.
Under the GDPR, individuals have the right to request erasure of their data when it is no longer necessary for the purpose it was collected for, or when they withdraw consent. They can also request that their data be transferred to another controller (data portability).
Complying with these new rights is a technical and legal challenge for companies dealing with data processing.
Besides developing new policies and training staff to handle privacy rights requests, companies must implement procedural and system changes to align with the regulation. Companies can lawfully process users' data only on one of six legal grounds:
- Consent;
- Contractual necessity;
- Legal obligations;
- Vital interests;
- Public interest (public task);
- Legitimate interests.
Scope: Is GDPR applicable to my company?
The GDPR applies to all organizations established in the EU that process personal data. It also applies if you are located outside the EU but process the personal data of individuals in the EU in connection with offering them goods or services, or with monitoring their behaviour.
What Companies Should Do for GDPR Compliance Today
Here are the main practical steps companies must take to comply with the GDPR.
1. Define the DPA to adhere to
If your company is established in the EU, determine which Data Protection Authority (DPA) will act as your lead supervisory authority; for cross-border processing this is normally the DPA of the member state where your main establishment is. If you are subject to the GDPR but have no EU establishment, you must designate a single representative in the EU.
2. Assign Data Protection Officers (DPOs)
Appointing a Data Protection Officer (DPO) is mandatory under the GDPR for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; many other organizations appoint one voluntarily. The DPO is an independent expert with appropriate knowledge who reports directly to senior management. The role must not be held by someone who also decides the purposes and means of processing, such as the head of IT, as that creates a conflict of interest.
3. Start mapping your data
The GDPR requires you to maintain a record of processing activities, which in practice means building a data map or data flow analysis. Data mapping is also the practical step that exposes gaps in your current compliance. Your IT departments will be involved by answering questionnaires and supplying information about security and maintenance measures, where data is stored, and which vendors process personal data, typically with the help of data mapping tools.
4. Stick to the accountability principles
Review IT systems and procedures to ensure you meet the GDPR requirements for privacy by design and by default. In addition, configure systems so that your organization processes only the minimum of personal data needed for each purpose (data minimization), and be able to demonstrate that you do.
5. Complete the DPIA
Where processing, particularly with new technologies, is likely to result in a high risk to individuals, your organization must carry out a Data Protection Impact Assessment (DPIA, also called a Privacy Impact Assessment). Get input from your IT team on the data security measures taken, storage locations, and retention periods.
6. Develop transparent consent and notice policies
Organizations must give individuals clear privacy information about how their data will be used. It should be transparent, specific, and limited to the purposes stated.
Where consent is the legal ground for processing, the user must give it freely, for each specific purpose, and knowing what they agree to; pre-ticked boxes and consent bundled with unrelated terms do not count. Separate consent is needed for different processing activities.
Organizations should set up their systems so that users can withdraw consent at any time, as easily as they gave it, and the company must then stop the processing that relied on that consent.
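As an added example that is not part of the original article, the following Python sketch shows one way to structure the consent records behind step 6: one append-only event stream per data subject, consent tracked per purpose, withdrawal recorded as just another event, and a default-deny check that processing code must call before it touches the data. The class and method names, the purpose strings and the subject id are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One recorded choice by a data subject about one purpose."""
    purpose: str          # e.g. "marketing-email"; exactly one purpose per event
    granted: bool         # True = consent given, False = consent withdrawn
    at: datetime
    source: str           # where the choice was captured, e.g. "signup-form"


class ConsentLedger:
    """Append-only per-subject record of consent decisions (hypothetical design).

    Each purpose gets its own consent (granular consent); nothing is ever
    overwritten, so the history of grants and withdrawals stays auditable.
    The current state for a purpose is its most recent event, and a purpose
    with no event at all is treated as NOT consented (default deny).
    """

    def __init__(self) -> None:
        self._events: Dict[str, List[ConsentEvent]] = {}

    def _record(self, subject_id: str, purpose: str, granted: bool,
                source: str, at: Optional[datetime] = None) -> ConsentEvent:
        event = ConsentEvent(purpose, granted, at or datetime.now(timezone.utc), source)
        self._events.setdefault(subject_id, []).append(event)
        return event

    def grant(self, subject_id: str, purpose: str, source: str,
              at: Optional[datetime] = None) -> ConsentEvent:
        return self._record(subject_id, purpose, True, source, at)

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 at: Optional[datetime] = None) -> ConsentEvent:
        # Withdrawal is just another event and must be as easy to call as grant().
        return self._record(subject_id, purpose, False, source, at)

    def current(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """Latest event for this subject and purpose, or None if never asked."""
        for event in reversed(self._events.get(subject_id, [])):
            if event.purpose == purpose:
                return event
        return None

    def is_permitted(self, subject_id: str, purpose: str) -> bool:
        """True only if the most recent decision for this exact purpose is a grant."""
        event = self.current(subject_id, purpose)
        return event is not None and event.granted

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Full audit trail for one subject, oldest first (what you show a regulator)."""
        return list(self._events.get(subject_id, []))


def send_marketing_email(ledger: ConsentLedger, subject_id: str, address: str) -> str:
    """Processing step gated by the ledger: no current consent, no processing."""
    if not ledger.is_permitted(subject_id, "marketing-email"):
        return f"skipped {address}: no valid consent for marketing-email"
    return f"sent to {address}"   # stand-in for the real send


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.grant("user-42", "marketing-email", source="signup-form")
    print(send_marketing_email(ledger, "user-42", "user42@example.com"))
    # Consent for one purpose does not spill over to another purpose.
    print(ledger.is_permitted("user-42", "analytics"))
    ledger.withdraw("user-42", "marketing-email", source="account-settings")
    print(send_marketing_email(ledger, "user-42", "user42@example.com"))
```

The design choice worth copying is that the ledger never deletes or edits events: withdrawal is itself an event, so both the fact that consent was once given and the moment it was withdrawn remain provable, while the processing code only ever asks the single default-deny question `is_permitted(subject, purpose)`.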
7. Choose the right software for compliance management
An appropriate GRC solution can simplify GDPR compliance through automation and a holistic approach. With such a tool you can manage privacy and personal data, receive guidance on requirements and related actions tailored to your specific needs, use predefined target objects in the GDPR context, and list processing activities. You can also carry out the Data Protection Impact Assessment (DPIA) inside the solution and track the implementation and maintenance of GDPR compliance.
8. Strengthen Information Security
Controllers and processors must take appropriate organizational and technical measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage, taking into account the state of the art and the risk the processing poses to individuals.
9. Upgrade Incident Response Plans
An incident response plan helps you detect, contain and report data breaches effectively. You must also test the plan regularly, for example through IT security audits and penetration tests.
10. Report data breaches
The GDPR requires the controller to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; a processor must report a breach to its controller without undue delay. If the breach is likely to pose a high risk to the affected individuals, the company must also notify them without undue delay.
11. Ensure proper vendor management
Under the GDPR, you need a vendor management program that ensures personal data is shared only with third parties that provide sufficient guarantees about their security, and only under a written contract containing the mandatory processor terms (Article 28). All of this should be documented, and existing vendor contracts must be updated to include these terms.
12. Beware the restrictions on profiling
If your organization carries out profiling or other solely automated decision-making that has legal or similarly significant effects on individuals, the GDPR restricts these activities unless the decision is necessary for performing a contract, authorized by law, or based on the individual's explicit consent. If none of these apply, you may need to introduce meaningful human review of the decision so that it is no longer solely automated and falls outside the restriction.
13. Control international data transfers
The GDPR restricts transfers of personal data to countries outside the European Economic Area (EEA). Your IT team must ensure that every data flow leaving the EEA is reflected in the data map, and that the company relies on an appropriate transfer mechanism, such as an adequacy decision, standard contractual clauses or binding corporate rules, for each of them.
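To show how the record of processing activities from step 3, the vendor checks from step 11 and the transfer checks above can be turned into something a team can actually run against its data map, here is an added Python example that is not part of the original article. The register format, field names, check rules and the sample entries (including every company and vendor name) are constructed for illustration; a real Article 30 register carries more fields than this.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# EU member states plus Iceland, Liechtenstein and Norway. Any other country
# code is treated as a third country that needs a transfer mechanism.
EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}
# The six lawful bases of Article 6(1).
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "vital_interests",
                "public_task", "legitimate_interests"}
# Transfer mechanisms this register accepts for third-country vendors (Chapter V).
TRANSFER_MECHANISMS = {"adequacy_decision", "standard_contractual_clauses",
                       "binding_corporate_rules"}


@dataclass
class Vendor:
    name: str
    country: str                      # ISO 3166-1 alpha-2 code of the processing location
    has_processing_agreement: bool    # written Article 28 contract in place?
    transfer_mechanism: Optional[str] = None


@dataclass
class ProcessingActivity:
    """One row of the record of processing activities (simplified)."""
    name: str
    purpose: str
    data_categories: List[str]
    lawful_basis: Optional[str]
    retention: Optional[str]          # e.g. "7 years" or "until consent is withdrawn"
    vendors: List[Vendor] = field(default_factory=list)


def check_activity(activity: ProcessingActivity) -> List[str]:
    """Return human-readable findings for one activity; an empty list means no gap found."""
    findings: List[str] = []
    if activity.lawful_basis not in LAWFUL_BASES:
        findings.append(f"{activity.name}: no valid lawful basis recorded")
    if not activity.retention:
        findings.append(f"{activity.name}: no retention period recorded")
    if not activity.data_categories:
        findings.append(f"{activity.name}: no categories of personal data recorded")
    for vendor in activity.vendors:
        if not vendor.has_processing_agreement:
            findings.append(f"{activity.name}: vendor {vendor.name} has no Article 28 "
                            "processing agreement")
        if vendor.country not in EEA and vendor.transfer_mechanism not in TRANSFER_MECHANISMS:
            findings.append(f"{activity.name}: transfer to {vendor.name} ({vendor.country}) "
                            "leaves the EEA without a transfer mechanism")
    return findings


def check_register(register: List[ProcessingActivity]) -> Dict[str, List[str]]:
    """Run the checks over the whole register; only activities with findings appear."""
    report: Dict[str, List[str]] = {}
    for activity in register:
        findings = check_activity(activity)
        if findings:
            report[activity.name] = findings
    return report


# Constructed sample register; all company and vendor names are fictitious.
SAMPLE_REGISTER = [
    ProcessingActivity(
        name="Newsletter", purpose="Send product news to subscribers",
        data_categories=["email address", "name"], lawful_basis="consent",
        retention="until consent is withdrawn",
        vendors=[Vendor("MailRelay Inc", "US", has_processing_agreement=True)],
    ),
    ProcessingActivity(
        name="Payroll", purpose="Pay employees and report to tax authorities",
        data_categories=["name", "bank account", "salary"], lawful_basis="legal_obligation",
        retention="7 years after employment ends",
        vendors=[Vendor("Salaris BV", "NL", has_processing_agreement=True)],
    ),
    ProcessingActivity(
        name="Website analytics", purpose="Measure site usage",
        data_categories=["IP address", "browsing behaviour"], lawful_basis=None,
        retention=None,
        vendors=[Vendor("TrackCo Ltd", "US", has_processing_agreement=False,
                        transfer_mechanism="standard_contractual_clauses")],
    ),
]

if __name__ == "__main__":
    for findings in check_register(SAMPLE_REGISTER).values():
        for finding in findings:
            print(finding)
```

Run against the sample register, the Payroll row passes, the Newsletter row is flagged once because its US mail provider has no transfer mechanism on file, and the analytics row is flagged three times (no lawful basis, no retention period, no processor agreement). Keeping the register as structured data rather than a spreadsheet is what makes checks like these repeatable every time a vendor or data flow changes.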
GDPR was a burning issue for all data processors at the start. Today, compliance with the regulation can be achieved with due diligence and the help of automated compliance solutions that support a holistic approach and, where necessary, the implementation of multiple standards at once.