On 25 May 2018, the EU’s new General Data Protection Regulation (GDPR) will take effect. That’s a long way off - and a good thing, too, because it will give you time to prepare for compliance with the new rules. The rules of the GDPR are stricter in many areas, and you should start preparing for them now to make the transition as smooth as possible. These six steps will get you off to a good start.
WHAT IS SO IMPORTANT ABOUT DATA PROTECTION COMPLIANCE?
The GDPR brings new and stricter rules, including new requirements for data security and documentation and new penalties. Whereas currently fines for non-compliance are typically between DKK3,000 and DKK10,000 in Denmark (although in one case a penalty of an historic DKK25,000 was imposed), failure to comply with the new rules under the GDPR could attract a fine of up to the greater of EUR20 million and 4% of annual worldwide turnover. Non-compliance, therefore, could prove to be extremely costly. Also, there could be other adverse effects of infringements, e.g. claims for damages, detriment to your company's reputation, and a loss of trust in your company.
HOW TO ACHIEVE COMPLIANCE
Many businesses process, store and transfer large quantities of personal data with no set procedures for internal and external processes. ‘Compliance’ is an elusive concept to many, and judging whether a company is compliant or not can be difficult. And if a company is not compliant, what exactly needs to be done, then?
There is no ‘one size fits all’ solution, but most companies will be off to a good start following the six steps outlined in the following model.
1. IDENTIFY AND PREPARE: WHAT APPLIES TO YOU?
First and most importantly you need to make sure your management appreciates the importance of compliance with the GDPR and understands what the possible implications of the new regime to your company are.
You should convene, therefore, an initial meeting to assemble a cross-functional team with representatives from, among others, your legal department, your IT department, your future Data Protection Officer (DPO) and any other employees who can help identify your data flows.
In this preparatory phase you should also identify which laws, regulations and standards you must live up to in order to ensure compliance with the GDPR.
You cannot be sure to have the full picture yet, as interpretative aids are still missing for a number of the new provisions, but doing the exercise will at least give you an impression of how far away from compliance you are.
2. ANALYSE YOUR DATA FLOWS: WHAT DATA DO YOU HAVE AND WHERE IS IT?
The next step is to map your company’s data flows to see, among other things:
- What types of data are collected and processed?
- Who are the data subjects?
- What systems do you have for processing data?
Consider both your collection and processing locally and any processing by third parties such as cloud and outsourcing partners.
Start by asking yourself these important questions:
- Where does the data come from?
- Where is it kept?
The objective is to try to track the data ‘from cradle to grave’. For example, some employee data will be collected from job applications, and some will not be deleted until after termination of the employment.
WHERE DO YOU STORE PERSONAL DATA?
You may have the data on file in your recruitment or HR system, your personnel files, your e-mail, archives or payroll system, your intranet or external websites, in whistleblower systems, etc. Information about customers is usually stored in customer databases, e-mail and archive systems, CRM systems, mailing lists, etc. You also need to consider third party systems and storage solutions as well as your own internal use - for example, do your employees sometimes keep data on their desktops or in private folders, and are there internal customer lists or similar records that are not shared with other departments?
WHAT ARE YOUR DATA FLOWS?
The mapping of data flows is not an easy task. It requires a good deal of knowledge of your internal processes, and arranging data protection workshops with relevant employees (IT, HR, Legal and Compliance, sales and marketing, etc.) would be a good idea. In preparation for the workshop you should draw up a questionnaire (and have your employees fill it out) to help you work out what information you need in order to do the mapping. Another way of going about it could be to have one-on-one interviews with key employees, or you could choose another approach that fits your company’s organisation and resources.
If properly done, the analysis will give you an overview of your company's data flows, telling you, among other things, what systems you are using and what the contents of those systems are, both in terms of who the data subjects are and what types of data are being processed. You can then use this in your compliance analysis.
3. ANALYSE COMPLIANCE: ARE YOU IN COMPLIANCE WITH CURRENT RULES - AND WHAT ABOUT THE NEW RULES?
The first question in your compliance analysis should be, does your data processing comply with the rules as they are now? Next, you should see where you are in terms of complying with the coming rules of the GDPR. The following is a guide taking you through a number of areas that are essential for determining the lawfulness of your data processing.
ARE YOU COMPLIANT WITH BASIC PROCESSING RULES AND DOCUMENTATION REQUIREMENTS?
You will need to establish if your current data protection compliance and internal rules comply with the basic requirements of section 5 of the Danish Act on Processing of Personal Data, which lays down a number of conditions for the lawfulness of any processing of personal data. These conditions will reappear in the GDPR. For example, processing must be lawful and fair, or it will not live up to good data processing practice. Processing of personal data may take place only for objective and legitimate purposes, which must be expressly stated, and only relevant and sufficient data must be collected. Processing must comply also with the principle of proportionality, which holds that processing may take place only if necessary for the attainment of the stated purpose and if the same results could not be achieved by less intrusive means. The data controller is also under a duty to erase and correct: personal data which no longer serve their purpose must be erased and incorrect data must be corrected.
