Published on May 16, 2018

James Strickland, CTO at PeopleGoal

GDPR Compliance Requirements

Use our GDPR checklist to ensure you're meeting your GDPR requirements.

The General Data Protection Regulation implementation date is set for 25th of May 2018, and almost every company based in the EU or operating in the EU has been putting a lot of effort into demonstrating GDPR compliance. Unfortunately, the GDPR requirements can be interpreted in many ways, and many companies seem to be struggling to understand what is required of them to achieve GDPR compliance.

This post provides background on the GDPR and the things you need to be aware of in order to demonstrate GDPR compliance.

Regulation Background

The General Data Protection Regulation will be effective from 25th of May 2018 and its main purpose is to regulate the use of personal data within the EU.

The new regulation replaces the Data Protection Directive (1995 - Directive 95/46/EC). The final text for the new legislation was adopted on 14th of March 2016. A detailed timeline of the events can be found here: GDPR Timeline of Events.

GDPR Summary

The GDPR highlights two key parties to which the new regulation applies:

  • Controllers: A controller determines the purposes and means of processing personal data
  • Processors: A processor is responsible for processing personal data on behalf of a controller

If you are a processor, you are obliged to maintain records of the personal data you hold and of your processing tasks, and you carry responsibility in the case of a breach.

If you are a controller, using a processor does not relieve you of your obligations. The GDPR places requirements on controllers to ensure that their contracts/agreements with processors are GDPR compliant.

The new regulation is applicable to companies operating within the EU and to companies that offer services to individuals in the EU.

GDPR Checklist

We have put together some high-level guidelines on how to prepare for GDPR compliance. They are aligned with the guidelines provided by the Information Commissioner's Office (ICO):

  • Assessment: To begin with, you will have to identify the GDPR's impact on your area of business and the potential compliance issues that may arise.

  • Documentation of information you hold: You will have to document what kind of personal data you hold. You will have to identify the source of the data, how the data is used and whether it is shared with third parties. Specifically, the new regulation requires that you maintain clear records of all of your processing activities. The GDPR's accountability principle states that organisations should be able to show how they comply with the data protection principles, and document the types of personal data they hold and how they process the data. More details can be found here: ICO: Accountability and Governance.

  • Privacy policy review and updates: You will have to revisit your privacy policy and make changes to reflect what the new regulation requires. Your privacy policy should clearly cover how you intend to use personal data and the retention period before deletion. When updating your policy you should consider the following:

    • What information is being collected?
    • Who is collecting it?
    • How is it collected?
    • Why is it being collected?
    • How will it be used?
    • Who will it be shared with?
    • What will be the effect of this on the individuals concerned?
    • Is the intended use likely to cause individuals to object or complain?
    • More details on how to update your privacy policy can be found here: ICO: Guide to Data Protection.
  • Rights of individuals. Under the GDPR, individuals have the following rights:

    • The right to be informed. Individuals have the right to be informed about the gathering, usage and retention period of their data. If the data is enriched with information from other sources, the individuals should be notified. All the information provided to people should be clear, concise and transparent.
    • The right of access. Individuals have the right to access their personal data, and once they request access you have 30 days to respond.
    • The right to rectification. Individuals can request that inaccurate data be rectified, and once the request is made you have 30 days to respond.
    • The right to erasure. Individuals have the right to request data erasure. Once the request is made you have 30 days to respond.
    • The right to restrict processing. Individuals have the right to request a restriction on the processing of their personal data. The response time to the request is 30 days.
    • The right to data portability. Individuals have the right to transfer their data from one IT system to another, as it relates to information the user has given to a controller.
    • The right to object. In some cases the GDPR gives individuals the right to object to the processing of their personal data.
    • Rights related to automated decision making including profiling. The GDPR has specific provisions when it comes to automated decision making and user profiling. Specific authorisations should be in place in order to execute automated activities, and information should be given to individuals about the processing.
    • More details about individuals' rights can be found here: ICO: Rights Related to Automated Decision Making.
  • Accountability and Governance. This area highlights changes and measures required to be in place in order to achieve GDPR compliance. For example:

    • Implementation of data protection policies
    • Documentation of processing activities
    • Completing internal audits on data security and protection
    • Data security enhancements
    • More details on accountability and governance can be found here: [ICO: Accountability and Governance](https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/ "ICO: Accountability and Governance").
  • Consent. This area is about giving individuals the choice to decide how their personal data will be processed and used. Clear guidelines should be created and used to obtain consent from individuals. In addition, a clear process for individuals should be in place to revoke consent at a later stage if required.

  • Minors and children. The GDPR introduces special protection for children's personal data. Every company is required to put in place processes to identify an individual's age and to obtain parental or guardian consent for any data processing activity.

  • Data Breaches. Every company should have in place procedures to detect, report and investigate data breaches.

  • Data protection impact assessments. A Data Protection Impact Assessment (DPIA) should be completed if data processing may result in a high risk of compromising personal data. The ICO has put together some checklists that can help you decide when to complete a DPIA. These can be found here: ICO: DPIA.

  • Data protection officers. A data protection officer (DPO) should be appointed if you are conducting processing activities. The role of the DPO is to:

    • Monitor internal compliance
    • Advise on data protection obligations
    • Conduct data protection impact assessments
    • Act as a contact point for individuals and the supervisory authority
    • A data protection officer can be an existing employee and should have some education / awareness of data protection policies
  • International transfers. If a company operates in more than one EU country, it should determine its lead data protection supervisory authority and document it. Guidance on how to identify your lead data protection supervisory authority can be found here: EU: Article 29.

GDPR Fines

The supervisory authority in each EU country will be responsible for imposing fines for non-compliance with the GDPR. A company will be subject to administrative fines of up to 20 million euros or 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

GDPR & Brexit

The UK government has said that it will implement the GDPR legislation, and the UK's commitment to the GDPR was part of the Queen's Speech in 2017. As the UK is still part of the EU, the GDPR is effective for all companies operating in the UK or those with data subjects in the UK.

GDPR Resources

Some useful material on GDPR can be found here:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance).
  • The official text of Regulation (EU) 2016/679 (General Data Protection Regulation), presented as a neatly arranged website.
  • Guide to the GDPR: explains the provisions of the GDPR to help organisations comply with its requirements.