The complete guide to preparing for the GDPR
The EU General Data Protection Regulation (GDPR) requires companies to ensure the security and privacy of the personal data of EU residents. The GDPR comes into force on May 25, 2018, and replaces the current personal data protection laws of the European countries.
Companies that need to prepare for the GDPR
Besides introducing strict requirements for the processing of user personal data, the regulation applies extraterritorially: every organization that works with the personal data of EU individuals has to comply with the GDPR.
Otherwise, such organizations won’t be able to compete with other companies and will face huge fines for violations of the GDPR requirements. The following companies have to comply with the GDPR:
- companies that sell goods or services to consumers from the EU (meaning the location, not necessarily EU citizens)
- companies that analyze the behavior of users located in European countries (again, their actual location is what matters)
- permanent representatives of non-European companies operating in the EU
Thus, the regulation will affect even those organizations that have no presence in the EU, but store, collect, and/or process user personal data. These are financial companies, IT, media, and telecom companies, logistics companies, online stores, hotels, and a lot more.
Consequences of the GDPR violation
The GDPR provides for huge fines for violations of its requirements – up to 20 million euros! An administrative fine of up to 20 million euros or up to 4% of the total annual worldwide turnover for the previous financial year is due if your company:
- incorrectly obtained a user consent to the processing of personal data
- violated the rights of the individuals whose personal data has been processed
- collected more user information than the minimum required to deliver its services
- violated other important rules of the regulation
Fines for less significant violations are also huge. If your company processes personal data with non-compliant software, hasn’t properly formalized its agreements, or lacks records of its personal data processing activities, you’ll have to pay a fine of up to 10 million euros or up to 2% of the company’s total annual turnover for the previous financial year.
Preparing for the GDPR
1. Collect only those personal data that you really need
The regulation asks companies and organizations to collect only the user personal data that they actually need to provide their services.
For example, an online store that sells goods in Europe needs information such as banking details for remote payments and the customer’s name and address for delivering the purchase. However, it doesn’t need information about age, job position, or relationship status.
In order to collect other personal data that is not directly related to the company’s services (gender, profession, contacts, etc.), you have to obtain a specific user consent or demonstrate in the contract why it is necessary to process such data.
A separate consent is required if you’re going to collect and/or process sensitive personal data such as racial or ethnic origin, sexual orientation, political and religious views, and so on. In practice, such data is most often used for contextual advertising and customer profiling.
2. Make sure you have a consent to process user data
To process user data, you’ll have to obtain the user’s consent in advance. Make the text of the consent very clear and indicate how the information will be processed, for which purpose and by whom, and to which country it will be transmitted.
Note that consent to the processing of personal data is invalid if the user had no real choice or wasn’t able to withdraw the consent without detriment to themselves. Also, if the user has agreed to the processing of their personal data, the controller must be able to demonstrate this.
An important point to keep in mind is that silence or inactivity no longer counts as user consent (for instance, the user must tick the “receive newsletter” box themselves), so exclude any method that obtains consent by default.
However, you won’t need a special user consent if you request only the minimum data needed to provide your services, e.g., the customer’s name, address, and phone number, as in the online store example described above.
In practical terms, you should build a user-friendly interface that asks users for their consent to data collection and processing and clearly describes their rights. Here at Smartym, we have already developed such a solution; write to us to learn more (firstname.lastname@example.org)!
3. Document the whole process of personal data processing in the company
You should always be prepared to prove that you meet all the requirements of the GDPR. Note that the regulation explicitly states that actual compliance alone isn’t enough, so make sure you have all the necessary documents confirming it in written form. First and foremost, you need the following documents:
- the policy of personal data processing
- internal rules and procedures of working with personal data
- personal data registers
- records of personal data processing activities
Thus, you should document all the user personal data you hold, including the sources it came from and all data processing activities. Create and maintain a user personal data register and keep a record of the user’s location, the responsible file owner, the information sensitivity level, the data storage period, and data availability.
4. Make sure that all contracting companies meet the GDPR requirements
Even if a company has no presence in the EU but collects or processes personal data of EU individuals, or provides the main organization with services (e.g., supplies hardware), it falls under the GDPR.
This means that organizations processing the personal data of Europeans in Belarus for online sales, for example airlines, hotels, and online stores, fall within the ambit of the GDPR and must comply with the new European rules of personal data processing.
As the GDPR covers all businesses dealing, even indirectly, with EU citizens, you should verify that the entire chain of contracting companies complies with the GDPR requirements.
Conclude a special agreement with your corporate contractors and make sure that similar agreements are concluded between all of the contracting companies. Also, note that the main company has to give written consent for the involvement of such contractors.
5. Ensure that the software also complies with the GDPR requirements
The GDPR introduces two key principles that companies have to follow to make sure their software complies with the regulation, namely “privacy by design” and “privacy by default”.
“Privacy by design” means that you should take care of privacy from the initial stages of the software development process, even before the first personal information arrives in the system.
Take the following measures to ensure data security and privacy:
- implement cryptographic protection of user personal data to prevent unauthorized access to it.
- depersonalize (pseudonymize) user data: store the data that can be used to identify a person separately from the additional information related to that person. For example, a person’s name should be stored separately from their activity history, so that a leak of the activity data does not reveal whom those actions belong to.
“Privacy by default” means that users should always be provided with the highest level of privacy settings by default. If a user changes nothing in the settings, that highest level should remain in place.
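As an added illustration of the separate-storage measure above (example code written for this guide, not Smartym’s solution), the identifying data and the activity history live in two stores linked only by a keyed pseudonym; the key name, the two store classes and the sample user are assumptions, and the HMAC key is generated in-process so the example runs offline:

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Hypothetical per-deployment secret, generated here for the example.
# In a real system it lives in a key store, separate from both databases.
PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonym(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC: the pseudonym cannot be rebuilt from the user id without the key."""
    return hmac.new(key, user_id.encode(), hashlib.sha256).hexdigest()[:16]


class IdentityVault:
    """Separate, access-restricted store for the data that identifies a person."""

    def __init__(self) -> None:
        self._by_pseudonym: dict = {}

    def register(self, user_id: str, name: str, email: str) -> str:
        p = pseudonym(user_id)
        self._by_pseudonym[p] = {"name": name, "email": email}
        return p

    def lookup(self, p: str) -> dict:
        return self._by_pseudonym[p]  # raises KeyError once the entry is erased

    def erase(self, p: str) -> None:
        self._by_pseudonym.pop(p, None)


class ActivityStore:
    """Activity history keyed only by pseudonym; it holds no direct identifiers."""

    def __init__(self) -> None:
        self._events: list = []

    def record(self, p: str, action: str) -> None:
        self._events.append({"subject": p, "action": action})

    def events_for(self, p: str) -> list:
        return [e["action"] for e in self._events if e["subject"] == p]


def reidentify(vault: IdentityVault, store: ActivityStore, p: str) -> Optional[dict]:
    """Join activity back to a person; only possible while the vault entry exists."""
    try:
        person = vault.lookup(p)
    except KeyError:
        return None  # vault entry erased: the history alone is anonymous
    return {**person, "actions": store.events_for(p)}
```

A leak of the activity store alone exposes only pseudonyms and actions, and erasing the vault entry (the right to erasure) leaves the retained history without a person behind it.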
6. Appoint a company representative in EU (if necessary)
In general, if a foreign company (one not established in the European Union) processes the personal data of EU users, it has to appoint an official representative in the EU who will be responsible for compliance with the regulation.
In some cases, it will be possible to select an EU member country whose supervisory authority will monitor the personal data processing activities and issue fines in the event of a violation of the rules.
However, there are some exceptions for organizations that:
- don’t work with sensitive personal data
- irregularly process user personal data
- don’t pose risk to rights of individuals related to the use of their personal data.
So, if your company meets these conditions, you won’t have to appoint a representative in the European Union.
7. Appoint a Data protection officer in the company (if necessary)
Another novelty of the GDPR is the position of Data Protection Officer (DPO). From 25 May 2018, some companies will have to designate a DPO, who can be either a corporate employee or a third-party contractor. You have to introduce this position if your company:
- is a public authority (except for courts acting in their judicial capacity)
- processes user personal data in a way that includes regular and systematic monitoring of individuals on a large scale (large social networks, companies working with Big Data, and large marketplaces)
- processes special categories of data (sensitive personal data) on a large scale
The Data Protection Officer is the employee responsible for optimizing the relevant procedures, approving internal policies, keeping records of data processing activities, and ensuring that everything meets the GDPR requirements.
A few words should be said about the monitoring of user behavior. User monitoring may involve tracking EU residents on the Internet and using data processing techniques for user profiling and behavior analysis (e.g., to predict decisions and launch successful advertising campaigns).
The regulation applies to organizations (even those outside the EU) if they monitor or try to influence the behavior of EU residents, to the extent that such behavior takes place in the EU.
8. Notify regulators of any violations within 72 hours after the violation was detected
In case of a GDPR violation, e.g., a personal data leak, companies have to notify the authorities and alert the affected users no later than 72 hours after it was detected. Moreover, in the event of a successful hacker attack, a company will have to pay a serious fine.
The recent news about the hacker attack on Uber is a vivid example of a violation of this rule. Hackers gained access to the personal data of 57 million users and drivers, and this became known only a year later. If the GDPR were already in force, Uber wouldn’t avoid a fine of 4% of its annual turnover.
Here at our company, we focus on delivering a high level of personal data security and privacy. Understanding your business needs and challenges, we’ve developed a solution that helps companies meet the GDPR requirements, and we continue working on others. Click “Get a quote” to get more information!