In our previous article we explained the differences between the previous data protection legislation and the new Regulation (GDPR); in this second installment we will walk you through a few steps to start your GDPR journey. With just 90 days left to go, it is important that every company with customers in the EU focuses on GDPR compliance.
Before going through the steps that need to be implemented, a few concepts need to be clarified:
Processing, as defined by Art. 4 (2) GDPR, encompasses any operation or set of operations carried out on personal data (whether by automated means or not), such as: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In practice almost anything you do with customer data, including simply storing it, counts as processing.
The Controller, according to Art. 4 (7), is the natural or legal person (or other entity such as a public body or agency) which determines the purposes and the means of the processing, i.e. why and how the customer's data will be processed.
The Processor, as defined by Art. 4 (8), is the natural or legal person (or other entity) which processes the customers' personal data on behalf of the controller and on its instructions.
DPA or Data Processing Agreement (not to be confused with a Data Protection Authority, the supervisory authority that enforces the Regulation) is the contract required by Art. 28 (3) between the Controller and the Processor, in which the former provides the latter with instructions on the data processing, including the subject matter, the duration of said processing, the nature and purpose of this processing, the types of personal data that will be processed (for example, name, ID number, address), the categories of data subjects, and the obligations and rights of the Controller and Processor.
[ Disclaimer: keep in mind that this is not binding legal advice and it's just our suggestions on what you should be doing ]
So, what should your first steps towards GDPR compliance be?
1. If your company is located outside the EU and you are processing data of customers residing in the EU (because you offer them goods or services, or monitor their behaviour), your first step should be to designate a representative in the European Union, in accordance with Article 27 of the GDPR. This representative has to be established in one of the Member States in which those customers are located. Art. 27 (2) exempts some cases, such as occasional processing that does not involve sensitive data on a large scale, so check whether the exemption applies before deciding. If your company is located within the EU, then you would skip this step.
2. Next, you should carry out a mapping of the information that the company is processing: this will take time and thoroughness. For this step you need to ask yourself a few questions about the company itself: are you processing data from clients? Are you processing data from members of the company for HR purposes? What kind of information are you processing? Does it include sensitive data (special categories such as health, biometric or political data)? Moreover, do you need this information or could you do without it? In addition, you need to figure out where this information is being stored: is it all in the cloud or do you have hard copies? Do you keep information in spreadsheets or data warehouses? Who has access to it, and how long is it kept? Although this may seem simple enough, the reality is that it will take an extensive amount of time, as it involves going through all the different departments of your organization, analyzing the tools being used by each of them, and recording the information being obtained from customers as well as its purpose. The result of this mapping is also the basis for the record of processing activities that Art. 30 requires most companies to maintain.
3. The next step will be to figure out whether your company is acting as a Controller and whether any other party processes data on your behalf (this other party would then be known as the Processor). Note that being a Controller does not require having a Processor: you are a Controller whenever you decide why and how the data is processed, even if you do all the processing yourself. The Processor can be a person but may also be a company providing a platform or system that you use to keep the data, such as a hosting, CRM, e-mail or payroll provider. If you work together with a Processor, you will need to sign a Data Processing Agreement with them (see above) that binds them to GDPR-compliant handling of the customer's information. Furthermore, if the Processors themselves engage any sub-Processors, they need your prior authorization to do so, and they must in turn sign agreements with the sub-Processors that impose the same obligations (Art. 28 (2) and (4)). A simple inventory of every vendor that touches personal data, with the date its DPA was signed, is the easiest way to keep track of this.
4. One of the main points of GDPR is having a lawful basis for processing the customer's information. Consent is the most visible of the six bases listed in Art. 6 (the others include performance of a contract and legitimate interest), but it is not always the right one; where you do rely on consent, your company should create specialized (meaning tailored to your company) consent forms.
There are a few conditions that this consent form should meet:
- Consent has to be freely given, specific, informed and unambiguous (Art. 4 (11)), which means that this form needs to use simple and understandable language.
- The consent request cannot be bundled up with other terms, nor can it be pre-selected: pre-ticked boxes and silence do not count as consent.
- It has to state what information will be requested and for what purpose it will be processed, and the customer must be able to withdraw consent as easily as it was given (Art. 7 (3)).
- Consent from a parent/guardian has to be obtained for customers under 16 years, although Art. 8 allows Member States to lower this threshold to as low as 13, so check the rule in each country you sell in.
5. The next step will be to design procedures to deal with the different requests - as mentioned in our previous article - from the customers. This means that there should be different procedures in place to deal with access, deletion and rectification requests as well as data portability requests. Creating a clear flow and templates to manage these will make the process a lot easier come May 25th and will help with the one-month limit for responding to these requests (Art. 12 (3); the limit can be extended by a further two months for complex or numerous requests, but the customer must be told within the first month). The data mapping from step 2 is what makes these procedures workable: you cannot answer an access request or erase a record unless you know every system in which the customer's data lives.
6. Aside from obtaining the customer's data, it is important to keep it safe. For this, in accordance with Art. 32 GDPR you should implement technical and organisational measures appropriate to the risk of the processing. These may vary from business to business, ranging from printing policies and physical security at your office to the measures Art. 32 mentions explicitly: pseudonymisation and encryption of personal data, ensuring the confidentiality, integrity, availability and resilience of your systems, being able to restore access to the data after an incident, and regularly testing and evaluating the measures you have in place. No set of controls makes a breach impossible, but a proportionate level of protection reduces both the likelihood of a breach and the harm it can do, and it is also what a supervisory authority will look at when judging whether your company acted diligently.
7. Finally, a very relevant but more complex step would be to come up with a procedure in case of a data breach. Determining who should be contacted first, how, and what technical measures will be taken to stop and remediate the breach are all points that should be addressed in advance. The deadlines are tight: as a Controller you must notify the supervisory authority within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to the affected individuals (Art. 33), and you must inform the affected customers without undue delay when the breach is likely to result in a high risk to them (Art. 34). Processors, in turn, must notify their Controller without undue delay after becoming aware of a breach. Having a system in place for detecting the incident, assessing its risk, documenting it and informing the relevant parties will save a lot of time when it matters.
While these steps may seem overwhelming, following them will surely help set your company on the road to compliance. While some steps are easier (or at least, less time-consuming) than others, taking sufficient time to go through each of them will ensure that you are being diligent in the area of data protection.