What does GDPR compliance mean? How can you make sure you are compliant, and take the necessary steps as an organization, if you do not even understand what it is you need to achieve? There is a lot of buzz around this topic in the blogosphere, and there is a reason for it: this important new EU-wide regulation applies from 25 May 2018. It is time for companies to start taking this “buzz” seriously and find their path through it.
Why is this relevant? Because in the end, the GDPR focuses on the protection of personal data and not just the privacy of personal data.
Why should companies take this step? The possible huge fines? The moral ideas behind the regulation? The fact that their customers may lose trust in them, damaging their reputation and even their revenue? Let’s assume that some or all of these are sufficient reasons for a company to realize it is time to do something, and that it wants to. Now let’s see how compliance is defined in relation to data protection:
“According to Merriam-Webster, compliance is defined as:
- The act or process of complying to a desire, demand, proposal, or regimen or to coercion.
- Conformity in fulfilling official requirements.
- A disposition to yield to others.
- The ability of an object to yield elastically when a force is applied.”
Here we will focus on definition number 2, which can serve as a starting point. The first question an organization should try to answer from this definition is: “what are the requirements I need to fulfil to achieve compliance?”.
To answer that question, an organization first needs to identify its role in the processing of personal data of EU residents. Different requirements apply to different roles:
- Data controllers – The natural or legal person, public authority, agency or other body that, alone or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are determined by the laws of the European Union or an EU Member State, the controller or the specific criteria for its nomination may be provided for by the laws of the European Union or the EU Member State. (Article 4 (7), GDPR)
- Data processors – A natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. (Article 4 (8), GDPR)
- Third parties – A natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data. (Article 4 (10), GDPR). Note that the GDPR does not define a “sub-processor” as such: a processor that engages another processor to carry out processing on the controller’s behalf is covered by Article 28 (2) and (4), which require the controller’s prior authorisation and flow the same data protection obligations down to the engaged processor.
Having established this, it needs to be stressed that complying with the GDPR “…requires both organizational and technological measures…” (the regulation itself, in Article 24, speaks of “appropriate technical and organisational measures”). As Dana Louise Simberkoff says in her article: “Aside from legal and statutory requirements, we must also understand how policies relate to operational practices, people and technologies within our organizations in order to be truly effective.” She goes further than this and presents a model to address the challenge, in which a combination of education, monitoring and enforcement is key.
Education makes perfect sense. Without an educated organization, the chances of succeeding at protecting personal data are low and it will be a bumpy ride. Employees need to be made aware of the policies they must follow when handling personal and sensitive data.
Where is all my data coming from? What requirements apply to that type of personal data? Do I have a legal basis to collect it (Article 6 lists six, of which consent is only one)? If I rely on consent, did the data subject actually give it? Where do I store the data? How do I process it? These are all valid questions that need to be taken into account. Multiple organisations may be involved in this process, and they may be subject to different requirements. Working clearly across teams, departments, businesses, suppliers and partners with different areas of expertise is of high importance, and digital collaboration is going to be vital to meeting all GDPR obligations.
Once the first step, education, has been taken, monitoring needs to go hand in hand with it. It is not sufficient to give instructions; you need to follow up and verify that they are implemented, and implemented in the right way. This is not a subject to be taken lightly: organizations need to understand the legal basis on which they control and/or process data and implement the specific requirements of the GDPR, which are many and varied.
Organisations also need to determine whether the right level of protection is applied to the data being collected, regardless of the source. They need to ask questions like: are my employees implementing the requirements we established? And am I sending personal and/or sensitive data to unsafe destinations, for example to recipients outside the EU without the safeguards that Chapter V of the GDPR requires for such transfers? Constant attention to these processes is needed. Understanding these (quite a few) new concepts cannot be expected to happen overnight, especially when there is not yet a perfect recipe for success.
Enforcement means applying the requirements in a controlled way. It starts from a central point where understanding the rights of data subjects, as set out in the GDPR, is of the utmost importance. Understanding the concepts and then translating them into technical implementations and organizational processes is the test companies need to pass. Data protection by design and by default (Article 25) needs to be built into the solutions that will be used.
But it does not end here. Everything needs to be recorded: who did what, when and where? The GDPR makes the controller responsible for being able to demonstrate compliance (the accountability principle, Article 5 (2)) and requires records of processing activities (Article 30), so that evidence has to exist before anyone asks for it.
As an organization, can you easily answer all these questions in order to be GDPR compliant? Who are you working with and are they also in line with all necessary requirements and obligations? Are all your employees ready for these big steps? Are your customers trusting you with their personal and sensitive data?
In summary, these measures to fulfil requirements will have no importance if they are not centred around the rights of the data subject that the GDPR exists to protect (Chapter III), among them:
- The right to rectification of personal data (Article 16)
- The right to erasure of personal data (“right to be forgotten”, Article 17)
- The right to restrict further processing of personal data (“restriction”, Article 18)
- The right to transfer data (“data portability”, Article 20)
- The right to be informed of a personal data breach that is likely to result in a high risk to them (Article 34)
If you can honour all of these rights and demonstrate that you do so each and every day, then you will be truly GDPR compliant.