On May 25, 2018, the new EU data regulation (GDPR) will be effective for all companies operating in any EU member state. The impact is already massive. Every company must be ready to capture consent, transfer customer and employee data to third parties and be able to prove that they manage personal data effectively. This GDPR guide will teach you how to get your processes ready for this.
The main impact comes from the fact that the GDPR shifts the burden of proof to the company. What does this mean in practice? Imagine that you’re driving on a country road. All of a sudden, a policeman pulls you over. Now, he asks for you to prove that you didn’t drive faster than you should have during all of last year! This may sound absurd but with the new EU regulation, this is what we all need to do. You need to demonstrate that you follow the rules. It’s not up to the regulatory authorities to prove that you are in compliance! As a result, this puts the burden of proof on your organisation. Fortunately, this GDPR guide will cover everything you need to know.
Penalties for non-compliance pose significant risks to your organisation
GDPR will have a large impact on organisations that have not described their processes and have not documented how they follow those processes. If they can’t, they risk fines of up to €20 Million or 4% of their annual turnover – whichever is higher. In addition, regulatory authorities may even forbid violators to manage any personal data. So, this is clearly a risk that you must manage. The question is how? I’ve written this guide to prepare our own activities and thought it would be worth sharing.
This GDPR guide seeks to answer the questions that we had when starting out
This GDPR guide seeks to answer the five questions that I found myself asking when Gluu first started getting ready for this:
- What is the scope of this new GDPR regulation?
- When is your organisation a data controller and when is it a processor?
- What are the main requirements that we must adhere to?
- How do we check that we meet the requirements?
- How do we start?
Introduction to this GDPR guide
First, some basics.
What does the new EU data regulation cover?
The GDPR covers all personal data, that is, any information held about individuals: everything from the IP address of a consumer to the address details of an employee. The EU regulatory site states it like this:
“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
So, as you can see, the scope varies with your business model. In our case, we sell an online platform to businesses, so we have no personal data on private individuals. To decide where to start, we made the following priority list:
- Data on our customers’ employees within the Gluu platform.
- Sales and marketing data on our customers’ employees (in our CRM system).
- Data on our own employees.
These priorities helped us to decide which processes to look at first.
When is your company a “data controller” and when is it a “data processor”?
The regulation differentiates between the parties that are responsible for the data and the ones that are merely storing and/or processing it.
“A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.” – EU regulatory site
In our case, we’re our own data controller for our own employees and for sales and marketing data related to specific individuals in our CRM system. In relation to the data on our platform, we’re a data processor and our actions are governed by Data Processor Agreements that we have with customers.
To some, GDPR is just another process compliance challenge
With the scope clear, we needed to understand the work ahead of us. At Gluu we already have to comply with quality and development requirements, so in that sense the GDPR is just another compliance area to add to our management system. However, this management system lives within our own Gluu platform, which already states how we operate (process hierarchy, diagrams and work instructions) and measures that we comply, through automatic tasks and change recording.
To a normal management system (that may cover health and safety, quality and security) the GDPR adds the requirement that your organisation must:
- Document how it treats personal data,
- Ensure that its processes meet the GDPR requirements,
- Be able to report and prove that it does as it says.
In other words, you must have all necessary processes in place and be able to prove that you follow them.
So where does this leave your organisation?
| Your situation | Your task ahead |
| --- | --- |
| No documented processes and “process culture” at all | Start by making a process hierarchy where you focus on the processes that are likely to involve or impact personal data. |
| An outdated quality management system with processes described in Word documents. | Migrate and validate your processes to a format where you can easily involve all the necessary colleagues in discussing each activity. |
| A fully operational “process-driven” management system with broad ownership and a good “process culture”. | Go through all processes and mark any activities that may impact personal data. Revise your processes and activities in accordance with GDPR. Add any missing processes. |
At Gluu we’re genuine “process-nerds” and we, therefore, found ourselves in the last group. However, the task has still been significant.
Checklists for the six main GDPR requirements
From a conference with the Danish law firm DAHL and the reading of white papers and checklists from international law firms, I made this list of the six main requirements facing us:
- Obtain lawful consent.
- Document all personal data related processes.
- Report on personal data breaches.
- Ongoing risk analysis.
- Privacy by design.
- Data portability.
Each requirement is explained further below. I have also shared our own internal checklists that were made from recommendations found on the EU GDPR site and various law firms recommended there.
1. Obtain lawful consent from each individual
You may no longer be able to use a long “terms and conditions” document where each individual ticks a box to confirm that he or she has read it. The EU GDPR site states it like this:
“Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt-in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.”
With this in mind and input from lawyers we created this checklist:
- Find out how we record consent and consider how to keep a clear record of what each individual consented to.
- Ensure that we have identified and documented the grounds for lawful processing (and, where the legitimate interests ground is being used, what the legitimate interests are) and the storage period for the data.
- Make it easy for individuals to withdraw their consent (i.e. an “unsubscribe” link).
- Demonstrate that consent is always obtained when recording data.
- Demonstrate that those who have given their personal data are aware they have the ability to withdraw it.
2. Document all personal data related processes
“If your data treatment could impact the security of personal data – and this is collected systematically – then you need to document all data treatment activities.” I read this as the need to ensure proper documentation of many processes within Marketing, Product Management, HRM and IT Operations.
This is the checklist that we created – split into our responsibilities as Data Controller and as Data Processor:
Data controller responsibilities:
- Identify where personal data is processed within your organisation, including by third-party processors.
- Decide the process (and tooling) for recording the following:
- The purposes of processing data.
- A description of categories of data subjects and personal data.
- The categories of recipients of personal data.
- The details of transfers to third countries.
- The time limits for erasure of different categories of data.
- A general description of technical and organisational security measures taken (by reference to the information security policy and information classification policy).
- Consider how to ensure that the relevant information will be kept up-to-date. This may require imposing obligations on contract managers to keep information relating to the contracts that they are responsible for up-to-date and accurate.
- Map your current processing activities and consider whether they are compliant with the provisions of the GDPR. The areas to cover are listed below.
HR department handling of employee data
- Informing employees of all data collected and for what purpose (covering employees, customers and other third parties).
- Any monitoring of employee communication and internet usage (including through Bring Your Own Device solutions and social media).
- Accessing employee files/communications for investigations.
- Use of CCTV.
- Operation of whistleblowing scheme.
Customer data
- Customer marketing protocols.
- Cookies and online tracking.
Other third-party data
- Supplier / business partner notices / consents.
Data transfers to third parties
- Sharing data with other controllers.
- Data sharing with processors.
Data subject rights
- Responding to data subject rights, i.e. subject access, rectification, erasure, restriction of processing, data portability, the right to object to certain types of processing and the right to object to or obtain human intervention in certain automated decision making.
Information security
- Information security and data breach response policy.
Data storage periods
- Records management programme which has been adapted so that there are maximum storage periods for personal data categories as well as minimum retention periods.
Data processor responsibilities:
Determine the process you will use to record the following details in respect of each controller:
- Name and contact details of the processor and the Data Privacy Officer, and of the controller on behalf of which it is processing.
- Categories of processing.
- Transfers of data to a third country or international organisation.
- General description of the technical and organisational security measures.
- Keep information up-to-date. Again, this may require imposing obligations on contract managers to keep information relating to the contracts that they are responsible for up-to-date and accurate.
3. Report on personal data breaches
The Data Controller must ensure that the right technical and organisational tools and processes are in place to ensure that personal data is handled in accordance with the regulation. This includes safeguarding and protecting personal data.
Importantly, the data responsible party must be able to provide proof that data is treated in accordance with the regulation.
For Gluu this means that when we act as Data Processors on behalf of our customers, then we must ensure that they can meet this requirement fully and with ease – for any data stored on the Gluu platform.
Specifically, this is important when it comes to information security. Article 33 covers the requirement that all security breaches that affect the security of personal data must be documented.
Documentation shall include:
- What happened.
- When it happened.
- The impact.
- The corrective and preventive action taken.
Report to the regulatory authority within 72 hours after the breach becomes known to the data responsible party.
Again, we followed a checklist:
- Put in place data breach response and notification procedures to meet the 72-hour deadline for notifications to the Regulatory Authority.
- Prepare data breach response procedures to evaluate situations exposing data subjects to high risk, and procedures that enable notifications to be made to data subjects “without undue delay” in such circumstances. Prepare template letters and conduct rehearsals for data breaches.
- Maintain a personal data breach register that includes the facts relating to the breach, its impact and the remedial actions taken.
- Ensure that processor agreements have provisions allowing us to meet the 72-hour deadline for reporting breaches.
- Ensure that, where we are the processor, mechanisms are in place to enable us to report data breaches to the controller without undue delay.
4. Conduct ongoing risk assessment
Ongoing risk assessment is essential to GDPR compliance. In particular, you must complete a risk analysis whenever you consider implementing new technologies that could impact the security of personal data. Examples of risk-assessment methods for new technology are screening and “what-if” questions.
This is the checklist:
- Put a process in place to determine whether a privacy impact assessment (PIA) is required.
- If a PIA is required, ensure that there is a clear process for carrying out PIAs appropriately across the organisation, covering the minimum requirements set out in the GDPR, namely:
- A systematic description of the processing operations and the purposes of the processing.
- An assessment of the necessity and proportionality of the processing operations.
- An assessment of the risks to the rights and freedoms of data subjects (e.g. ask your team whether they would accept the collection of unusual information about them).
5. Design processes with privacy in mind
As a data controller, ensure that your systems and processes are designed with privacy in mind, so that GDPR requirements are built into them.
This is the checklist for process design:
- Only use personal data where necessary; in other cases use pseudonyms.
- Ensure that personal data is only accessible to individuals who need it.
- Use applications or processes that allow you to implement such controls.
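One way to implement the pseudonym and need-to-know items of this checklist, as an added Python example that is not Gluu's code: identifiers are replaced by keyed HMAC tokens so records can still be linked and analysed, while the token-to-identity table and the key stay with a restricted role. The records, key, field names and the "privacy_officer" role are constructed for illustration.

```python
import hmac
import hashlib

# Constructed sample records (not real people) and a constructed demo key.
# In practice the key lives in a secret store reachable only by the restricted role.
DEMO_KEY = b"constructed-demo-key-keep-out-of-source"
RECORDS = [
    {"email": "anna@example.com", "name": "Anna Example", "team": "Sales", "hours": 38},
    {"email": "bo@example.com", "name": "Bo Example", "team": "Support", "hours": 40},
    {"email": "Anna@Example.com", "name": "Anna Example", "team": "Sales", "hours": 35},
]
IDENTIFYING_FIELDS = ("email", "name")
REIDENTIFY_ROLE = "privacy_officer"  # assumed role name


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed HMAC: the same person always gets the same token, but nobody can
    rebuild or reverse the token without the key. A plain unkeyed hash of an
    e-mail address could be matched against a list of known addresses."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(record: dict, key: bytes, lookup: dict) -> dict:
    """Return a copy of the record with identifiers replaced by a token.
    The token-to-identity mapping is written only to `lookup`, the table
    kept under restricted access by the controller."""
    token = pseudonym(record["email"], key)
    lookup.setdefault(token, {f: record[f] for f in IDENTIFYING_FIELDS})
    view = {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}
    view["subject"] = token
    return view


def reidentify(token: str, lookup: dict, role: str) -> dict:
    """Need-to-know: only the restricted role may resolve a token back to a person."""
    if role != REIDENTIFY_ROLE:
        raise PermissionError("re-identification is limited to the privacy officer")
    return lookup[token]


def hours_per_subject(views: list) -> dict:
    """Analysis that works on the pseudonymised view alone (no identifiers needed)."""
    totals: dict = {}
    for v in views:
        totals[v["subject"]] = totals.get(v["subject"], 0) + v["hours"]
    return totals
```

The analyst role works entirely on the output of `pseudonymise`; only the privacy officer holds the lookup table and can call `reidentify` when a data subject request requires it.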
6. Enable data portability
Article 20 states that the registered individual has the right to receive the data that he or she has given to the data responsible party. Provide this information in a structured, commonly used and machine-readable format, so that it can easily be transferred to other organisations.
This is the checklist for portability:
- Review and map your international data flows, including data transferred outside of the EU.
- Assess how these rights are triggered and how they will be exercised in both customer and employee contexts.
- Consider how to search for, filter and separate the information required to comply with the rights.
- Consider whether the rights can be met wholly or partially through a self-service option.
- Ensure that mechanisms are in place to enable responses within one month.
- Assess the opportunities to have personal data of competitors’ or other third parties’ customers ported to your organisation through data subjects’ exercise of portability rights.
How do you start?
Now you have outlined all of your requirements and listed their checkpoints. The next step in our GDPR guide is to look at how and where you start.
With our above checklists as the starting points we identified the following main tasks:
1: Analyse our current state
Before we started, we analysed our maturity in relation to personal data and processes. This helped to clarify where to focus and gave us a starting point for the work. We used the Danish government tool “Privacy Compass” to do this gap analysis.
- Create an overview of all personal data related activities.
2: Map any missing processes
We identified and mapped the remaining data privacy-related processes. This mapping included the affected data flows and IT systems.
3: Analyse and close gaps in relation to GDPR requirements
Fill in a data form per activity (in each process) that involves personal data. This step allowed us to identify gaps against our requirements and to close them.
- Conduct a risk analysis.
- Assess information security.
- Ensure all third-party relations are ready for GDPR.
- Establish a new process for personal data protection.
- Update our process for security breaches.
- Maintain all processes.
- Verify all processes.
- Update our policy on personal data.
- Update our consent notices.
4: Prepare control system
We prepared a GDPR control system in Gluu for our users’ personal data. To do this, we set up recurring tasks to ensure that we follow up correctly. In addition, we document the follow-ups for simple and easy reporting.
- Setting up recurring tasks and forms.
5: Prepare operations
Finally, we ran some tests to ensure that we could report properly. For instance, if there was a data breach, could we show exactly which activities involved personal data and were affected by it?
- Staff awareness training.