The General Data Protection Regulation (GDPR) will forever change how organisations process customer data. The regulation defines “processing” as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, and so on.”
As a result, the GDPR is an incredibly robust, all-encompassing law.
While the regulation applies directly to organisations established in the European Union (EU), it also reaches organisations outside the EU that process the personal data of data subjects residing in the EU.
In other words, it applies to Australian businesses that process and hold the personal data of EU residents, so there is a good chance that it applies to your business.
Failing to comply carries significant fines of up to four percent of annual global turnover or nearly $32 million AUD, whichever is higher.
Perhaps even more significant is that data protection authorities can impose a temporary or permanent ban on your data processing activities, and a finding of non-compliance can damage your reputation.
One misinterpretation many companies have is that the GDPR is some monster that’s simply there to disrupt their flow of data. In reality, it’s all about using the information in a safe, responsible way. It can actually be more of an opportunity than an obstacle, and demonstrating compliance can be a considerable competitive advantage over others that are lagging behind.
Considering that the enforcement date is 25 May 2018, it’s vital that your company prepares itself in order to make a seamless transition.
Below is a series of questions you should ask as you prepare for the implementation of the GDPR.
1. Do I have lawful grounds to collect personal data?
The first area to address is whether or not your organisation has lawful grounds to collect and process personal data.
The Information Commissioner’s Office (ICO) explains that there are six lawful bases:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
To understand how these requirements apply to your organisation, it’s crucial that you understand what is meant by the term “personal data.” EUGDPR.org defines this as any information that can directly or indirectly be used to identify a person. Some examples include:
- Email address
- Banking information
- Medical information
- IP address
The first basis, consent, deserves special exploration. The international law firm Taylor Wessing LLP provides a legal definition of consent as it applies to the GDPR:
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
This is typically done with an opt-in box where individuals can quickly choose to consent or not consent. Ideally, it won’t interfere with the on-site user experience (UX). Check out this resource from Econsultancy for examples of how to incorporate opt-in boxes without disrupting the UX.
It’s equally important that you maintain thorough records showing that data subjects did, in fact, consent. This is critical for defending your organisation if you are wrongfully accused of non-compliance. There are three key pieces of information you need here:
1. A record of when you got consent
2. A record of how you got it
3. A record of what data subjects were told
2. Are we transparent?
Note that under this new regulation, individuals have the right to object to their personal data being processed for direct marketing. You should be transparent about this, and data subjects must be given a straightforward way to refuse.
The GDPR also mandates that data subjects can withdraw their consent at any time, and that withdrawing consent must be as easy as giving it. So if they change their mind and no longer want their data collected, you must provide them with a means of saying so.
Withdrawal of consent is closely tied to the right to erasure (the “right to be forgotten”), under which the data subject can require the data controller (your organisation) to erase their personal data. If you have passed that data to third-party processors, the erasure has to reach them as well.
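The record-keeping in question 1 (when consent was given, how, and what the subject was told) and the withdrawal requirement above are easiest to satisfy with an append-only ledger in which nothing is ever edited, only added. The following is an added example written for this page, not code from the original article or from any of the firms it cites; the purpose names, notice versions, timestamps and evidence ids are constructed sample values.

```python
"""Append-only consent ledger (added example, constructed data).

Every consent event records when it happened, how it was obtained and which
version of the notice the subject saw, so the three facts the ICO expects
(when, how, what they were told) are always available. Withdrawal is a
single call that needs no extra information, so it is as easy as opting in.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry; events are never updated or deleted."""
    subject_id: str
    purpose: str          # consent is specific: one purpose per event
    action: str           # "given" or "withdrawn"
    at: datetime          # when (timezone-aware, UTC)
    method: str           # how, e.g. "web_opt_in_checkbox", "unsubscribe_link"
    notice_version: str   # what they were told: the notice version shown
    evidence: str = ""    # pointer to proof, e.g. a form submission id


def _now() -> datetime:
    return datetime.now(timezone.utc)


class ConsentLedger:
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, event: ConsentEvent) -> ConsentEvent:
        if event.at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        if event.action not in ("given", "withdrawn"):
            raise ValueError("action must be 'given' or 'withdrawn'")
        self._events.append(event)
        return event

    def record_given(self, subject_id: str, purpose: str, method: str,
                     notice_version: str, evidence: str = "",
                     at: Optional[datetime] = None) -> ConsentEvent:
        """Opt-in: the notice version is mandatory, it is the 'what were they told'."""
        if not notice_version:
            raise ValueError("record the notice version the subject actually saw")
        return self._append(ConsentEvent(subject_id, purpose, "given",
                                         at or _now(), method, notice_version, evidence))

    def record_withdrawn(self, subject_id: str, purpose: str, method: str,
                         at: Optional[datetime] = None) -> ConsentEvent:
        """Opt-out: no notice version required, withdrawing must be as easy as giving."""
        return self._append(ConsentEvent(subject_id, purpose, "withdrawn",
                                         at or _now(), method, notice_version=""))

    def history(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Full audit trail for one subject and purpose, oldest first."""
        return sorted((e for e in self._events
                       if e.subject_id == subject_id and e.purpose == purpose),
                      key=lambda e: e.at)

    def is_consented(self, subject_id: str, purpose: str,
                     at: Optional[datetime] = None) -> bool:
        """Was consent in force at time `at`? The latest event on or before `at` decides,
        so you can prove what the position was on the day a mailing went out."""
        when = at or _now()
        latest = None
        for event in self.history(subject_id, purpose):
            if event.at <= when:
                latest = event
        return latest is not None and latest.action == "given"


# Constructed sample timeline: consent given on GDPR day, withdrawn a week later.
T_GIVEN = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
T_WITHDRAWN = T_GIVEN + timedelta(days=7)
T_BEFORE = T_GIVEN - timedelta(days=1)
T_BETWEEN = T_GIVEN + timedelta(days=3)


def build_example_ledger() -> ConsentLedger:
    ledger = ConsentLedger()
    ledger.record_given("subject-42", "marketing_email", "web_opt_in_checkbox",
                        notice_version="privacy-notice-v3", evidence="form-1234", at=T_GIVEN)
    ledger.record_withdrawn("subject-42", "marketing_email", "unsubscribe_link", at=T_WITHDRAWN)
    return ledger


if __name__ == "__main__":
    ledger = build_example_ledger()
    for event in ledger.history("subject-42", "marketing_email"):
        print(event.at.isoformat(), event.action, event.method, event.notice_version or "-")
    print("consented now:", ledger.is_consented("subject-42", "marketing_email"))
```

Because the ledger is append-only, withdrawing consent does not erase the evidence that it was once given, which is exactly what you need if a regulator asks why a particular email was sent in the week before the subject opted out.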
3. Is there a purpose for the processing of data?
There should always be a definitive purpose for processing data, and data subjects should have a clear idea of what your intentions are for collecting their data.
Maybe you’re doing it to personalise their browsing experience or to feature suggested products they may be interested in. Whatever the reason, you must be explicit and unambiguous about the purpose.
4. Is it proportional to our goals?
You need to be cognizant of the types of data you collect and store, and to be sure it’s strictly the essentials. In other words, you shouldn’t be collecting and storing unnecessary data. Otherwise, you’re putting your data subjects (and your organisation) at unnecessary risk because you’re needlessly increasing the attack surface.
This brings us to the topic of data retention. Generally speaking, data should only be stored for as long as necessary. Once it’s no longer useful, it should be destroyed.
Taylor Wessing LLP explains that the retention period for different types of data can differ, and you should take any legal requirements into account, including tax law, trade law, employment law and so on. For data with no legal retention requirement, you’ll need your own guidelines, such as deleting data once it’s no longer up to date or when a data subject has withdrawn consent.
Having a formal policy in place should keep team members on the same page and provides a certain level of accountability.
To streamline the process of deleting data, you must first know all of the places where your data is located (e.g. servers, employee email accounts, cloud storage, and paper files). From there, you should develop a procedure to ensure that everything is properly eliminated and can’t be restored.
Again, it’s wise to assign this to a person or group and have them be responsible for overseeing this.
Storing unnecessary data is a financial drain as well. Gartner found that companies were spending 20 percent more than they need to on backing up unnecessary data, which adds up to nearly $13 billion AUD worldwide.
So be sure that you’re legitimately using any data you collect and store and that it has a practical purpose.
It’s also important that you continually review and audit the data you store. There’s always the chance that storing a particular type of data made sense at one point but, over time, it becomes unnecessary. For this reason, it’s smart to routinely check on your data and make sure everything you’re storing is still necessary.
This should be done a minimum of once a year. Be sure to appoint a particular person or team to this process.
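The retention guidance above (legal minimums per data type, your own ceilings where the law is silent, deletion on consent withdrawal, and a periodic review) becomes enforceable once it is written down as a policy that a script can apply to an inventory of where data lives. The following is an added example for this page, not code from the original article or from Taylor Wessing; the data categories, retention periods, storage locations and records are constructed illustrations, not legal advice about what any jurisdiction actually requires.

```python
"""Retention policy check over a data inventory (added example, constructed data).

For each record it decides keep / delete / review and explains why, grouped by
storage location, so the deletion procedure knows every place the data sits.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    basis: str               # lawful basis relied on for this category
    keep_at_most: timedelta  # delete once the record is older than this
    # Illustrative periods only; real values come from your legal review.


# Constructed policy. A legal_obligation basis (e.g. tax records) is not affected by
# consent withdrawal; a consent basis is.
POLICY: Dict[str, RetentionRule] = {
    "invoice": RetentionRule("legal_obligation", timedelta(days=7 * 365)),
    "marketing_profile": RetentionRule("consent", timedelta(days=2 * 365)),
    "support_ticket": RetentionRule("legitimate_interests", timedelta(days=365)),
}


@dataclass
class Record:
    record_id: str
    category: str
    subject_id: str
    created: datetime
    location: str                                # server, mailbox, cloud bucket, paper archive...
    consent_withdrawn: Optional[datetime] = None
    legal_hold: bool = False                     # e.g. litigation hold overrides deletion


def decide(record: Record, now: datetime, policy: Dict[str, RetentionRule] = POLICY) -> Tuple[str, str]:
    """Return (action, reason) where action is 'keep', 'delete' or 'review'."""
    rule = policy.get(record.category)
    if rule is None:
        return "review", "no retention rule for category %r" % record.category
    if record.legal_hold:
        return "keep", "legal hold in place"
    if rule.basis == "consent" and record.consent_withdrawn is not None:
        return "delete", "consent withdrawn on %s" % record.consent_withdrawn.date()
    age = now - record.created
    if age > rule.keep_at_most:
        return "delete", "retention period expired (%d days old)" % age.days
    remaining = rule.keep_at_most - age
    return "keep", "%d days of retention remaining" % remaining.days


def plan(records: List[Record], now: datetime,
         policy: Dict[str, RetentionRule] = POLICY) -> Dict[str, Dict[str, List[Tuple[str, str]]]]:
    """Group decisions as action -> location -> [(record_id, reason)], so deletions
    can be handed to whoever owns each location (DB admin, mail admin, archivist)."""
    out: Dict[str, Dict[str, List[Tuple[str, str]]]] = {"keep": {}, "delete": {}, "review": {}}
    for rec in records:
        action, reason = decide(rec, now, policy)
        out[action].setdefault(rec.location, []).append((rec.record_id, reason))
    return out


# Constructed inventory, reviewed as of GDPR enforcement day.
AS_OF = datetime(2018, 5, 25, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("inv-1", "invoice", "s1", datetime(2010, 1, 1, tzinfo=timezone.utc), "finance_db"),
    Record("inv-2", "invoice", "s2", datetime(2015, 1, 1, tzinfo=timezone.utc), "finance_db"),
    Record("mp-1", "marketing_profile", "s3", datetime(2017, 1, 1, tzinfo=timezone.utc), "crm_db",
           consent_withdrawn=datetime(2018, 3, 1, tzinfo=timezone.utc)),
    Record("mp-2", "marketing_profile", "s4", datetime(2015, 1, 1, tzinfo=timezone.utc), "crm_db"),
    Record("mp-3", "marketing_profile", "s5", datetime(2017, 6, 1, tzinfo=timezone.utc), "backup_bucket"),
    Record("st-1", "support_ticket", "s6", datetime(2016, 1, 1, tzinfo=timezone.utc), "helpdesk",
           legal_hold=True),
    Record("cam-1", "cctv_footage", "s7", datetime(2018, 5, 1, tzinfo=timezone.utc), "nvr"),
]


if __name__ == "__main__":
    for action, by_location in plan(SAMPLE_RECORDS, AS_OF).items():
        for location, items in by_location.items():
            for record_id, reason in items:
                print("%-7s %-14s %-6s %s" % (action, location, record_id, reason))
```

Records in an unknown category land in "review" rather than being silently kept, which is how the annual audit surfaces data nobody wrote a rule for; a record under legal hold is never deleted, however old it is.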
5. Have we considered the impact our data processing will have on individuals?
You obviously don’t want to put your data subjects at unnecessary risk. Questions one through four are all designed to drastically reduce the chance of their personal data being exposed.
Besides this, however, you should also pay close attention to any third parties who will be processing your company’s data and ensure that they’re upholding the same standards and meeting GDPR processing requirements. Otherwise, an oversight on their end could potentially hurt your data subjects, as well as your organisation.
In addition, you should be prepared in the event that a data breach does occur and understand the process of performing a breach notification.
Once the GDPR goes into effect, notifying the supervisory authority will be mandatory whenever a data breach is likely to “result in a risk for the rights and freedoms of individuals.” Note that this must be done within 72 hours of the time you first become aware of the breach, and where the risk to individuals is high, the affected individuals must also be told without undue delay.
The GDPR mandates that the notification include the following information:
- The nature of the data breach, including the approximate number of individuals it concerns and the approximate number of data records
- The name and contact information of the DPO or other point of contact where affected individuals can obtain more information
- The likely consequences of the data breach
- The steps that have been taken or will be taken to address and resolve the data breach
Gathering this information quickly is only possible if you have prepared for it before a breach occurs, so decide in advance who owns each item and how they will collect it.
6. Have we protected the information?
This one is huge. It’s critical that you take the right steps to optimise your organisation’s cybersecurity and ensure that your infrastructure is always up to par.
With data breaches plaguing Australian companies in 2017 and costing them an average of $2.51 million AUD, comprehensive cybersecurity is a must.
A good starting place is to conduct a risk assessment to identify any areas of potential weakness. Scans aimed specifically at sensitive data are particularly useful here, because they focus on where customer data is actually stored and exposed rather than only on general vulnerabilities.
Beyond that, you’ll want to do the following:
- Encrypt personal data (the GDPR explicitly names encryption and pseudonymisation as appropriate security measures)
- Limit who can access customer data to those who need it for their role (many data breaches are the result of insiders)
- Educate your employees on cybersecurity best practices
7. Can we show that we’re accountable for what we’re doing for the other six points?
One of the main purposes of the GDPR is to shift the burden of proof to organisations and ensure that they’re taking responsibility when processing data. So the final question to ask is whether or not your company can prove accountability to the aforementioned points.
At the end of the day, you must be able to demonstrate that you have the appropriate policies and processes in place to ensure compliance. ICO explains the necessity of maintaining a record of which basis you’re relying on for each processing purpose and a justification for why you believe it applies.
There is no standard form or document for this. What’s important is that the record is sufficient to demonstrate that a lawful basis applies.
Being Diligent in Your Preparation
With the GDPR’s enforcement just around the corner, many companies are scrambling to prepare. This is understandably a stressful time for some organisations, especially considering the stiff penalties that are in place.
But it doesn’t have to be. By working your way through these questions step-by-step, all of the core areas should be covered, and you should be in good shape.
This way you can make a smooth transition once 25 May 2018 comes around.