9 Ways the General Data Protection Regulation (GDPR) Affects Your Business

Here, CloudMaitre Founder, Trudy Mockford, shares her thoughts on how businesses can meet the demands of the EU's new data protection regime with technology.

On April 14, 2016 the EU Parliament approved new rules for the digital era. More than four years of work resulted in a complete overhaul of EU data protection rules. The reform replaces the 1995 Data Protection Directive, establishing a single new law across the EU. The data protection package is a key enabler of the Digital Single Market and the EU Agenda on Security, designed to boost trust for citizens and businesses alike. It brings a renewed realisation that data is valuable and should be treated with great care by consumers and businesses alike.

How to Comply with the New GDPR Legislation

The best way to prepare for compliance with the new legislation is to implement a data records management process that includes encryption. The legislation does not prescribe any particular management information system (MIS), but it does refer to encryption as a means of securing personal data and rendering it unintelligible to unauthorised users. Because it does exactly that, encryption is widely accepted as a way of addressing these requirements. If properly encrypted data is lost or stolen, nobody who lacks the key can read it, which is the key objective of data protection legislation; the caveat is that this only holds if the key was not lost along with the device or file. Auditing and reporting capabilities support compliance efforts by enabling IT to prove that a machine, file or USB stick was encrypted at the time it was lost, breached or stolen.

The regulation document runs to 261 pages. Here we take a look at some of the key new requirements:

1.     Consent

What constitutes personal data? Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.

A key part of the test of the validity of consent is whether consumers understand what they are agreeing to and are given an understandable choice. You will be obliged to provide evidence that you obtained consent from specific data subjects, which is going to require much better record keeping for many organisations. Failure to keep such proof of consent will itself be a breach of the requirements. This means not only recording the fact that someone ticked a box in a form, but keeping an audit trail that links that action to the relevant document and to the actual processing of the data concerned. An automated workflow proves that the standard operating procedure (SOP) is in place, and secure logging provides the audit trail. The duly signed data protection form can be indexed and stored in a central document pool from which reports can be run.

2.     It is your responsibility to inform users of their rights

Under the new regulation, controllers must inform and remind users of their rights, and document the fact that this has been done. In addition, consent must be an affirmative opt-in: users should never have to opt out of their data being used, and silence or pre-ticked boxes do not count. This is more tightly regulated than under the current directive, and firms not meeting these requirements will face larger fines. Once again, you will be obliged to provide evidence that you communicated their rights to specific data subjects, which is going to require a document management system for record keeping.
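The audit trail described in points 1 and 2 has to show, for each data subject, which document they signed, what they agreed to and when, and it has to be hard to alter after the fact. The following is an added illustration of one way to build such a ledger; it is not CloudMaitre's or DocuWare's code. Each consent decision is stored as a record chained to the previous one by a SHA-256 hash, so an auditor can detect a record that was edited or quietly removed. The subject, purpose and document identifiers are constructed for the example.

```python
"""Tamper-evident consent ledger (added illustration, not the article's code).

Each record says who consented to what, under which signed document and when,
and carries the hash of the previous record. Re-hashing the chain reveals any
record that was changed or deleted after it was written.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" of the very first record


def _canonical(record: dict) -> bytes:
    # Fixed key order and separators so identical content always hashes alike.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: dict) -> str:
    return hashlib.sha256(_canonical(record)).hexdigest()


class ConsentLedger:
    def __init__(self):
        self.entries = []  # append-only in normal operation

    def append(self, subject_id, purpose, document_id, granted, at=None):
        """Record a consent decision (granted=True) or withdrawal (granted=False).

        document_id names the signed form or withdrawal request that is the
        evidence; `at` is an ISO-8601 timestamp, defaulting to now (UTC).
        """
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "subject_id": subject_id,
            "purpose": purpose,
            "document_id": document_id,
            "granted": granted,
            "at": at or datetime.now(timezone.utc).isoformat(),
            "prev": prev,
        }
        entry = dict(body, hash=record_hash(body))
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or record_hash(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def evidence(self, subject_id, purpose):
        """Latest recorded decision for this subject and purpose, or None."""
        for e in reversed(self.entries):
            if e["subject_id"] == subject_id and e["purpose"] == purpose:
                return e
        return None


if __name__ == "__main__":
    # Constructed sample: a subject opts in to a newsletter, declines
    # profiling, and later withdraws the newsletter consent.
    ledger = ConsentLedger()
    ledger.append("subj-42", "newsletter", "form-2016-0001", True, "2016-05-01T09:00:00+00:00")
    ledger.append("subj-42", "profiling", "form-2016-0001", False, "2016-05-01T09:00:00+00:00")
    ledger.append("subj-42", "newsletter", "withdrawal-0009", False, "2016-06-12T14:30:00+00:00")
    print("chain intact:", ledger.verify())
    print("current newsletter consent:", ledger.evidence("subj-42", "newsletter")["granted"])
```

The hash chain only proves that the ledger you are looking at is self-consistent; to stop someone rewriting the whole chain, the latest hash should be periodically copied somewhere the ledger's administrators cannot write (a separate log store, or a signed timestamp), which is the "secure logging" the text refers to.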

3.     The right to be forgotten (Article 17)

Any data subject will have the right to have his or her personal data erased when he or she no longer wants it processed, provided the controller has no legitimate grounds for retaining it. Do you have processes for this now, and how would you remove contact information from individual databases, from backups, and from any third parties you have passed it to? These are questions that need answering now. Again, control of data records and a process for the destruction of selected records handles this requirement.

4.     Data Inventory is a must

Under the GDPR, organisations must create and maintain an inventory of their systems and data flows. With data stored across multiple platforms such as file shares, SharePoint, the cloud and databases, firms will need to rely on technology to search, classify and report on any sensitive data they hold. Classification that relies on end users indexing documents by hand does not scale and is replaced by automated, content-aware indexing.

5.     Privacy Impact self-assessment exercises

The GDPR obliges organisations operating within the EU to perform a privacy impact assessment (PIA, called a data protection impact assessment in the regulation) before starting any processing that is likely to result in a high risk to individuals. A PIA is an analysis of the ways in which personally identifiable information (PII) is collected, used, shared and stored by a company. Data must be digitally captured, indexed, stored and logged before reports can be generated and analysed, so organisations will need to digitise paper-based documents to enable PIAs.

6.     Data protection risk analysis

Do you have control of data records, and do you have the processes in place to prove it? If so, how confident are you that they are being adhered to?

Depending on the kind of data stored in your systems, you may need to move, delete or encrypt it. The capacity to do so quickly and proactively, and to prove that you are doing it through regular audit reports, will be central to any firm's ability to meet GDPR compliance needs.

Where There’s Lack of Process, There’s Liability

Not having a clear process for storing, managing and disposing of documents, or having one and not using it, is a liability issue. With clear procedures for the management and destruction of records, in both paper and electronic form, these kinds of liability issues are greatly reduced.

7.     Users will be able to claim compensation

Leading on from risk assessment, the GDPR will allow users to claim damages where they suffer harm as a result of unlawful processing. This will also include collective redress, broadly the equivalent of a class action lawsuit. Senior management will need a good understanding of the potential impact this could have on their business, not only in terms of costly legal damages but also in further reputational damage, as cases can and do carry on in the public eye for years. A prime example is Sony, reportedly facing seven class action lawsuits following last year's hack.

8.     Privacy by Design

The concept of privacy by design has existed for years, but will now form part of the law. At its heart, privacy by design calls for data protection to be built in from the start of designing a system, rather than bolted on later. In future, companies will have to design their default processes so that as little personal data as possible is collected and processed. This calls for expertise in process review, to streamline the data captured when indexing and storing documents.

Article 23 of the draft (Article 25 in the final numbering) calls for controllers to hold and process only the data strictly necessary for the completion of their duties, and to limit access to personal data to those who need it to carry out the processing. Software controls need to make sure that only authorised personnel can perform a given action, while keeping that arrangement transparent to everyone. Whichever technology you use, a permissions model lets you define in detail, for each end user, which activities he or she can perform within your system, with access denied unless it has been explicitly granted.

9.     Firms will have to appoint a data protection officer

Although the parameters are still to be agreed, many organisations will be required to appoint a Data Protection Officer (DPO) to ensure compliance with the law. A DPO will be mandatory in the public sector; for private sector organisations the key test will be whether the organisation carries out "systematic monitoring of data subjects on a large scale". Today, responsibility for data protection rests chiefly with the data controller. Under the new regulation, any company or individual that processes the data, including third-party processors, will also be held directly responsible for protecting it. Technology enables the DPO role, and the complete SOP can be implemented with the DocuWare Document Management System. Effective electronic document management meets GDPR requirements by tracking who stored each document and when, as well as who accessed it and on which dates. Access rights may be assigned automatically to each electronic record or on an as-needed basis, and security for records can be managed by document type and electronic file cabinet. When a regulated environment has clear, simple procedures that are easy to follow, concerns over compliance issues are addressed.
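Points 8 and 9 both come down to the same mechanism: rights assigned per document type rather than per person on request, nothing allowed that has not been explicitly granted, and a record of who stored or accessed each document and when. The following is an added illustration of that pattern in a small in-memory document store; it is not DocuWare's or CloudMaitre's code, and the roles, document types and users are constructed for the example.

```python
"""Deny-by-default document access with an access log (added illustration).

Rights are granted to roles per document type, so the set of people who can
read personal data is small and reviewable. Every attempt, whether allowed or
refused, is logged with who, what and when, including attempts on documents
that do not exist, which are refused rather than reported as missing.
"""
from datetime import datetime, timezone

# Role -> document type -> permitted actions. Anything not listed is denied.
# Constructed policy: HR maintains employee records, marketing handles consent
# forms, and the DPO can read but not change either.
POLICY = {
    "hr_clerk": {"employee_record": {"read", "store", "erase"}},
    "marketing": {"consent_form": {"read", "store"}},
    "dpo": {"employee_record": {"read"}, "consent_form": {"read"}},
}


class DocumentStore:
    def __init__(self, policy, roles):
        self.policy = policy
        self.roles = roles      # user -> role (assumed to come from the directory)
        self.docs = {}          # doc_id -> {"type", "content", "stored_by", "stored_at"}
        self.log = []           # one entry per access attempt

    def _audit(self, user, action, doc_id, allowed):
        self.log.append({
            "at": datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "doc_id": doc_id, "allowed": allowed,
        })

    def authorise(self, user, doc_id, action, doc_type=None):
        """Decide whether `user` may perform `action` on `doc_id`, and log it.

        `doc_type` is only needed for "store", when the document does not exist
        yet; otherwise it is looked up. An unknown user, unknown role, unknown
        document or unlisted action all fall through to a denial.
        """
        if doc_type is None:
            doc = self.docs.get(doc_id)
            doc_type = doc["type"] if doc else None
        role = self.roles.get(user)
        allowed = action in self.policy.get(role, {}).get(doc_type, set())
        self._audit(user, action, doc_id, allowed)
        return allowed

    def store(self, user, doc_id, doc_type, content):
        if not self.authorise(user, doc_id, "store", doc_type):
            raise PermissionError(f"{user} may not store {doc_type}")
        self.docs[doc_id] = {
            "type": doc_type, "content": content, "stored_by": user,
            "stored_at": datetime.now(timezone.utc).isoformat(),
        }

    def read(self, user, doc_id):
        if not self.authorise(user, doc_id, "read"):
            raise PermissionError(f"{user} may not read {doc_id}")
        return self.docs[doc_id]["content"]

    def erase(self, user, doc_id):
        # Supports the right to erasure; the log keeps a record that it happened.
        if not self.authorise(user, doc_id, "erase"):
            raise PermissionError(f"{user} may not erase {doc_id}")
        del self.docs[doc_id]

    def history(self, doc_id):
        """All logged attempts on one document, oldest first."""
        return [e for e in self.log if e["doc_id"] == doc_id]


if __name__ == "__main__":
    # Constructed users and data.
    store = DocumentStore(POLICY, {"alice": "hr_clerk", "bob": "marketing", "dana": "dpo"})
    store.store("alice", "doc-1", "employee_record", "constructed payroll record")
    print("DPO read:", store.read("dana", "doc-1"))
    print("marketing read allowed?", store.authorise("bob", "doc-1", "read"))
    for entry in store.history("doc-1"):
        print(entry["at"], entry["user"], entry["action"], "allowed" if entry["allowed"] else "DENIED")
```

Two design points are worth noting. Denials are logged just like successes, because a run of refused reads on an employee record is exactly what a DPO reviewing the log needs to see. And the policy is keyed on role and document type rather than on individual users and documents, so the least-privilege review the text asks for is a review of a short table, not of every file cabinet.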

Call to Action

The regulation takes effect after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by national governments: it entered into force in May 2016 and applies from 25 May 2018. With the text now agreed, this is the time for companies to review the new requirements, seek legal guidance and put in place processes that will enable compliance. Data protection has traditionally been the area where compliance most often falls short. Under the GDPR, documented consent will become one of the most important things to get right.

Moreover, the potential fines for getting it wrong are set to rise dramatically. Today the UK's ICO can fine up to £500,000; under the GDPR the maximum rises to the greater of 20 million euros or 4 per cent of a business's worldwide annual turnover. Given this, and Brexit aside, businesses handling data originating from the EU should in all cases ensure that data records management is prioritised on the boardroom agenda.

So who wants to risk potential fines and the ripple impact of getting it wrong?

Technology enables organisations to give customers a GDPR-compliant data records management system, and to give their own DPOs a modern, collaborative and connected environment in which to police compliance accountably.

CloudMaitre - The smart cloud computing hub.  Our mash-up content provides quality info for the tech audience. (See: www.cloudmaitre.com for more information).
Thoughtfully curated content put together with a human touch. We are establishing ourselves as influencers in this space. Straightforward technology information not just for techies.