On the 25th of May 2018, the General Data Protection Regulation (GDPR) will become enforceable. Organisations will need to prepare in order to be compliant and to prevent high potential fines (up to 20 million euro).
So what does the GDPR entail and how can you best prepare your organisation?
From national to European regulation
The past few years, European countries have kept taking new measures to ensure the privacy of their citizens. This is logical, seeing as there are ever more technological developments influencing privacy and awareness about the importance of privacy keeps growing.
The new General Data Protection Regulation (GDPR) will unify regulation of data protection within the European Union, thus simplifying regulation for international businesses and strengthening data protection for all individuals in the EU.
At the end of the day, the main goal of regulations such as the GDPR is the protection of citizens in times of increasing digitalisation and globalisation. As such, preparing your organisation for the GDPR is not a temporary project, but an ongoing one which entails changing (and constantly updating!) existing work processes.
Which organisations have to deal with the GDPR?
Even though the GDPR is a European regulation, it is important to note that it applies to organisations within and outside of the EU. As long as your organisation collects or processes data of EU residents, the GDPR applies to your organisation.
With regard to data storage outside of the EU it is important to note that privacy law in countries such as the United States (where communication tools such as WhatsApp and Skype are based) is a lot less strict than the norm set by the GDPR. In the end, your organisation carries the responsibility to ensure compliance with the GDPR and, as such, for the tools and systems used. In a nutshell: make sure you work with software that stores its data on European soil – software that helps you with your compliance with the GDPR rather than undermines it.
The definition of personal data was already quite broad and has become even broader under the GDPR. In principle it covers any data that can be linked to a natural person. This goes for data such as names and citizen service numbers, but also for email addresses, photos, videos and, under the GDPR, also IP addresses, MAC addresses and cookies.
What is expected of your organisation?
The goals of the GDPR are a higher degree of transparency and the strengthening and expansion of privacy rights. The responsibility for ensuring privacy will increasingly lie with organisations and the regulation will be upheld the same way in all of the EU.
When processing personal data, organisations will need to take the following into account:
- Legitimacy, propriety and transparency
- Goal binding
- Minimal data
- Storage restriction
- Integrity and confidentiality
- For children under 16: permission from a parent or legal guardian.
Organisations should take both technical and organisational measures to uphold these principles. It is recommended to work with a so-called ‘processing registry’ – such a registry includes how privacy-sensitive data is processed, with what purpose, how long, how such data is protected and who can access it. For organisations with more than 250 employees or organisations that systematically process personal data, such a registry is obligatory under the GDPR. Organisations must also set up fixed procedures for the classification of data and what to do in case of data breaches.
The part about ‘minimal data’ means (among other things) that organisations have to minimize risks by pro-actively deleting data when this data is no longer relevant. If you are using the Alterdesk platform, you can choose to always send messages containing personal data with a specific ‘lifespan’. After the duration of this lifespan, the messages will be automatically deleted from all devices and servers.
The rights of data subjects
The data subject (for example: a patient, client or employee whose personal data is being processed) has specific rights within the scope of the GDPR. These are:
- Right to information
- Right to access
- Right to rectification
- Right to erasure
- Right to limit processing (for example, for marketing purposes)
- Right to transfer data
- Right of objection
- Right not to be subjected to automated individual decision-making.
The core of these rights is transparency: inform data subjects about what will happen with their data and let them know that they can object if they wish to do so. Most of the rights mentioned were already part of most national privacy regulations preceding the GDPR, but rights such as the right to erasure are new.
Good to know: if your organisation uses the Alterdesk communication platform, contacts can be deleted from the system (in order to comply with the right to erasure). Messages sent by these deleted accounts will be ascribed to an ‘anonymous’ user and can no longer be traced back to this person. It is also possible to generate a PDF of an Alterdesk conversation, for the sake of, for example, the right to transfer data or the right to access.
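The two retention controls described above (messages with a fixed lifespan that are deleted automatically, and re-attributing a deleted account's messages to an anonymous user while still being able to export a subject's own data) can be illustrated with a small in-memory message store. The following Python is an added example written for this article; it is not Alterdesk's code and makes no claim about how the Alterdesk platform is implemented. The class and method names (MessageStore, purge_expired, erase_account, export_for) and the sample accounts and messages are constructed for the illustration.

```python
"""Retention and erasure controls for a message store (added illustration)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

ANONYMOUS = "anonymous"  # placeholder sender used once an account is erased


@dataclass
class Message:
    msg_id: int
    sender: str
    body: str
    sent_at: datetime
    lifespan: Optional[timedelta] = None  # None: kept until explicitly erased

    def is_expired(self, now: datetime) -> bool:
        """A message with a lifespan expires once sent_at + lifespan has passed."""
        return self.lifespan is not None and now >= self.sent_at + self.lifespan


class MessageStore:
    """Minimal in-memory store (hypothetical); a real service persists to a DB."""

    def __init__(self) -> None:
        self._messages: List[Message] = []
        self._accounts: Dict[str, str] = {}  # account id -> display name
        self._next_id = 1

    def register(self, account_id: str, display_name: str) -> None:
        self._accounts[account_id] = display_name

    def send(self, sender: str, body: str, sent_at: datetime,
             lifespan: Optional[timedelta] = None) -> Message:
        if sender not in self._accounts:
            raise ValueError(f"unknown account {sender!r}")
        msg = Message(self._next_id, sender, body, sent_at, lifespan)
        self._next_id += 1
        self._messages.append(msg)
        return msg

    def purge_expired(self, now: datetime) -> int:
        """Storage restriction: drop every message whose lifespan has elapsed.

        Returns the number of messages removed; a scheduler would call this
        periodically so that expired personal data never lingers.
        """
        before = len(self._messages)
        self._messages = [m for m in self._messages if not m.is_expired(now)]
        return before - len(self._messages)

    def erase_account(self, account_id: str) -> int:
        """Right to erasure: delete the account record (the personal data) and
        re-attribute its remaining messages to the anonymous placeholder so they
        can no longer be linked back to the person. Returns messages re-attributed."""
        self._accounts.pop(account_id, None)
        count = 0
        for m in self._messages:
            if m.sender == account_id:
                m.sender = ANONYMOUS
                count += 1
        return count

    def export_for(self, account_id: str) -> List[dict]:
        """Right to access / data portability: the subject's own messages only."""
        return [
            {"id": m.msg_id, "sent_at": m.sent_at.isoformat(), "body": m.body}
            for m in self._messages if m.sender == account_id
        ]

    def messages(self) -> List[Message]:
        return list(self._messages)


if __name__ == "__main__":
    # Constructed sample data: two accounts, one message with a 7-day lifespan.
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store = MessageStore()
    store.register("alice", "Alice Example")
    store.register("bob", "Bob Example")
    store.send("alice", "patient file attached", t0, timedelta(days=7))
    store.send("bob", "ok", t0)
    store.send("alice", "meeting at 10", t0 + timedelta(days=1))
    print("purged:", store.purge_expired(t0 + timedelta(days=7)))
    print("anonymised:", store.erase_account("alice"))
    print("bob's export:", store.export_for("bob"))
```

Two design points are worth noting. Expiry is evaluated against an explicit `now` rather than the wall clock, which makes the retention rule testable and lets a purge job be replayed. Erasure removes the account record itself and only re-labels the sender field of surviving messages; the message bodies are left in place, so a body that itself quotes a name or other identifier is not covered by this step and would need separate handling.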
When working with personal data, organisations have to take specific security measures with regard to the digital processing of such data. The GDPR obliges organisations to use the following measures:
- Encryption of files and digital communication
- Pseudonymisation, so that data can no longer be traced back to a person
- Data back-up (and testing)
- Access security (by means of registration and assignation of rights within accounts)
- Privacy by design.
The Alterdesk platform uses firewalls, encryption and access security to secure data. A back-up is made of all stored data. As mentioned above, our platform also ensures that sent messages can no longer be traced back to a deleted account. Of course, privacy by design lies at the very core of our platform: we focus on privacy during each step of the development process.
Steps to take
In order to prepare your organisation for the GDPR, it is advisable to take the following steps:
- Map how personal data are processed at the moment;
- Check what kinds of personal data are being processed;
- Check whether your organisation is legally permitted to process this data;
- Verify whether the necessary permissions have been obtained;
- Check whether data has been properly classified;
- Take a close look at current procedures and instructions;
- Determine whether there is sufficient awareness among employees about the GDPR;
- Decide which employees should carry specific responsibilities regarding GDPR compliance;
- Prepare an action plan to adjust procedures where necessary and communicate this to employees;
- Prepare a processor agreement containing the nature of the data, the storage period and the measures taken with regard to data security;
- Does your organisation use systems based outside of the EU? Then a specific agreement must be drawn up with the data processor outside of the EU;
- Make sure your organisation has set up a privacy statement. In case website visitors can send in information through the website (by means of, for example, a contact form), then this privacy statement should also be published clearly on your website.
The fines for non-compliance with the General Data Protection Regulation can be quite high. If privacy by design is not implemented as it should be and this leads to, for example, data breaches or other security incidents, this can lead to a fine of up to 10 million euro or, for a company, up to 2% of the global annual turnover of the previous financial year (if this comes out higher than the fixed penalty amount).
This fine can increase even further if the local authority judges that an organisation has taken insufficient technical and organisational measures – the maximum fine will then be 20 million euro and the aforementioned 2% will be 4%.
Ouch. Non-compliance with the GDPR can become quite expensive. Even so, we have hardly heard anything about it from organisations in our network. As such, it is important to increase awareness about what the requirements are and how these will need to be upheld starting the 25th of May 2018.
Many of the necessary actions mentioned above are organisational in nature, but it is abundantly clear that the GDPR also influences the ways in which an organisation can communicate. Communication processes will need to minimize the risk of a data breach and it will need to be clear where personal data is stored, how it is sent and how it is secured. Organisations using WhatsApp or unsecured email accounts (unfortunately, this happens more than you might think) run the risk of getting high fines.
Luckily, secure communication is our expertise. Would you like to know more about how our platform can help your organisation become GDPR-compliant? Do contact us – we’d love to hear from you.