Meeting the tougher new data protection regulation is likely to require additional work and a reduction in options for all businesses.
One of the hallmarks of the new General Data Protection Regulation (GDPR) is that it puts the onus for meeting the new standards firmly on each business. Article 5 of the GDPR is very clear on this, stating that businesses "shall be responsible for, and be able to demonstrate compliance".
Outside of pure compliance, changes in the ways that data can be collected, stored and processed can also have an impact on the way that businesses work. We'll look at the steps businesses should take to meet these goals in our next blog post. But here, we're looking at the direct impact that GDPR is likely to have on every company.
Although the regulation is clear that you must demonstrate compliance, there's no set method of doing so. At the very least, all companies should have one person responsible for documenting everything relating to GDPR, including how data is collected, stored, and processed.
Documentation should also cover staff training and how personal data can be accessed. It's a sizable job, but demonstrating that your company took reasonable steps to identify issues and fix them will be important in the event of a breach.
As part of the GDPR, trade associations and representative bodies will be encouraged to create codes of conduct and certification mechanisms. Once created, these optional schemes can help your business demonstrate compliance. Keep an eye on the ICO and your trade body for more information.
Although GDPR sets out many ways that data can be processed, gaining consent will often be the most straightforward method and the one easiest to prove. GDPR has definitive goals that change the way you approach gaining consent.
When seeking consent to process an individual's personal details, Recital 32 of the GDPR is very clear: "Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement."
The UK's Information Commissioner's Office (ICO), in its draft GDPR consent guidance document, goes on to explain that consent messages should be written clearly in plain English and unbundled, that is, kept separate from all other terms and conditions. And, most importantly, the information must cover all forms of processing that you aim to undertake. Fail to mention a use for the data you're collecting, and you'll most likely have to go back and ask for permission.
Data collection policies need to be carefully rewritten to ensure that they meet the tougher new rules.
More significantly, and in line with the need to prove compliance, Article 7 of the GDPR states that businesses need to "demonstrate that the data subject has consented to processing of his or her personal data". While not explicitly required by the regulation, a double opt-in system could be useful here.
With double opt-in, an email is sent to the individual asking them to click a link that confirms the sign-up. This act is a clear indication that the correct details were entered in the first place and that the user is happy with the conditions set out.
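To make the double opt-in step concrete, here is an added example (not code from the original post or from ComputerWorld) of how the confirmation link and the resulting consent record could be built. It assumes a shared HMAC secret held by the server, a 48-hour link lifetime and the record fields shown; all names, the secret and the sample purposes are constructed for illustration. The point is that the confirmation click, not the initial form submission, is what creates the stored evidence of consent, and that the record captures every purpose and the exact wording version the subject agreed to.

```python
"""Double opt-in: issue a signed, expiring confirmation link and record consent only
once the link is followed. Hypothetical example; not the ICO's or any vendor's code."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from dataclasses import dataclass


@dataclass
class ConsentRecord:
    """Evidence kept to demonstrate consent (GDPR Article 7)."""
    email: str
    purposes: list            # every intended use, including named third parties
    consent_text_version: str  # which wording the subject actually saw
    requested_at: float       # when the form was submitted (link issued)
    confirmed_at: float       # when the link in the email was followed


def _sign(secret: bytes, payload: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_confirmation_token(secret: bytes, email: str, purposes: list,
                             consent_text_version: str, now: float = None) -> str:
    """Build the token embedded in the confirmation link sent by email."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"email": email, "purposes": sorted(purposes),
         "v": consent_text_version, "iat": now},
        separators=(",", ":"), sort_keys=True).encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(secret, payload)}"


def confirm(secret: bytes, token: str, ttl_seconds: int = 48 * 3600,
            now: float = None):
    """Validate a clicked link. Returns a ConsentRecord, or None if the token is
    malformed, forged, or older than ttl_seconds."""
    now = time.time() if now is None else now
    try:
        body, sig = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison: the signature binds email, purposes and wording version.
    if not hmac.compare_digest(_sign(secret, payload), sig):
        return None
    data = json.loads(payload)
    if now - data["iat"] > ttl_seconds:
        return None  # stale link: ask the subject to sign up again
    return ConsentRecord(email=data["email"], purposes=data["purposes"],
                         consent_text_version=data["v"],
                         requested_at=data["iat"], confirmed_at=now)


if __name__ == "__main__":
    # Constructed sample run; the secret would come from configuration in practice.
    secret = b"constructed-secret-for-illustration"
    token = issue_confirmation_token(
        secret, "alice@example.com",
        ["newsletter", "partner:Acme Energy Ltd"], "consent-text-2018-05")
    print("link: https://example.com/confirm?token=" + token)
    print(confirm(secret, token))
```

In a real deployment the token would be looked up or marked as used after the first click so that a forwarded email cannot be replayed, and the `ConsentRecord` would be written to durable storage alongside the consent wording itself.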
It's common for companies to collect data to share with third parties for marketing reasons, for example asking a customer if they'd like to receive marketing emails from energy providers. Under GDPR this becomes unacceptable: every third-party company must be named. As the ICO's draft guidance on consent states, "name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR."
Again, this is a fairly significant job. But all opt-in messages and collection systems need to be checked and rewritten where they don't comply with GDPR.
Data storage requirements
Personal data must be securely stored on servers in EU countries that are also GDPR compliant. Also, security needs to be there by design, which means that all information should be encrypted at the absolute minimum. Thoroughly analysing your data storage and access protocols is a must, strengthening any weak areas.
The right to be forgotten
The right to be forgotten is one of the most powerful new tools that individuals are given under GDPR. Under the new regulation, they'll be able to have their personal data removed from your systems. However, as the ICO has stated, "The right to erasure does not provide an absolute ‘right to be forgotten’".
In other words, there are times where your company may need to hold on to some personal details. According to the ICO, you can legitimately hold on to personal data:
- To exercise the right of freedom of expression and information
- To comply with a legal obligation for the performance of a public interest task or exercise of official authority
- For public health purposes in the public interest
- For archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- For the exercise or defence of legal claims
Realistically, when a user requests that their data be removed, your company will shoulder the burden of removing this data from some systems while leaving some data behind for legal and compliance reasons. Having an automated system that can perform these jobs may become a necessity, as manually removing data could be too labour intensive.
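The following is an added example (not code from the original post or from ComputerWorld) of what such an automated erasure routine might look like. It assumes a single list of records drawn from several systems, a small retention table mapping record categories to the ICO grounds listed above and a retention period, and the constructed sample data shown; system names, categories and periods are illustrative only. Records still under a legal retention obligation are kept but flagged as restricted, so they are not used for anything beyond that obligation, and every decision is written to an audit trail that can be shown to the ICO.

```python
"""Automated handling of a right-to-erasure request across several systems.
Hypothetical example with constructed retention rules and sample data."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Record:
    subject_id: str
    system: str       # which system holds it, e.g. "crm", "billing", "legal"
    category: str     # e.g. "marketing_profile", "invoice", "dispute_file"
    created: date
    restricted: bool = False  # set when kept only for a legal ground


# Categories that may lawfully be kept after an erasure request: (ground, days kept
# from creation). Constructed values; real periods come from legal advice.
RETENTION_RULES = {
    "invoice": ("legal obligation (tax records)", 6 * 365),
    "dispute_file": ("exercise or defence of legal claims", 10 * 365),
}


def process_erasure_request(subject_id: str, records: list, today: date):
    """Return (remaining_records, retained_records, audit_lines).

    Records for the subject are erased unless a retention rule still applies,
    in which case they are kept, marked restricted and logged with the ground."""
    remaining, retained, audit = [], [], []
    for r in records:
        if r.subject_id != subject_id:
            remaining.append(r)           # other subjects are untouched
            continue
        rule = RETENTION_RULES.get(r.category)
        if rule:
            ground, days = rule
            expires = r.created + timedelta(days=days)
            if today <= expires:
                r.restricted = True
                retained.append(r)
                remaining.append(r)
                audit.append(f"RETAIN {r.system}/{r.category} ground='{ground}' "
                             f"until={expires.isoformat()}")
                continue
        # No applicable ground (or the retention period has ended): erase.
        audit.append(f"ERASE {r.system}/{r.category} created={r.created.isoformat()}")
    audit.append(f"DONE subject={subject_id} erased={len(records) - len(remaining)} "
                 f"retained={len(retained)} on={today.isoformat()}")
    return remaining, retained, audit


# Constructed sample data spanning three systems and two subjects.
SAMPLE_RECORDS = [
    Record("sub-123", "crm", "marketing_profile", date(2023, 1, 1)),
    Record("sub-123", "billing", "invoice", date(2019, 3, 1)),   # still within 6 years
    Record("sub-123", "billing", "invoice", date(2015, 1, 1)),   # period has ended
    Record("sub-123", "legal", "dispute_file", date(2020, 6, 1)),
    Record("sub-999", "crm", "marketing_profile", date(2022, 5, 5)),
]

if __name__ == "__main__":
    _, _, log = process_erasure_request("sub-123", SAMPLE_RECORDS, date(2024, 6, 1))
    print("\n".join(log))
```

The audit lines are what you would keep as part of the documentation described earlier: they show which data was removed, which was kept, and on what ground, without retaining the erased data itself.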
Working with third parties
If you work with any third-party companies to host or process your data, including cloud hosting companies, GDPR Article 28 states that you should have a contract. You may want to get legal advice on creating a third-party GDPR contract that you can use for current and future partners.
Finally, make sure that all your third-party services are GDPR-compliant, noting down any compliance statements in your documentation as proof.
To make sure you don't miss part 2 of this blog series, 'What impact will GDPR have on your business', complete the form below:
ComputerWorld offer a range of security services and solutions to help your business get prepared for GDPR covering:
- Identity Management
- Protection and recovery
- Perimeter security and Networking
- Patch Management
- Security Strategy and Auditing
Complete the form below to speak to one of our security specialists today: