On the 25th of May 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) will come into force. It was adopted more than two years ago, on the 27th of April 2016 but gave EU companies two years to prepare for compliance. The GDPR is an EU legal document which aims to protect the personal data of EU citizens. Although not the first of its kind, the GDPR is the most comprehensive legal document dealing with personal data and privacy. It will be enforceable in all EU member states, but perhaps the most astonishing part is that even non-EU companies that process data of EU citizens will have to comply. So this includes foreign companies all around the world.
Given the two year transition period that the EU gave companies, one can logically assume that the GDPR is a big deal. The fines for non-compliance are high and strict, companies can be fined up to 4% of their annual global turnover for breaching the GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements, e.g., not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
Seeing that the GDPR will be a game changers for companies that process EU citizen’s personal data, and seeing how little time there is left to comply with the GDPR, companies will need to start working on taking the necessary steps to prove compliance with the GDPR. In order to prove compliance a company needs to have all the necessary documents in force, we will go through the necessary legal documents or also known as policies that your company needs to draft to help you be compliant with the GDPR.
Necessary Policies
There are in fact quite a few policies that a company needs to draft to be compliant with the GDPR. These are some that the EU General Data Protection Regulation Documentation Toolkit lists:
Data protection policy
Training policy
Information security policy
DPIA procedure
Retention of records procedure
Subject access request form and procedure
Privacy procedure
International data transfer procedure
Data portability procedure
DPO job description
Complaints procedure
Audit checklist for compliance
Privacy notice
We will address only five of the most important ones, that we believe a company needs to start drafting as soon as possible, not only to be compliant with the GDPR but also to understand more on where they stand in terms of GDPR compliance, so they know where they need to improve to be GDPR compliant as soon as possible.
1. Employee Data Protection Agreement (EDPA)
The EDPA, is an internal document that should be sent to all the employees in the company. It must serve as an informative document, informing employees of the GDPR and everything important related to it. Such as informing themabout the legal documents in power, such as the GDPR, national Data Protection Law and other important legal documents; provide employees with contact information of the Data Protection Officer and National Data Protection Authority; inform them what personal data we need to process to be able to provide our services and what personal data we need not to process; about sensitive personal data; about the procedures in case there is a data breach; instructions on how to minimize the chances of data leaks such as: create a strong password, use a VPN, participate in privacy trainings etc. and many other important details. In the end the employee should sign the EDPA, to prove they have understood their duties to protect their user’s personal data and be careful with the digital devices they use which are used to process personal data.
2. Privacy Impact Assessment (PIA)
A PIA is a process which assists organisations in identifying and minimising the privacy risks of new projects or policies. PIA is not strictly defined, it can be any plan or proposal in an organisation, and does not need to meet an organisation’s formal or technical definition of a project, for example set out in a project management methodology. It is important that a PIA should tackle both physical and non-physical security threats.Although a PIA is not mandatory, it is considered to be perhaps the most helpful tool to determine where the company falls short in GDPR compliance, conducting a PIA could help the company establish what it needs to improve, and how it can improve. A PIA could save a lot of money, time and energy in the long run for the company.
According to the Information Commissioner’s Office a PIA should incorporate the following steps:
1. Identify the need for a PIA;
2. Describe the information flows;
3. Identify the privacy and related risks;
4. Identify and evaluate the privacy solutions;
5. Sign off and record the PIA outcomes;
6. Integrate the outcomes into the project plan; and
7. Consult with internal and external stakeholders as needed throughout the process.
3. Privacy Policy
A privacy policy is a legal document that explains to data subjects how and why their data is collected, how it is used and how data subjects can request to update it or remove it.
Although this policy is already the norm, most serious companies that process data have a privacy policy, which is usually found at the footer of the website. However, now after the implementation of the GDPR, it is mandatory for all companies that process EU citizen’s personal data to have a privacy policy. This is because a privacy policy is used to fulfil the transparency and consent requirements. Even companies that already have a privacy policy in place will need to update it. The GDPR requires that documents that ask for users consent, must be short and written in clear and simple language, not legal jargon so that users can easily understand it. The privacy policy must also contain the data subject’s rights, an opt-out option, contact information of the Data Protection Officer, clearly state what information is collected and for what reasons, what information will be anonymized, what measures are in place to ensure users data will be protected etc.
4. Subject Access Request (SAR)
SAR is the right of a data subject guaranteed by the GDPR, which makes it possible for them to request information from the company which is processing their data.
According to ICO a user who has requested a SAR is entitled to the following information:
told whether any personal data is being processed;
given a description of the personal data, the reasons it is being processed, and whether it will be given to any other organisations or people;
given a copy of the information comprising the data; and given details of the source of the data (where this is available).
An individual can also request information about the reasoning behind any automated decisions, such as a computer-generated decision to grant or deny credit. In most cases you must respond to a subject access request promptly and in any event within 40 calendar days of receiving it, but can be further extended if necessary. There is not universal SAR template/form, data subjects can request SAR in various ways as long as it is in written, whether it is by fax, e-mail, mail or any other form.
5. Data Breach Notification Policy
A data breach is when personal data of ones customers is accessed by unauthorized persons, and then this data is processed whether it is altered, deleted, stolen etc. In the case of a data breach, the company is obliged under article 33 and 34 of the GDPR, to inform its supervisory authority, the controller and the data subject affected by the breach, this all should be done in less than 72 hours from the moment the company is aware of the data breach. Similar to the others this one should be put in written and be offered to data subjects, so that they will be informed what the procedure is in case there is a data breach.
The data breach notification addressed to the data protection authority should include the following information:
contact details of the Data Protection Officer or other contact person,
information regarding the categories and approximate number of data subjects and personal data records concerned,
a description of the nature of the breach,
likely consequences of the breach, and
measures the organization has taken or proposes to take to address the breach.
Whereas the data breach notification forwarded to the data subject rights should include:
contact details of the Data Protection Officer or other contact person,
a description of the nature of the breach,
likely consequences of the breach,
measures the organization has taken or proposes to take to address the breach, and
advice on steps data subjects can take to protect themselves.
Concluding Remarks
With the GDPR coming into force in about one month, companies need to step up their game and make sure they are compliant with it. A good stepping stone would be to prepare the above-mentioned documents. Those would help the company identify where they stand in terms of compliance but also tick some of the checkboxes. However, its important to note that these are just some of the necessary documents that companies need to have in place, there are also other documents that need to be drafted some of them we listed in the “Necessary Policies” part in the beginning. Besides policies companies also need to take other steps, however this is already a good start.
As mentioned above it is important that the documents provided, especially the ones for data subjects must be of a plain language and short enough so that readers will have it easy to read and understand them. Also companies should make sure these documents are up to date with, and must inform their users if there are any serious changes as they need their customers consent.
[1] Article 83: “General conditions for imposing administrative fines” of the GDPR.
[2]This is a comprehensive, considered a market-leading toolkit used by many organisations worldwide.
[3]Conductingprivacy impactassessmentscode of practice.
[4]ICO- Subject access request
[5]C.Pearson and X. Zhu, “Notification of data breaches under the GDPR – 10 Frequently Asked Questions”
https://www.clearycyberwatch.com/2018/01/notification-data-breaches-gdpr-10-frequently-asked-questions/
Comments