The 25th of May 2018 will bring significant changes to all companies located or simply doing business in Europe. As long as they process personal data (information that allows an individual to be identified, such as names or telephone numbers), compliance with the new General Data Protection Regulation (GDPR) will be obligatory. The main goal behind it is to give EU citizens back control over their data. Nowadays, despite existing regulations in place, many of us are simply not aware where and for what purpose our data is collected. This is bound to change.
With the end of the transition period 4 months away, a lot of companies still have not finished their internal compliance projects or are yet to start. They had better do so: failing to comply might result in significant fines, as high as 20mn EUR or 4% of global turnover, not to mention the lawsuits that individuals are entitled to bring.
Let’s take a brief look at the GDPR and what it will mean in practice, especially for software solutions.
At a high level, the GDPR consists of data processing rules and rights for EU citizens, which in turn means that data processing organizations (data controllers, or data processors dealing with data on behalf of data controllers) need to ensure internal compliance.
Data processing will now need to be done in line with seven GDPR guiding principles:
Under the lawfulness principle there will need to be a lawful basis (the set of which is listed in the regulation) to start processing data in the first place. For the processing to be valid, consent will need to be explicit and on an opt-in basis rather than having the fields checked by default, with the individual agreeing to each processing purpose separately and not in bulk.
The transparency principle calls for all consents to be easy to understand.
The accuracy principle will require the data controller to keep the data up to date and accurate.
The data minimization principle will require the data processing party not only to limit data collection to what is relevant for processing, concentrating on the minimal set of data, but also to ensure that data is kept no longer than necessary.
The purpose limitation principle will require the data to be used only for the processing purposes it was collected for, with each new purpose requiring an additional consent.
The security principle obliges data controllers to take the necessary measures to ensure security and protect data from unauthorized access, loss, damage and destruction.
The accountability principle will in addition mean that an organization needs to ensure and demonstrate compliance with the GDPR at the request of the supervisory bodies set up in a given country.
The right to erasure (to be forgotten), the right of access to data and the right to object to or restrict processing are among the rights granted to individuals that have existed in various forms for some time now. What is new is the right to data portability, in theory allowing one to get one’s data and move it over to a different service provider hassle-free. Implementing it might be a struggle though, since no common standards have been defined.
Who needs to comply?
The GDPR applies whenever the data processing party is located in the EU or does business here from overseas. Therefore, organizations based outside the EU are also affected. Importantly, processing of all kinds of personal data needs to be compliant, spanning from business-related data on clients to internal HR data sets.
On top of that, data can be stored in different forms, and processing of plain text personal data is clearly covered by the GDPR. Pseudonymized data (defined as “data that can no longer be attributed to a specific data subject without the use of additional information”) and anonymized data (“data rendered anonymous in such a way that the data subject is not or no longer identifiable”) can benefit from more relaxed treatment under some conditions. The former requires the “additional information”, which allows an individual to be identified, to be kept separately, while the latter is free to be used provided the exact conditions for anonymization are met.
End-to-end GDPR preparation will require companies to take action in a few dimensions. Overall, organizational-level processes and governance will need to be adjusted to accommodate the new duties. A dimension of special significance to Goyello and its Customers is the software solutions space and the GDPR’s impact on it.
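To make the "additional information kept separately" point concrete, here is an added example (not part of the original article, and not a technique the regulation prescribes). It assumes the direct identifier is an e-mail address and compares an unkeyed SHA-256 token with an HMAC-SHA256 token whose key plays the role of the separately held information; all function names and sample records are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _norm(identifier: str) -> bytes:
    return identifier.strip().lower().encode()

def unkeyed_token(identifier: str) -> str:
    """Plain SHA-256: anyone can recompute it, no additional information needed."""
    return hashlib.sha256(_norm(identifier)).hexdigest()

def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256: the key is the 'additional information' held elsewhere."""
    return hmac.new(key, _norm(identifier), hashlib.sha256).hexdigest()

def pseudonymize(records, key):
    """Return (dataset without e-mails, token -> e-mail map to store separately)."""
    dataset, lookup = [], {}
    for rec in records:
        token = keyed_token(rec["email"], key)
        lookup[token] = rec["email"]
        rest = {k: v for k, v in rec.items() if k != "email"}
        dataset.append({"subject": token, **rest})
    return dataset, lookup

def relink_without_key(tokens, candidates):
    """What a holder of the dataset alone can try: hash known addresses, compare."""
    guesses = {unkeyed_token(c): c for c in candidates}
    return {t: guesses[t] for t in tokens if t in guesses}

# Constructed sample data (example.com addresses, not real subjects).
RECORDS = [
    {"email": "anna@example.com", "plan": "pro", "tickets": 3},
    {"email": "jan@example.com", "plan": "free", "tickets": 0},
]
KNOWN_ADDRESSES = ["anna@example.com", "piotr@example.com"]

def demo():
    key = secrets.token_bytes(32)  # assumption: kept in a separate system
    dataset, lookup = pseudonymize(RECORDS, key)
    keyed = [row["subject"] for row in dataset]
    unkeyed = [unkeyed_token(r["email"]) for r in RECORDS]
    return {
        "unkeyed_relinked": relink_without_key(unkeyed, KNOWN_ADDRESSES),
        "keyed_relinked": relink_without_key(keyed, KNOWN_ADDRESSES),
        "with_lookup": [lookup[t] for t in keyed],
    }

if __name__ == "__main__":
    print(demo())
```

The unkeyed tokens are re-linked to a known address by anyone holding the dataset, while the keyed tokens are only resolved through the key or lookup map. The remaining columns can still act as indirect identifiers, so this covers only the direct identifier.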
Organizational-level and process implications
Public organizations, or private ones mainly dealing with data processing, will need to appoint a Data Protection Officer (DPO). The main responsibilities of this position include ensuring compliance with the regulations by assisting with and monitoring internal record keeping. Smaller companies will be able to share such a person. The DPO will also be of help in notifying regulatory bodies about data breaches, which needs to happen within 72 hours of becoming aware of a breach.
According to the GDPR, prior to starting certain kinds of data processing (e.g. large scale) it will be obligatory to carry out the so-called Data Protection Impact Assessment, to identify the scope, context and goals of these actions and to describe the technology used for them. A description of the planned actions, an assessment of their necessity, and a risk analysis with its mitigation would all be expected as an outcome.
The data minimization principle in practice also means that personal data stored within a company will need reviewing on a regular basis to ensure only what is needed is being kept.
Software solution implications
Software solutions will certainly need to factor in design paradigms. Here the GDPR introduces two terms: privacy by design and privacy by default. Turning them into practice will require architects to think about appropriate security measures to take care of privacy while designing any solution from now onwards. In addition, privacy options will need to be turned on by default from the very start of a user’s interaction with the system.
Functionality-wise, administrators will certainly need the capability to remove a user upon his/her request. What to do with the associated data is not that clear, though. The option of exporting a user’s data “in a structured, commonly used and machine-readable format” is also something that needs thinking through. Apart from these, all consents surely need auditing to ensure that each one describes a single processing purpose and is as clear as possible.
How to start?
Even though the GDPR was passed as a unified regulation, not requiring EU member states to adjust it in any way, each country can have its own unique flavours including more specific rules. This is why we always recommend turning to your lawyer first to clearly list the obligations that need to be fulfilled.
In parallel, setting up a cross-functional team, with one person overall accountable, seems to be the best way to go, due to the distribution of personal data within most companies. The team should then identify the personal data processed in order to define realistic goals and their milestones. One of those should be applying and interpreting the GDPR in the context of the organization. With certain aspects not defined explicitly in the GDPR (e.g. data portability), it will be necessary to agree on how to handle those. The next steps are likely to include resolving identified gaps, revising privacy policies and creating an organizational setup and governance to remain compliant in the long term.