ONE MONTH UNTIL THE GDPR IS THE LAW – LOOKING FORWARD TO IT?

GDPR – One month to go!

The EU General Data Protection Regulation (GDPR) becomes enforceable by law on May 25th. It will replace the Data Protection Directive 95/46/EC. The regulation sets out the rules for the processing of personal data and is “intended to contribute to the accomplishment of an area of freedom, security and justice and of an economic union … and to the well-being of natural persons”.

Even though it is a lofty aspiration, businesses and organisations are expected to have the GDPR ingrained in their culture in such a way that it is borne out in practice.  Enforcing it in practice are the data protection authorities of all the Member States of the EU.  Protected by it are all the citizens of the EU.

If, for whatever reason, your organisation has not yet paid any attention to processing personal data in line with the rules of GDPR, this article aims to motivate you to start now, with less than one month to go, by explaining how you may be putting your business as well as those who hand over their personal data at risk.

Once you have a practical understanding of what the GDPR aims to achieve, it will become clear why it is good for your business and why inaction is not an option.

TWO IMPORTANT FACTS ABOUT THE GDPR

The first thing to know about the GDPR is that it is designed to uphold the fundamental rights and freedoms of individuals as granted under EU Charters and treaties – among other rights, all individuals have the right to the protection of their personal data, the right to private and family life, home and communication, freedom of expression and information, the right to a fair trial and an effective remedy.

The second thing to know about the GDPR is that it is a risk-based approach to data protection. You are expected to know what personal data your business collects, uses, stores and shares. You are also expected to assess the impact the processing of this data may have on the lives of the data subjects who provided the data. In other words, what risk or danger do your operations pose to the rights of individuals? The individuals may be your employees, customers, students, the public, etc.

THE CONCEPT OF RISK AS IT APPLIES TO PROCESSING PERSONAL DATA

It is important that personnel in your organisation understand how the collection, use, etc. of personal data may pose a risk to the rights of individuals, and that those individuals have the right to information and to seek a remedy if you breach those rights.

The concept of ‘risk’ as it relates to processing of personal data is explained in GDPR recital 75.

“The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to:

  • physical
  • material or
  • non-material damage,

in particular, where the processing may give rise to:

  • discrimination
  • identity theft or fraud
  • financial loss
  • damage to the reputation
  • loss of confidentiality of personal data protected by professional secrecy
  • unauthorised reversal of pseudonymisation or
  • any other significant economic or social disadvantage;

where data subjects might be deprived of:

  • their rights and freedoms or
  • prevented from exercising control over their personal data;

where personal data are processed which reveal:

  • racial or ethnic origin
  • political opinions
  • religion or philosophical beliefs
  • trade union membership

the processing of:

  • genetic data
  • data concerning health
  • data concerning sex life
  • criminal convictions and offences or
  • related security measures where personal aspects are evaluated,

analysing or predicting aspects concerning:

  • performance at work
  • economic situation
  • health
  • personal preferences or interests
  • reliability or behaviour
  • location or movements
  • in order to create or use personal profiles

where personal data of vulnerable natural persons, in particular of children, are processed; or

where processing involves:

  • a large amount of personal data and
  • affects a large number of data subjects.”

To know whether your business presents any of the above risks, you must have detailed knowledge of what personal data is processed by your business and how. This is the first, and possibly the most challenging, stage of complying with GDPR. It entails gathering information on all personal data the business has in its possession or has outsourced to another. However difficult, it is both a revealing and rewarding exercise, so it is worth thinking about how best to approach this data discovery step. It is explained a little in step 2 of the action plan below.

Now that you understand better why the GDPR makes sense and is here to stay, know also that there is still time to gather a data protection team together and initiate a GDPR compliance plan for your organisation by 25th May. Follow the steps below and you should not feel uneasy if you have a visit from the Data Protection Commissioner on 26th May.

A 10 STEP FAST TRACK APPROACH TO GDPR COMPLIANCE

  1. To be clear on your responsibilities, decide whether your organisation is a controller, a processor, or both (see Article 4 – Definitions).
  2. Audit what personal data streams the organisation has and create records of all processing activities. Sending surveys to all departments asking what personal data they have, who accesses it, why they have it and how long they keep it is one approach.
  3. Review and update current privacy notices on websites and CCTV to ensure you are being transparent regarding what personal data you collect, how you use it, store it and secure it, and who it is shared with.
  4. Create data flow maps that will allow you to track the journey of each type of personal data your organisation collects (for example HR, marketing, sales, CRM system, website inquiries…). See diagram 2, which is an example of a data flow mapping tool developed by Anthony Budd of medium.com. There are numerous mapping tools freely available, some very simple and some not so.
  5. Perform risk assessments on the data maps and identify risk/high-risk areas. See diagram 1 below, which shows how your organisation can process personal data in line with GDPR. Key relevant Articles from the GDPR are mentioned for reference.
  6. To address high-risk areas in your data processes, first review work practices to see how staff are processing data. Next, assess current technical controls to see if they are adequate and proportionate to the risks. If those measures do not reduce risk to an acceptable level for your business, consider employing new technical controls.
  7. Create and/or review key data protection policies and procedures and have staff trained in relevant areas. Senior management needs to agree with and sign off on the policies. For most staff members, training will involve giving an understanding of the data that they will have access to and how a breach may occur.
  8. Plan how the organisation will allow individuals (employees, customers, the public, etc.) to exercise their expanded rights under GDPR (Chapter 3 of the GDPR).
  9. Develop a data breach response programme. How will your organisation report to the supervisory authority, and to affected data subjects if necessary, within 72 hours of first becoming aware of a breach?
  10. Review contracts – the agreements existing between your organisation and organisations it outsources personal data to (for payroll or cloud storage, for example) – and ensure they align with Article 28 requirements.
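Steps 2, 5 and 9 above can be given a concrete shape as a small records-of-processing inventory with a first-pass risk triage. The script below is an added example written for this article; it is not code from MCS Integrated Solutions or from any GDPR tool. It models one entry per processing activity, flags the recital 75 indicators quoted earlier (special categories, profiling of personal aspects, vulnerable data subjects, large-scale processing) so that activities with two or more indicators surface as candidates for a closer assessment, lists the inventory fields still missing, and computes the 72-hour notification deadline from the moment of becoming aware of a breach. The 10,000-subject threshold for "a large number of data subjects" and the sample records are constructed for illustration; the GDPR itself fixes no such number.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Risk indicators taken from the recital 75 wording quoted in the article.
SPECIAL_CATEGORIES: Set[str] = {
    "racial or ethnic origin", "political opinions",
    "religion or philosophical beliefs", "trade union membership",
    "genetic data", "health", "sex life", "criminal convictions and offences",
}
PROFILING_ASPECTS: Set[str] = {
    "performance at work", "economic situation", "health",
    "personal preferences or interests", "reliability or behaviour",
    "location or movements",
}
# Constructed threshold for "a large number of data subjects": the GDPR gives no figure.
LARGE_SCALE_SUBJECTS = 10_000
NOTIFICATION_WINDOW = timedelta(hours=72)  # the 72-hour window named in step 9


@dataclass
class ProcessingRecord:
    """One entry in the records of processing activities (step 2)."""
    name: str
    purpose: str
    data_categories: Set[str]
    subjects: int                       # approximate number of data subjects
    profiling: bool = False             # are personal aspects evaluated or predicted?
    vulnerable_subjects: bool = False   # e.g. children
    processors: List[str] = field(default_factory=list)  # outsourcing partners (step 10)
    retention_days: Optional[int] = None


def risk_indicators(rec: ProcessingRecord) -> List[str]:
    """Return the recital 75 indicators that apply to this processing activity."""
    found: List[str] = []
    special = rec.data_categories & SPECIAL_CATEGORIES
    if special:
        found.append("special categories: " + ", ".join(sorted(special)))
    if rec.profiling and rec.data_categories & PROFILING_ASPECTS:
        found.append("profiling on personal aspects")
    if rec.vulnerable_subjects:
        found.append("vulnerable data subjects")
    if rec.subjects >= LARGE_SCALE_SUBJECTS:
        found.append("large scale processing")
    return found


def risk_level(rec: ProcessingRecord) -> str:
    """Triage (step 5): two or more indicators -> 'high', one -> 'elevated', none -> 'baseline'."""
    n = len(risk_indicators(rec))
    return "high" if n >= 2 else "elevated" if n == 1 else "baseline"


def inventory_gaps(rec: ProcessingRecord) -> List[str]:
    """Fields the audit (step 2) still has to fill before a risk assessment is meaningful."""
    gaps: List[str] = []
    if not rec.purpose.strip():
        gaps.append("no purpose recorded")
    if rec.retention_days is None:
        gaps.append("no retention period recorded")
    return gaps


def notification_deadline(aware_at: datetime) -> datetime:
    """Latest time to notify the supervisory authority (step 9): 72 hours after awareness."""
    return aware_at + NOTIFICATION_WINDOW


def summarise(records: List[ProcessingRecord]) -> Dict[str, str]:
    """Map each activity name to its triage level, for a one-page overview."""
    return {r.name: risk_level(r) for r in records}


# Constructed sample inventory; names, figures and processors are illustrative only.
SAMPLE_RECORDS = [
    ProcessingRecord("HR personnel files", "employment administration",
                     {"name", "health", "performance at work"}, subjects=120,
                     profiling=True, processors=["payroll bureau (hypothetical)"],
                     retention_days=2555),
    ProcessingRecord("Website enquiries", "responding to contact form",
                     {"name", "email"}, subjects=800),
    ProcessingRecord("Marketing analytics", "targeted campaigns",
                     {"email", "personal preferences or interests"}, subjects=2_000,
                     profiling=True, retention_days=365),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec.name}: {risk_level(rec)} {risk_indicators(rec)} gaps={inventory_gaps(rec)}")
    aware = datetime(2018, 5, 26, 9, 0, tzinfo=timezone.utc)
    print("notify supervisory authority by", notification_deadline(aware).isoformat())
```

The HR file is flagged "high" because it combines a special category (health) with evaluation of performance at work; the marketing activity is only "elevated" because profiling on preferences is its single indicator at that scale. The triage is a starting point for step 5, not a substitute for the risk assessment itself.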

[Diagram 1 – Collect, Control and Secure Personal Data in line with GDPR]

Diagram 1. Flow diagram showing how personal data may be processed in line with GDPR

[Diagram 2 – GDPR Data Map]

Diagram 2. Modified data flow mapping tool, original developed by Anthony Budd


Contact the GDPR Services team at MCS Integrated Solutions if you need outside help to get started with implementing the GDPR. We provide training, practical workshops, risk assessments and much more!

Sarah O’Connell at soconnell@mcscomputers.ie

Jim Warren at jwarren@mcscomputers.ie

John Anderson at janderson@mcscomputers.ie

Here is one of the many useful resources available on-line:

http://www.privacy-regulation.eu/en/index.htm

Good luck!

Sarah O’Connell
MCS GDPR Services Team