The GDPR introduces a new requirement for documentation. You must be able to prove compliance with the new conditions for processing of personal data.
You should actively analyse and decide, therefore, how the objective of any given processing can be delimited; how data volumes can be minimised; how regular updates and erasures can be managed; and what means will be required to safeguard against unlawful processing and loss of data.
- Assess the objectives of processing.
- Look at the amounts of data collected relative to objectives and critically evaluate whether collection is necessary.
- Clear out all data that are outdated, irrelevant or no longer serve a purpose.
- Document your compliance with fundamental principles, e.g. by drawing up guidelines for the collection and processing of data.
HAVE YOUR DATA SUBJECTS CONSENTED TO THE PROCESSING OF PERSONAL DATA?
In Denmark, where the processing of personal data requires consent, such consent must always be ‘explicit’. That is not necessarily the case in all EU Member States in relation to general, non-sensitive information (name, contact details, etc.), but all processing of sensitive information such as health details requires explicit consent.
The GDPR prescribes stricter requirements for consent than does the Data Protection Directive. For Danish enterprises, however, it will be nothing new - provided, of course, that they are already using valid consent forms. A valid consent must be freely given, specific, informed and unambiguous. Additionally, the GDPR emphasises the need for consent texts to be clear and easy to understand, and separate from the rest of the text of a contract or set of terms and conditions, etc.
Performance of a contract may be conditioned by such consent only if the processing to which the consent is sought is in fact necessary. Under the new rules, however, the data subject must be informed that he or she may withdraw the consent and it must be easy to actually do so.
ARE YOU COMPLIANT WITH THE NEW RULES ON CONSENT?
Why not start adjusting for the new rules on consent even now, so that the consents you ask for and obtain are in compliance with the GDPR? Update your current consent forms. If the consents you have been collecting until now do not live up to requirements under the GDPR, you should check to see if the data can be processed without consent. If not, you will need to obtain new consents to ensure compliance.
WHAT DATA PROTECTION MEASURES DO YOU HAVE IN PLACE?
Be sure to map your existing data protection set-up so that you may adequately assess its technical and organisational robustness or shortcomings. Examples of security measures include, among other things, restricted access, passwords, firewalls, pseudonymisation, encryption of sensitive data, etc. The GDPR introduces some new concepts in this area, e.g. data protection by design and by default. Data protection by design calls for systems intended to store or process personal data to be specifically designed for data protection. Data protection by default builds on the general principle that the most restrictive settings should always be adopted as the default settings in all such systems.
You are generally free to decide for yourselves what security measures you want to go with. However, if you have notified a particular processing to the Danish Data Protection Agency there may be special conditions to comply with, also in terms of data security. For example, the Agency has prepared standard terms and conditions for the processing of sensitive data in HR management, and there are special security requirements for the use of cloud-based solutions.
You are obliged, of course, to observe these requirements and should consider them in your assessment of the measures to be taken in any given processing of personal data, whether notified to the Data Protection Agency or not.
Public authorities are subject to the Danish Executive Order on Security Measures for Protection of Personal Data (No. 528 of 15 June 2000 as amended), which lists a number of requirements to be complied with in relation to, e.g., logging, access control, and other aspects. The Executive Order does not apply to private enterprises, but may serve to provide inspiration. Other than this, you could look to industry standards and practices and learn from the requirements involved in ISO certifications such as, for example, ISO 27001.
The requirement for implementation of adequate security measures is, by nature, dynamic and intended to reflect at all times the current knowledge and the technological advances. It will not do, therefore, to make the assessment ‘once and for all’. Although the coming GDPR does not add much new to the current rules on security measures, the latter are an important element in the data processing requirements, meant, among other things, to prevent breaches of security.
HOW ARE YOU HANDLING THE RIGHTS OF DATA SUBJECTS?
Start by reviewing your existing procedures for compliance with disclosure requirements, handling of requests for access to data and various enquiries about, e.g., erasure or correction of data. Then compare your procedures against existing rules and adjust as necessary.
When the GDPR takes effect, your duty of disclosure will be extended. Data subjects will have a right to know the manner in which their data will be processed, and the information must be provided to them in clear and easy-to-understand terms.
The GDPR also mandates a right to data portability (i.e. granting data subjects the right to receive, under certain circumstances, the data concerning themselves in "a structured, commonly used and machine-readable format", meaning a data format such as CSV, JSON or XML rather than any particular storage medium), restrictions on processing, the "right to be forgotten", including deletion of data at third parties, etc. You should therefore look to see what measures you will need to take in that respect and start adjusting your procedures to ensure that all the future rights of data subjects under the GDPR will be respected.
ARE YOU COMPLIANT WITH THE NEW DOCUMENTATION REQUIREMENTS?
As noted above, the GDPR imposes on enterprises a documentation obligation: Not only must you comply with the new Regulation, you must be able to prove that you have taken adequate measures to ensure compliance.
