by Barry Cook, industry expert and VFS Global’s Privacy and Group Data Protection Officer
It’s now over six months since the European Union’s (EU) General Data Protection Regulation (GDPR) came into effect, and, if recent industry surveys are to be believed, anxieties about the path to compliance, and about how businesses should revise their internal processes and frameworks to meet the legislation’s standards, remain commonplace.
For Irish businesses that operate in the EU or European Economic Area (EEA), or that serve its citizens, the GDPR legislation is significant, in that it has moved the benchmark for data handling upwards from the preceding Data Protection Directive, and has effectively bound all trading companies, large and small, to a common rulebook.
This move, to standardise data handling and processing across the EU, took effect on 24 May 2018, and was parcelled into domestic legislation, in Ireland, a day later, through the Data Protection Act 2018.
Yet, it seems, even after a two-year implementation phase and six months of the new regulations being in effect, that uptake with, and understanding of, the GDPR remains low among businesses – with the majority still unaware of how, exactly, it could affect their culture, costs, and operations.
The truth, and the short of the matter, is that almost all businesses have obligations with regard to the GDPR, or the Data Protection Act as it is known in Ireland, and will need to take steps to align their processes with its baselines.
This may sound daunting, particularly for SMEs, but it doesn’t have to be burdensome or, indeed, costly. It simply requires an appraisal of business procedures and processes.
Based on my knowledge of the legislation and my experience, I have identified some key areas that I believe should feature in the thoughts of enterprises, large or small, as they embark on and ensure their compliance.
Identifying where personal information is used
This is one of the most significant areas of the GDPR legislation, and affects all businesses. So, even for single-person enterprises, it’s important that steps are taken to map out interactions with clients and customers, and to identify their data trails through each system. This is known as a record of processing activities (RoPA) in GDPR parlance. As data will often pass through several processes, a thorough mapping of all workflows is imperative, particularly if cross-border data flows are involved.
This work will demonstrate compliance with the minimum baseline for this area, as well as make sourcing the data, in the event of a subject request, a simpler task.
As an addendum to this, businesses should also include unstructured web data – such as social media posts, profile images of customers, IP addresses of their devices, their geographic locations etc – in their mappings, as this falls within the reach of the legislation, and not forget any paper-based processes, especially if they form part of a filing system.
Determining lawful basis
Another key aspect of the GDPR is that personal data must not be processed without a ‘lawful basis’ for processing. The most commonly aired basis is that of consent. However, given that consent can be withdrawn – or, indeed, not given at all in some instances – businesses need to look, carefully, at their grounds for processing data.
An easy way of determining what lawful basis should be used for processing particular data is to apply a NEED, WANT, and DROP approach.
If an organisation “NEEDS” data for a business activity and can’t run the activity without it, then don’t use consent as the lawful basis, use one of the other lawful bases outlined in the legislation. If it “WANTS” the data, perhaps for marketing, then consent is an option. And, last, if it holds data, but cannot identify a lawful basis for processing it, then it should “DROP” that data and securely destroy it.
Organisational cultures will need to change as a result of the GDPR. Data privacy is rapidly becoming a brand differentiator as public awareness of privacy rights is raised. That’s a fact.
Failing to do so could result in competitive disadvantage, considerable reputational damage, and heavy financial costs, due to non-compliance.
So, this should be a priority for businesses both large and small, and will ultimately require moving towards a culture of transparency, both externally, towards the client with respect to how their data is processed, as well as internally, with staff. This will empower staff to understand the importance of data privacy and data protection so that data breaches are discovered, escalated and mitigated in a timely fashion.
To summarise the point: businesses should begin to document how they store, secure, and process data, as well as provide evidence of the steps they have taken to improve data handling. This is a requirement under the GDPR, but it also enables a business to get clarity on its data processing.
There are a number of useful guides available online, including this one by the Data Protection Commission.
The right to be ‘forgotten’
A commonly known feature of the GDPR is the provision it provides for individuals and their rights with regards to their personal data. Those rights can be seen in more detail here.
One of these is the right of erasure – otherwise known as the right to be ‘forgotten’ and to have their data trails permanently deleted. And, since this has to happen within a tight timeframe, on receipt of a request, it’s key that businesses know where personal data is stored and have procedures in place to manage and action erasure requests. A point to note is that the right of erasure is not an absolute right and is conditional, as businesses have other obligations to keep some personal data for legal reasons such as tax reporting.
A lot of software used by businesses today does not permit the selective deletion of data and, indeed, with interconnected databases and processes, deleting data may cause significant issues. However, this is not a reason to refuse to erase data. So, it is advisable that businesses bring together their IT teams and look at how the right of erasure can be implemented. It may be that some investment is required in this area, or that steps need to be taken, internally, to develop automated workflows for triggering and confirming the erasure of data from multiple internal and external systems.
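As an added illustration (not code from the article, the author, or VFS Global), the following Python sketch ties together the two practical points above: a record of processing activities (RoPA) that says which system holds data for which activity, used to locate everything held about a subject, and an erasure-request handler that skips records still under a legal retention obligation (the tax-reporting case mentioned above), deletes the rest, and then re-reads each system to confirm the data is actually gone. All activity names, system names, retention periods, subject identifiers and records are constructed for the example.

```python
"""
Constructed example of a RoPA-driven erasure workflow.
Systems are stand-in dicts; in practice each would be a call to a
CRM, ERP or an external payroll processor's deletion API.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcessingActivity:
    name: str                          # what the data is used for
    system: str                        # which system holds it
    lawful_basis: str                  # consent / contract / legal_obligation
    cross_border: bool                 # leaves the EEA? (flagged for the RoPA)
    retention_years: Optional[int] = None  # statutory minimum, None = no obligation


# Constructed RoPA: four activities across internal and external systems.
ROPA = [
    ProcessingActivity("newsletter", "crm", "consent", cross_border=False),
    ProcessingActivity("order_history", "erp", "contract", cross_border=False),
    ProcessingActivity("invoices", "erp", "legal_obligation", cross_border=False,
                       retention_years=6),
    ProcessingActivity("payroll", "payroll_provider", "contract", cross_border=True,
                       retention_years=6),
]

# A record is (activity_name, created_on); systems map subject_id -> records.
Record = Tuple[str, date]
Systems = Dict[str, Dict[str, List[Record]]]


def build_sample_systems() -> Systems:
    """Constructed data held about two subjects, 's-1' and 's-2'."""
    return {
        "crm": {"s-1": [("newsletter", date(2018, 1, 10))],
                "s-2": [("newsletter", date(2018, 2, 2))]},
        "erp": {"s-1": [("order_history", date(2017, 6, 1)),
                        ("invoices", date(2017, 6, 1))]},
        "payroll_provider": {"s-1": [("payroll", date(2010, 3, 1))]},
    }


def locate_subject_data(ropa, systems: Systems, subject_id: str):
    """Walk the RoPA to find every (activity, created_on) record about a subject."""
    found = []
    for act in ropa:
        for name, created_on in systems.get(act.system, {}).get(subject_id, []):
            if name == act.name:
                found.append((act, created_on))
    return found


def retention_expires(created_on: date, years: int) -> date:
    """Date on which a statutory retention period ends (29 Feb handled)."""
    try:
        return created_on.replace(year=created_on.year + years)
    except ValueError:
        return created_on.replace(year=created_on.year + years, day=28)


def must_retain(act: ProcessingActivity, created_on: date, today: date) -> bool:
    """The right of erasure is conditional: a legal obligation overrides it."""
    return (act.retention_years is not None
            and retention_expires(created_on, act.retention_years) > today)


def handle_erasure_request(ropa, systems: Systems, subject_id: str, today: date):
    """Erase what can be erased, record what must be kept, confirm each deletion."""
    report = {"erased": [], "retained": [], "unconfirmed": []}
    for act, created_on in locate_subject_data(ropa, systems, subject_id):
        if must_retain(act, created_on, today):
            report["retained"].append(
                (act.system, act.name, f"legal retention {act.retention_years}y"))
            continue
        store = systems[act.system]
        store[subject_id] = [r for r in store[subject_id] if r[0] != act.name]
        if not store[subject_id]:
            del store[subject_id]
        # Confirm by re-reading the system rather than trusting the delete call.
        still_there = any(r[0] == act.name for r in store.get(subject_id, []))
        bucket = "unconfirmed" if still_there else "erased"
        report[bucket].append((act.system, act.name))
    return report


if __name__ == "__main__":
    systems = build_sample_systems()
    print(handle_erasure_request(ROPA, systems, "s-1", date(2018, 12, 1)))
```

The report is what a business would hand back to the data subject: which records were removed from which systems, and which were kept and on what legal ground, so the response to the request is both complete and justified within the statutory timeframe.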
The UK Information Commission have produced guidance for organisations on this point.
Processing staff data
A running theme of the GDPR is that consent should be given ‘freely’ by data subjects. This means that where there is perceived to be an imbalance of power between the consenting party and the organisation, consent will be deemed invalid. This is of particular importance to HR teams when considering the processing of employee data.
This is a practical application of the NEED-WANT-DROP principle. In this example, another lawful basis, such as “performance of contract” (the contract of employment), should be used to process employee personal data. Of course, if “performance of contract” is used as the basis to process personal data, then employees must be fully informed of those processing activities in order to comply with the principle of lawfulness, fairness and transparency.
Indeed, in the instance of employee financials and payroll, it is reasonable for an employer to hold and process this data without seeking consent. The same goes for processes that relate to the payment of statutory sick pay.
Still, though, there are some areas within this topic that will require consideration.
One is how personal information, relating to staff and former employees, is stored and transported – particularly if a third party in a third country is used for activities such as payroll.
To this end, the default should be that files containing the most sensitive data be encrypted, and that all staff are informed of procedures, data retention periods, and the purposes for holding their data.
Businesses may also be required to appoint a Data Protection Officer, either within their existing team or through a new hire, to oversee all these matters. You can find more information about this role and what it entails here.
As a broader guide, the Data Protection Commission has produced information on the employee-employer element to the GDPR and a tick list for SMEs embarking on their path to compliance.