Only a few days remain until the EU-wide GDPR (General Data Protection Regulation) comes into force on 25 May 2018. The GDPR concerns every company that processes personal data of EU residents. From the end of May this year, companies that have so far managed to ignore the topic risk a lawyer's letter or worse: the new regulation provides for fines in the millions. What can those responsible do now to prevent this?
Before anything else: don't panic. The GDPR continues to allow the processing of personal data. What the EU regulation essentially does is restate and strengthen the rights of individuals, i.e. the people affected by data processing, within the European Union. Nor is the GDPR entirely new territory: existing data protection laws such as the Danish "Persondataloven (Lov om behandling af Personoplysninger)", the German "Bundesdatenschutzgesetz (BDSG)" and the Swiss "Bundesgesetz über den Datenschutz (DSG)" already cover most of its points. Still, two innovations deserve special attention: the right not to be subject to a decision based solely on automated processing, including profiling (Art. 22), and the right to data portability (Art. 20).
It is not expected that all companies will face heavy fines in the short term. Much of the new regulation has yet to prove itself in practice. Experts anticipate that it will first hit a limited number of prominent companies, and that lawyers, data protection experts and finally the courts will have to work their way through those cases before the rest follow.
Graphic by geralt on Pixabay
No reason for sleepless nights. But now is the time to take immediate action. The following five points can be implemented as first aid measures until the corporate processes have been properly adapted or converted as needed:
1) Create awareness in the management and begin the change in your company structure
The requirements of the GDPR cannot be met as a side task. A team and resources must be provided to run a change process. Explain to management the scope of the task, its significance and the possible consequences, and show where concrete action is needed right now. Make it clear that the GDPR does not call for a single project but for a change in corporate processes: in the future, data protection must be taken into account in every process. Compliance is therefore the responsibility of the business owner and the process owner, not of a "GDPR project owner". It is also mandatory to make all employees aware of the requirements and background of the regulation, so make it clear to management and to the HR department that there is no way around awareness training.
2) Clarify whether you need a data protection officer (DPO)
The new German "Bundesdatenschutzgesetz (BDSG-neu)", the result of adapting the older BDSG to the GDPR, is explicit: § 38 prescribes a DPO whenever at least ten persons are regularly engaged in the automated processing of personal data (which includes the daily use of an email application like Outlook). Other countries' adaptations of the GDPR to their older data protection legislation, such as the Danish "Databeskyttelsesloven" (currently going through the Danish parliament), as well as the GDPR itself, are vaguer on this point.
As in Germany (e.g. the Gesellschaft für Datenschutz und Datensicherheit GDD e.V. in its "Der Datenschutzbeauftragte nach der Datenschutz-Grundverordnung"), the data protection authorities of all other EU member states either have published or are in the process of publishing clarifying information about the DPO. A very good example is the guidance of the Danish Datatilsynet, "Vejledning om databeskyttelsesrådgivere". At EU level, the Article 29 Data Protection Working Party (a.k.a. "Art 29 WP") clarifies the requirements and role of the DPO in its "Guidelines on Data Protection Officers ('DPOs')". Using an external DPO (popularly called "DPO as a service") is permitted, but it does not relieve you or your company of responsibility.
3) Introduce a data protection management system
You can use specialised tools or set up your own processes with the usual office programs (though the latter will require a lot of additional manual work). Vendors such as Crisam, Neupart, OneTrust and Otris pursue different approaches. A data protection management system helps you record your business processes and processing activities: you use it to determine and document which personal data is processed, which information objects exist, which IT systems are used and where the personal data is eventually transferred to, e.g. possibly to a data processor outside the EU. The records of processing activities (as specified in GDPR Article 30 "Records of processing activities" and in the Danish Datatilsynet's "Vejledning om fortegnelse") provide the transparency needed to determine which processing activities must be adapted to comply with the GDPR. Moreover, the absence of the records of processing activities falls into the GDPR's lower tier of infringements, which is nevertheless punishable by up to two percent of the group's worldwide turnover in the previous year or up to ten million euros, whichever is higher. Many templates for recording processing activities are readily available; worth mentioning are the German Gesellschaft für Datenschutz und Datensicherheit GDD e.V.'s "Vorlage Verzeichnis von Verarbeitungstätigkeiten" and the English templates of the Information Commissioner's Office (ICO), "Documentation of processing activities".
4) Focus on the processing activities with external impact
This applies to all points of contact with external persons, such as newsletters, website forms or comment fields, and to contact with applicants, interested parties, prospects etc. You must, however, also pay special attention to processing activities that handle sensitive personal data, as is the case in the HR department. The special categories of personal data described in GDPR Article 9 "Processing of special categories of personal data" include racial or ethnic origin, religious or philosophical beliefs, health data (including mental or physical impairments) and trade-union membership. GDPR Articles 13 and 14 regulate your obligations to inform those affected ("data subjects"), including what happens to their personal data and what rights they have. Non-compliance with these information obligations falls into the GDPR's upper tier of infringements, fined by up to four percent of the group's worldwide turnover in the previous year or up to twenty million euros, whichever is higher. Once you have determined the data and the related processing activities, you assess how well the rights of the data subjects are protected. If you have already documented your processing activities, e.g. in an Information Security Management System (ISMS), you have already gained time here. Your company website(s) are affected by the GDPR only to a certain degree, but since a new ePrivacy regulation is expected to apply from the first quarter of 2019, you should, if you are not already working on compliance with that, at least make sure that your data protection/privacy statement is up to date.
5) Secure the processing activities that involve the processing of data by third parties
This could, for example, be the case with a provider of CRM services. Templates for a Data Processing Agreement (DPA) are available from the Danish Datatilsynet both in English and in Danish ("skabelon for Standard-databehandleraftale"). Another template, from the German Gesellschaft für Datenschutz und Datensicherheit GDD e.V., is available in its "Vorlagen für die „Auftragsdatenverarbeitung"".
What about Austria, Denmark and Switzerland?
Austria, Denmark and all other EU member states are equally affected by the GDPR. Switzerland, which is a member of neither the EU nor the European Economic Area (EEA), must show that its data protection laws and its level of data protection at least correspond to those in the EU in order to retain its adequacy status. For this reason, the Swiss Data Protection Act is being completely revised and is expected to adopt large parts of the GDPR. This "small GDPR" is intended to meet the requirement of an equivalent level of data protection. The GDPR applies to all companies offering goods or services to persons in the EU, or which process personal data for the purpose of analysing the behaviour of persons resident in the EU.
Do I need to set up a portal for the persons concerned?
Not necessarily. The GDPR does not specify the form in which you fulfil the rights of data subjects, so you are free to do so via a portal, on request, or however else you want to design it. It is sufficient if the customer/data subject is given the contact details of the DPO or a data protection coordinator along with every consent.
Last but not least, a little consolation for all those who have not yet dealt with the GDPR and who risk a lawyer's letter: 25 May 2018 is a Friday, and until Monday 28 May no postal mail goes out. You have thus gained three days to implement these five last-minute tips for the GDPR.