This, of course, calls for implementation of appropriate procedures, precautions, etc. To that end you might consider the following procedures/documents:
- General IT policy
- Policies and guidelines for the handling of personal data - preferably arranged by type (e.g. employee data, customer data, etc. ) - to lay down your rules on collection, regular processing, erasure, blocking, etc.
- Duty of disclosure procedures
- Policy for the handling of requests for access to data - should be drafted in such a way that it can be read by third parties
- Policy for the handling of other rights of data subjects
- Handling of international data transfers
- Procedure for the handling of security breaches, including the duty of notification to the Danish Data Protection Agency from 25 May 2018 onwards (without undue delay and, where feasible, within 72 hours of becoming aware of the breach)
- Handling of data processing agreements - when to have them, how to draft them, etc.
- Guidelines on the use of cloud-based solutions and/or services from IT suppliers in general
DO YOU KNOW WHAT THIRD PARTIES ARE PROCESSING DATA ON YOUR BEHALF?
The use of data processors requires a written data processing agreement, the contents of which must live up to certain specifications.
You should see, therefore, what third parties you have processing data on your behalf, review your existing agreements with them and insert the necessary provisions for, e.g., data protection if any are missing.
It is important in this regard that you include in your analysis also any potential processing on your behalf: if, for example, a third party is in a position to access your data or if an emergency back-up of your systems is required. The GDPR will introduce additional requirements for data processing agreements, including a requirement that they specify the nature and type of data, the categories of data subjects, etc.
As a general rule, therefore, you should be sure to have all of your data processing agreements updated accordingly by 25 May 2018.
You might want to include in the agreements also a provision on liability, as under the new rules the company (the controller) and the contracting party (the data processor) will be jointly and severally liable for any unlawful processing by the data processor. This represents a significant departure from the current regime, where the controller alone bears full liability for the processor’s actions on its behalf.
ARE YOU TRANSFERRING DATA OUT OF THE COUNTRY?
The transfer of personal data from one EU country to another requires no special precautionary measures. If you are transferring to countries outside the EU, on the other hand, you must ensure an adequate level of protection for the transfer. You should check to see if you are transferring personal data to countries outside the EU and if so, on what basis. The fastest and most widely preferred solution is to use the standard contracts of the European Commission, which, if the wording is reproduced unchanged, do not require approval by the Danish Data Protection Agency. For transfers to the United States the new Privacy Shield agreement, recently approved by the European Commission and open to US companies from 1 August 2016, could be relevant. There are other possibilities, too: For example, Binding Corporate Rules may be used for intercompany data transfers, or the explicit consent of the data subjects may be sought. Whatever your circumstances and preferences, you should make certain that you are not now transferring data unlawfully.
DO A COMPLIANCE REPORT
Building on the detailed analysis of your data flows and the lawfulness of your current data processing you can do a proper compliance analysis, identifying the measures you need to take to achieve compliance with the current Data Protection Act and with the GDPR when it takes effect on 25 May 2018. The outcome should be a report which may serve also - in part, at least - as the soon-to-be-mandatory documentation that your processing of personal data is responsible and compliant.
4. ACTION PLAN: WHAT INITIATIVES ARE REQUIRED TO ACHIEVE COMPLIANCE?
Having mapped all relevant information about your data flows and internal policies, and having analysed on that basis what you should do to ensure compliance with current rules and to be ready for the GDPR, all you need now is to convert your findings into concrete action points. You could do this by drafting an action plan, which might also be the starting point of your new compliance policy. The plan should be realistic and identify which areas you wish to prioritise.
5. IMPLEMENTATION: LAY DOWN THE POLICIES AND TRAIN YOUR EMPLOYEES
The implementation phase may involve the preparation of specific policies, training of employees, implementation of new procedures and safety measures. It is crucial in this phase that you create internally an understanding of the importance of data protection and that you communicate your message in a way everyone can relate to and appreciate, so that the changes will not be perceived as something burdensome or a project to be done and then forgotten.
6. STAY COMPLIANT: FOLLOW UP ON YOUR ACTION PLAN
With your compliance analysis completed and all necessary measures effectively launched, it is essential to do periodic controls to make sure you stay compliant. If your old procedures and workflows were not compliant, there will have been many new internal mechanisms introduced, and you should take care - especially at the beginning - to keep your focus and steer clear of pitfalls. Readable and easy-to-understand guidelines and procedures, and perhaps follow-up training, will help your staff in the process. Also, you should revisit your procedures after a year or so, to check that they are working as intended and that they are actually being used.
Our personal data team advises on all legal aspects of data protection law, across all industries, including the financial sector, the research and healthcare sector, and the telecom industry. We have refined and reinforced our personal data capabilities and skills substantially over the last few years. Our skilled and experienced lawyers have assisted on a variety of tasks within personal data compliance, offering valuable advice and successfully bridging the gap between a solid understanding of the law and practicable hands-on advice to our clients.