The EU’s General Data Protection Regulation (GDPR) will enter into force on 25 May 2018. It is intended to create a single law on data protection across the EU, and will have a significant impact on businesses in Europe and, importantly, also on businesses outside of Europe, such as in the US, that have data on Europeans, whether customers, business partners or employees.
The GDPR will be a game changer in how businesses use data given the very significant fines being introduced by the GDPR for non-compliance of up to 4% of annual worldwide turnover for a corporate group.
With only a few months to go until the GDPR becomes law, businesses should now seriously consider the impact of the GDPR by carrying out an internal gap analysis of current data privacy and cyber security practices as compared to GDPR requirements.
IT professionals have a crucial role to play in any GDPR compliance project. IT’s engagement is essential in order to determine the changes required to bring a business in line with the requirements of the GDPR.
IT professionals will also need to be heavily involved in devising or sourcing technical solutions to some of the most challenging aspects of the GDPR, such as the principle of privacy by design.
This article sets out some of the key practical steps organisations must take in order to comply with the GDPR by May 2018 and highlights the role of IT professionals in each step. It is important to note that there is no grace period with the GDPR so businesses need to be fully compliant with the GDPR by 25 May 2018.
Data mapping requirements
It is a legal requirement under the GDPR to maintain a record of data processing activities by creating a data map or data flow analysis. Data mapping is also an essential practical step which helps to identify gaps in current compliance.
Whoever is running your organisation’s GDPR project will need to schedule calls with IT, provide questionnaires or use data mapping software. Input from IT professionals regarding security and ongoing maintenance measures, data storage and vendors which process personal data will be central to the creation of a data map.
The GDPR applies to: (i) any EU based controller or processor where personal data are processed “in the context of its activities”, and (ii) an entity with no EU presence which processes the personal data of an individual in the EU in connection with goods or services offered to him or her or the monitoring of that individual’s behaviour.
If an organisation has an EU establishment it will need to determine which Data Protection Authority (DPA) in the EU will be its lead DPA. If an organisation is subject to the GDPR but does not have an EU establishment it must appoint a single data protection representative in the EU.
Data protection officers (DPOs)
The GDPR requires the appointment of a Data Protection Officer (DPO) in certain cases, including where processing involves regular and systematic monitoring of individuals on a large scale, or where sensitive personal data (such as data on health) are processed on a large scale.
Even where there is no legal requirement, guidance recommends appointing a DPO as a matter of good practice. DPOs have to be independent, accessible, have expert knowledge and report to senior management.
Following a recent German case, a member of the IT team cannot be appointed as a DPO and retain their existing responsibilities because this may create a conflict of interest due to the key role of IT in processing the organisation’s personal data.
Organisations must review their IT systems and procedures to ensure that GDPR requirements for privacy by design, and by default (that is, privacy should be designed into products, systems and processes) are met as well as data minimisation requirements (that is, only the minimum amount of personal data necessary should be processed by the business).
Under GDPR, Privacy Impact Assessments (PIAs) must be completed where using new technologies and the data processing is likely to result in a high risk to individuals (e.g. employee monitoring).
Recent guidance has also recommended that PIAs should be done now for current activities even though the GDPR does not become law until May 2018. Compliance staff and outside counsel completing PIAs will need input from IT personnel on the data storage, data retention and data security measures in place.
Consents and notices
Under the GDPR, individuals must be provided with detailed privacy information about how their personal data will be used. Where an organisation is relying on consent as a legal ground for data processing, that consent must be freely given, specific, informed and unambiguous and, importantly, separate consent is required for different processing activities. The GDPR will also require systems to be overhauled so that if an individual withdraws consent the organisation can stop processing their personal data.
Individuals’ new privacy rights
The GDPR gives individuals new privacy rights to: (i) erasure of data (for example, when data is no longer necessary or consent is withdrawn); (ii) object to processing, including in relation to direct marketing; and (iii) data portability (that is an individual can request that their data be transferred to another controller where processing is based on consent or on contract performance).
Complying with these rights is both a technical and legal challenge. In addition to developing policies and training on how to handle privacy rights requests, organisations will need to implement procedural and system changes to comply with these new rights. Failure to do so could mean that actioning requests to port or erase data is both highly time consuming and expensive.
Restrictions on profiling
The GDPR imposes new restrictions on businesses that conduct automated decision-making that produces legal or other similarly significant effects on individuals (e.g. profiling), unless limited exceptions apply, for example, where it is necessary for the performance of a contract or conducted with the individual’s explicit consent.
If an organisation does carry out profiling, it should consider whether any of the exemptions apply. Where there is no applicable exemption, it may be possible to introduce human intervention into the decision taking process so that the profiling is not solely automated and falls outside the scope of the restriction.
One of the key impacts of the GDPR for IT professionals will be the obligation to report personal data breaches without undue delay, and where feasible within 72 hours.
Where the breach is likely to result in a high risk to affected individuals they must also be notified without undue delay. Controllers and processors must also implement appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data.
To comply with this challenging requirement it is essential to develop an Incident Response Plan, or amend an existing one, to detect and report breaches effectively, and to carry out table top exercises to test the plan. Regular security audits, including penetration tests, are also important in order to prevent breaches.
Under the GDPR, contracts with data processors (e.g., vendors) processing EU personal data must contain specific data processing terms as set out at Article 28 of the GDPR.
These new provisions need to be inserted not only into new vendor contracts but also existing vendor contracts before May 2018. This may mean some businesses will have to amend numerous vendor contracts over the next few months. Where an organisation already has a vendor management and due diligence program in place, this should be updated to reflect the new requirements under the GDPR.
International data transfers
Similar to existing EU data protection laws, the GDPR restricts transfers of personal data to countries outside the European Economic Area (EEA) that are deemed by the EU not to provide an adequate level of protection, such as the U.S. There are a number of international transfer solutions which permit such transfers, such as: (i) EU Standard Contractual Clauses, (ii) the EU – U.S. Privacy Shield, and (iii) Binding Corporate Rules.
IT professionals should ensure that all transfers of personal data outside the EEA of which they are aware are reflected in their organisation’s data map and that an appropriate transfer solution to allow for the transfer of personal data from the EU is in place.
Sourced by William Long, Partner at Sidley Austin