The General Data Protection Regulation protects individuals in terms of the handling of their personal data and the free circulation of this data.
The new EU regulation came into force on 25th May 2016 and compliance is obligatory for any company which does business in the European Union. Non-compliance with the GDPR can result in fines of up to 20 million euros.
The most significant new changes in the GDPR cover two general concepts:
The Principle of Proactive Responsibility
The GDPR describes this principle as the need for the entity responsible for processing personal data to apply the appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the handling of this data complies with the regulation.
It demands a conscientious, diligent and proactive attitude by organisations: they are obliged to analyse what data they handle and for what purpose they process this data, to apply the necessary operations for appropriate data processing and to demonstrate what these are to interested parties and to the supervising authorities.
The Focus of Risk
The GDPR indicates that some of the measures stipulated will only be applied when there is a high risk of infringing upon the individual’s rights and liberties, while others must be adapted according to the level and type of risk that the processing of this data represents. In other words, what might be suitable for a large organisation might not be necessary for a small company; the difference lies in the volume and type of data being processed.
Some of the key factors for ensuring compliance with the GDPR are:
1- Registering the Data Handling Activities
The GDPR demands a record which describes, among other aspects, what data is gathered, for what purpose it is processed, to whom the data is communicated, whether it is transferred to countries outside the EU, when it can be deleted, and what technical and organisational measures are being applied to ensure data security.
In addition to being an obligation for those responsible for data processing, keeping these records serves as proof of consent under the GDPR and as a means of accrediting compliance with the regulation.
2- Requesting Explicit Consent
Until now most companies and professionals implicitly understood that they had the consent of interested parties for the handling of their personal data. It was usual practice to include informative texts in shared documentation but there was no unequivocal acceptance of the terms and conditions of personal data management.
The new regulation obliges businesses to resolve this matter by obtaining prior explicit consent from individuals to process their personal data. Moreover, the requirements have been expanded because it is now necessary to ensure that the data subject is aware of the terms and conditions governing the processing of their personal data and the scope of these operations.
3- Providing Clear and Simple Information
The regulation specifies that the entity responsible for data processing must take appropriate measures to ensure that the data subjects comprehend the information regarding its handling. As such, it stipulates that this information must be easily accessible and has to be presented in a concise, transparent and intelligible manner using clear and simple language.
Consequently, businesses must review the texts and informative messages used in their data gathering processes (paper documents, website forms, contracts, deeds, etc.) to adapt them to the new GDPR requirements.
4- Creating Procedures Which Guarantee the New Rights Covered by the GDPR
In addition to the traditional existing rights regarding data protection – the rights to access, rectification, objection and restriction – there are three new rights:
- The right to data portability: this refers to the right to transfer personal data from one party responsible for its processing to another, unless any objection is presented by the first party;
- The right to limit the processing: the data subject can demand a limited use of their data;
- The right to be forgotten: the interested party has the right to demand that the data processing organisation delete their personal data without unjustifiable delay.
Therefore, organisations must ensure that efficient processes are in place to preserve these new rights.
5- Evaluating the Impact of the Data When the Risks Are Especially High
This assessment is recommended when there is a chance that a particular type of data processing implies a high risk of infringing upon the rights and liberties of individuals, for instance when new technologies are being used. In this case, before any data is processed the organisation should evaluate the impact of its data handling.
At the very least, this assessment must include a systematic description of the data handling operations and of the necessity and proportionality of the operations in terms of their purpose, an evaluation of the risks and an explanation of what measures are in place to address these risks.
6- Selecting Suppliers Who Offer Guarantees
If companies have opted to outsource their data processing or they use cloud services which involve personal data management, they must ensure that the suppliers – whom the GDPR refers to as data controllers – guarantee the application of the appropriate technical and organisational measures so that the data processing complies with the requisites of the regulation.
The data controller will be held to this obligation by means of a contract or other legal act which states that they will only handle the data following instructions documented by the organisation responsible for the data. It must also stipulate that they will ensure that the persons authorised to process personal data undertake to respect the necessary confidentiality.
At Nakima we are experts in auditing GDPR compliance and we provide the necessary tools to adapt to its requirements. If you would like more information on this matter, please don’t hesitate to contact us.