GDPR compliance: Are you ready?

On 25 May 2018, GDPR or General Protection Regulation came into force in the EU (after a 2-year adoption period spurred in 2016). It was created with the purpose of coordinating data privacy laws across Europe.

At a glance, the Regulation describes itself as a revitalized means of protection for personal data.

Personal data means data relating to a living individual who can be identified either from the data or from the data in conjunction with other information. Moreover, the Regulation implements new principles in relation to treatment, collection, and portability of data.

In the context of GDPR, the key characters are data controllers and data processors. A data controller is the party that determines the purpose and the means of processing personal data. The processor is the party that processes personal data on behalf of the controller.

Previously, the personal data that was protected under prior regulations (Data Protection Directive 95/46/EC) simply consisted of the users’ phone numbers, emails, zip codes, and purchase history. But under the new set of regulations, in addition to the above-mentioned data, information like content preferences, online behavior, age, genetic markers, mental or physical health, cultural and political affiliations, economic status, and social network information are going to be protected as well.

The overall territorial scope of the GDPR is larger than the currently legislated DPD. In fact, it encompasses non-EU based businesses that market their products to Europeans, or who monitor the behavior of Europeans. In other words, If your business or organization is not in the EU but caters to European residents, you’re not off the hook yet! It’s likely that GDPR will still apply to you.

Here, we will introduce the main elements of the regulation.

A critical part of GDPR is concerning an organization’s responsibility to be transparent.

The so-called “right to be informed” includes organization’s obligation to provide “fair processing information”; typically through a privacy notice. It emphasizes the need for transparency on how you plan to use personal data.

You must clearly state to our customers what data we wish to take from them, how we will be handling it (i.e. protecting it), and what we intend to do with this information. In order to schematize the “right to be informed” and related transparency obligation, the processing of personal data must be:

• Concise, transparent, intelligible and easily accessible;
• Written in clear and plain language, particularly if addressed to a child; and free of charge.

In that same vein, consent will be required before a company can use or process any personal data. In the past, for users to opt-in, they would simply be required to click an affirmative statement of some sort.

Now, you are obligated to ask users for explicit consent. You must also define their preferences; regarding frequency, topics covered, and so on. Furthermore, consent must be verifiable, meaning that some form of record must be kept of how and when consent was given.

Finally, Individuals have the right to withdraw consent at any time.

GDPR requires that organizations pay close attention to the age of their users. Individuals under the age of 16 must provide parental consent. Stakeholders must take reasonable measures in order to verify that consent is coming from the parents.

In this case, it may be helpful to review Article 8 to further learn about how certain organizations can comply with the lower requirement of the age of 13.

Moreover, the GDPR strengthens the significance of protecting children’s personal information, as used for the purposes of marketing and creating online profiles.

This is the ability for users to obtain their personal data for their own purposes.

As stipulated under Article 20, users also have the right to request that personal data is transmitted directly from one controller to another (when feasible). The essence here is that data must be produced and kept in a way that is compatible with other systems.

You must provide the personal data, free of charge, in a structured, commonly used and machine-readable form so that software can extract specific elements of the data.

Finally, users can now also simply request that any information should be deleted from the system. This is called “the right to erasure”, or “the right to be forgotten”.

The idea of building digital systems in order to include privacy by default (and design) is also featured in the Regulation. Fundamentally, user privacy is to be considered at the root of the system as it is being modified or built.

Under the GDPR, organizations have a general obligation to execute technical and organizational measures in order to show that they have integrated the implementation of data protection within their processing activities.

Privacy settings should be set to their highest possible level by default, allowing a user to tone it down if they wish.

Organizations have to implement several measures (including pseudonymisation) that meet the principles of data protection by design and data protection by default.

Under GDPR, pseudonymization is a recommended process in order to separate data from the subject. A solution for this may be using a reference ID for someone’s data rather than their name while storing their information.

Companies should have a whole other database of names and their corresponding reference ID on a totally separate system to later make sense of the data.

In the advent of this regulation, it’s a given that controllers and processors must review all privacy notices, statements, and internal data policies to ensure compliance.

Of course, if a controller works with third-party processors (like VBOUT for instance), they must make sure that these processors intend to respect changes in regulation as well. On the other end, processors should look at what modifications will be required to their customer contracts as well.

First, GDPR requires that organizations have a suitable process in place, in the event of a data breach.

The GDPR introduces a duty on all organizations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.

Depending on how the breach actually occurred, and it’s overall severity, you have a legal obligation to report the data breach within a maximum of 72 hours! Certainly, all organizations have to make sure that their staff understands what constitutes a data breach, and that this is more than a loss of personal data.

It is important to note that the fines have increased dramatically under GDPR. Non-compliance with GDPR can result in 4% of the organization’s annual turnover and can be up to 20 million Euros (whichever is higher)!

Identify all your active data processors. For each data processor, take note of these following questions:

• Why are you using the data?
• Where is the data stored?
• Do you need this data?

Verify the privacy policy of each of your data processors, this will give you an indication as to whether they are GDPR compliant (U.S.-based processors should be compliant under Privacy Shield).

It’s rare that you will come across a data processor that isn’t compliant and has no plans to be by the deadline. If this does happen, it is recommended that you replace them as soon as you can. You will be within your rights to ask your current processor for a copy of your data, and then delete their copy of it as well.

Keep in mind here that holding data opens you up to liability. Unless you deem it necessary to keep the data, it’s ideal to delete it.

All controllers and/or processors must be able to demonstrate compliance to their local authority through a data protection officer (DPO). Processes should be recorded and put up for review regularly– and employees should be trained and operational measures should be adapted in order to demonstrate this compliance.

The DPO or other experts should be responsible for monitoring your organization’s compliance with GDPR rules.

However, this only applies to organizations that process large amounts of personal data, whether that be employees’ information or individuals outside of the company.

DPO can either be a trained employee designated by data controller organization or an outsourced professional.

Our role as a stakeholder in these new regulations is as a data processor. The services we provide to our clients (the controller) presents us with our own set of responsibilities; including keeping personal data secure from unauthorized access, disclosure, destruction or accidental loss.

In this framework, VBOUT has put all efforts needed and guide its client toward the compliance with GDPR.

GDPR will undeniably benefit both the company and the user. Regulatory compliance will enable companies to prove that they are trustworthy, whereas the individual’s personal data will be further protected. It may seem like processors and controllers alike will bear the burden of complying with these rules, but fundamentally, GDPR functions as a guidebook on how to have a healthier, more transparent relationship with their customers!

At VBOUT, our team worked hard to implement all the requirements stipulated in the new regulations. We have the utmost respect for our all of users’ privacy, from our clients to their end users, and we are committed to keeping it that way!

Disclaimer: This document is not an authority on EU data privacy, nor is it a sufficient substitute for professional legal counsel for your company to use in pursuing compliance with GDPR. Our intention in producing this article is to give you a topographical understanding of the regulatory changes. As such, we insist that you consult legal counsel for further advice on how to adapt your business practices for these regulations.