Welcome back to part 2 of our GDPR series on business operations, if you’ve not read the first part yet, you can hop on over and read it here. We’d recommend you do, or this part won’t make much sense!
Welcome back to part 2 of our GDPR series on business operations, if you’ve not read the first part yet, you can hop on over and read it here. We’d recommend you do, or this part won’t make much sense!
If you have read it, then you already know the first five ways that GDPR will impact the operational requirements of your business.
So today, we’re going to round up by looking at the last five and how you can prepare for these changes, without causing chaos in your business.
RTBF and Data Portability
One of the bigger elements GDPR bring in (after consent) is RTFB, or, ‘the right to be forgotten’. This is the first time any data protection law has recognised the rights of an individual to request deletion of their personal data by the companies who hold it.
This now means that any business must be ready to locate and completely (and securely) erase an individual’s data ‘without undue delay’ when requested to do so.
Controllers must also delete this data if; it is no longer needed, the data subject objects to the processing, or the processing itself is unlawful (for example in the case of processing data on a child without parental consent).
But the right to be forgotten goes even further than that and puts additional obligations on any controller who makes personal data public, especially online. When a data subject requests deletion of data that has been made public, the controller must take ‘reasonable steps’ to inform other controllers of the request, and endeavour to delete the data, as well as any copies of the data or links to it.
Of course, that’s not all. GDPR solidifies ‘the right to data portability’ which requires data controllers to provide personal data to the data subject in a commonly used format, and to transfer that data to another controller if the data subject requests it to.
It also means that, in any scenario where a business is processing personal data through automated means, the data subject has the right to receive the personal data concerning them, in a widely used format.
Vendor Management
In its efforts to protect and expand the rights of EU citizens over their personal data, GDPR creates some very clear lines in terms of accountability in data processing. This is the whole premise behind having defined ‘controllers’ and ‘processors’, each with their own roles.
For businesses that outsource or pass on personal data in the process of daily operations, this means understanding what role you play, and how to manage your vendors properly.
GDPR requires some pretty comprehensive requirements for controller-processor contracts, which has prompted a lot of businesses to reassess their vendor agreements to make sure everything is compliant.
The burden of responsibility lies rather heavily on the controller to ensure compliance and they are the ones liable if there is any breach, even if they aren’t the ones doing the actual processing of the data. This means that any business employing other companies to process data will need to vet them thoroughly and ensure that their processing partners are completely compliant before transferring any data.
Pseudonymization
At the heart of GDPR, the idea the whole regulation is built on, is personally identifiable data. That is, any information that could be used to identify an individual.
All of it is covered by GDPR but what GDPR doesn’t cover is data that ‘does not relate to an identified or identifiable natural person, or to data rendered anonymous in such a way that the data subject is no longer identifiable.’ GDPR calls this ‘pseudonymization’, a process that renders data neither anonymous nor directly identifying, allowing businesses to continue to use personal data without any risk to the individual.
It works by separating direct identifiers from the data, so that linkage to an identity is not possible without additional information, which is held separately.
This process significantly reduces the risks associated with data processing, while also maintaining the data’s unity. It has therefore become a popular option to comply with GDPR whilst still keeping hold of data.
Although pseudonymized data still falls within the scope of the Regulation, some provisions are relaxed to encourage controllers to use the technique. So controllers that do pseudonymize their data will have an easier time using personal data for secondary purposes and for scientific or historical research, as well as meeting GDPR’s data security and data by design requirements.
Codes Of Conduct And Certificates
There are several different rules to try and follow within GDPR and expecting one regulator to confirm each and every data controller or processor’s compliance with GDPR’s many protections goes beyond their capacity.
That’s why GDPR endorses the use of codes of conduct and certifications to do the following:
- Provide guidance on GDPR requirements
- Signal to data subjects and regulators that an organisation is compliant with the regulation
- Offer third-party oversight as another check on controllers’ and processors’ data handling practices
These tools are likely to feature fairly prominently in company plans for data processing and legitimate cross-border data transfer, helping ensure security and continuity with other worldwide systems.
Codes of conduct and certifications, both of which may be used to demonstrate compliance, have some subtle differences. The main one is that codes of conduct cover how things are done, while certificates are used as a method of demonstrating compliance to the outside world. We could write a whole blog on this alone, so if you have any questions about these, please do get in touch.
Consequences For Violations
Of course, this is the part that has people most interested. Unlike other data protection regulations, GDPR instigates some very steep fines for non-compliance.
This includes some fines with a high price tag, with a maximum of 20 million euros or 4% of annual global turnover, whichever is highest.
GDPR authorises the supervisory authority of each country (the ICO for the UK) to assess fines that are ‘effective, proportionate and dissuasive’, and gives them the flexibility to look at mitigating circumstances when deciding these penalties.
This includes the introduction of a ‘two-tier’ system, which will help define which penalties are appropriate. Higher tier offences include the failure to:
- Comply with data protection principles such as lawfulness, fairness, transparency, storage limitation and confidentiality;
- Obtain valid consent;
- Fulfil the requirements relating to processing sensitive personal data;
- Meet obligations in relation to data subjects’ rights such as the right to transparency, the right to access personal data and the right to rectification and erasure;
- Transfer data to a third country in accordance with the rules on data transfer;
- Comply with Member State law adopted to implement the provisions to specific processing situations; or
- Comply with certain supervisory authority orders such as; limiting processing or suspending data flows, failure to
- Comply with a data subject’s requests to exercise his or her rights or failure to communicate a data breach to an affected data subject.
While lower tier offences include the failure to:
- Obtain consent on behalf of a child;
- Comply with the provisions applicable to processing which do not require identification;
- Incorporate and implement data protection by design and default principles;
- Apportion risk appropriately in a data-sharing situation;
- Designate a representative where required;
- Comply with the requirements concerning the appointment of data processors;
- Maintain proper data processing records and comply with requests from the supervisory authority;
- Implement proper security measures;
- Notify a supervisory authority and/or affected data subjects of a breach;
- Conduct a data protection impact assessment and address identified risks; or
- Appoint a Data Protection Officer
And that’s it! Just 10 ways that GDPR can impact your operations as a business.