On May 25, 2018, the EU’s General Data Protection Regulation (GDPR) will be enforced, giving EU citizens more control over their data. This regulation replaces the outdated Data Protection Directive and addresses the rise of social networking sites, cloud computing, and location-based services.
While GDPR is an EU regulation, it will apply to any organization that collects or processes EU citizens’ data, whether that organization is in the EU or not. Organizations that are non-compliant will face heavy fines. The penalty for a single breach could be up to 20 million euros (currently about $24,000,000) or four percent of the company’s global revenue, whichever is larger.
So, how can you make sure your company is GDPR-compliant? Here are the 12 steps that the UK’s ICO recommends taking:
- Awareness
Key people in your organization should be aware of the GDPR changes and identify areas that could cause compliance problems.
- Information you hold
Conduct an information audit and document what personal data you hold, where it came from, and who you share it with. The GDPR requires companies to maintain records of their processing activities. The GDPR also has an accountability principle, which requires that companies be able to show how they comply with the data protection principles.
- Communicating privacy information
Review your current privacy notices and make any necessary changes. Under GDPR, you will also have to explain to people your lawful basis for processing the data, your data retention periods, and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data.
- Individual rights
Make sure your procedures cover individuals’ rights. GDPR includes the following individual rights:
  - the right to be informed;
  - the right of access;
  - the right to rectification;
  - the right to erasure;
  - the right to restrict processing;
  - the right to data portability;
  - the right to object; and
  - the right not to be subject to automated decision-making, including profiling.
- Subject access requests
These are the new rules for handling access requests:
  - In general, you can’t charge for complying with a request.
  - You will have a month to comply (instead of the current 40 days).
  - You can refuse or charge for requests that are considered unfounded or excessive.
  - If you refuse a request, you must tell the individual why. You also need to tell them that they have the right to complain to the supervisory authority and to a judicial remedy, without undue delay and at the latest within a month.
- Lawful basis for processing personal data
Identify the lawful basis for your processing activity, document it, and update your privacy notice explaining it.
- Consent
Review how you seek, record, and manage consent, and whether you need to make any changes.
- Children
Put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity. The GDPR will bring in special protection for children’s personal data, specifically in the context of commercial internet services, such as social networking.
- Data breaches
Put in place procedures to detect, report, and investigate a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments
The GDPR makes privacy by design a legal requirement. It also makes Data Protection Impact Assessments (DPIA) mandatory in certain circumstances. A DPIA is required in situations where data processing is likely to result in high risk to individuals.
Assess the situations where it will be necessary to conduct a DPIA. You should figure out who will do it, who else needs to be involved, and if the process should be run centrally or locally.
- Data Protection Officers
Designate someone to take responsibility for data protection compliance. You might be required to formally designate a Data Protection Officer (DPO) if you are:
  - a public authority (except for courts acting in their judicial capacity);
  - an organization that carries out the regular and systematic monitoring of individuals on a large scale; or
  - an organization that carries out the large-scale processing of special categories of data, such as health records or information about criminal convictions.
- International
If your company operates in more than one EU member state, you should determine your lead data protection supervisory authority and document this.