The final stretch to GDPR – when is it time to panic?
Doom, gloom and a bit more doom – the big stick with which the incoming General Data Protection Regulation (GDPR) can hit organisations that breach its statutes has raised widespread concern, writes Curtis Peterson, the senior vice president of Cloud Operations at RingCentral.
For those that have ignored GDPR completely and are only now considering a position, what is the get-out-of-jail card needed to prevent a worst-case scenario?
I just left the bunker – so what is GDPR?
The GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). Its primary objective is to return control of personal data to EU citizens and to simplify the regulatory environment for international business by unifying data protection compliance within the EU. Before heading to the IT department with a bag-o-cash for some magic-bullet-shaped technology that will instantly fix compliance, the first thing to understand is that GDPR is about processes and policies, which can be implemented and controlled using certain technologies.
Processing personal data
The most crucial aspects of the regulation are that organisations are only allowed to collect personal data for specified, explicit and legitimate purposes, and that the data must be processed lawfully, fairly and in a transparent manner. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Knowing me, knowing you!
The preceding paragraphs are a summation of just 1 of the 100 articles that make up GDPR. For this time-to-panic guide, the other 99 can be summed up as “you need to have explicit consent to collect or share this information, and if a person wants to examine the data you hold on them, then you need to make it available on request.”
Panicking yet? Well, the first thing you need to do is to find out what personal information your organisation holds. This could reside within mailing lists, customer relationship management systems and even HR records. You also need to find out where this data is stored, whether it is shared with any third parties and, critically, what it is used for. You also need to find out who has access to this data and under what circumstances, and – ultimately – whether this data is destroyed at some point. This requires a GDPR compliance audit; there are several firms that can do it for you, or you can assemble a multidisciplinary team and carry out the process internally.
This process might take days or weeks depending on the size of your organisation and the number of systems you maintain, but ultimately it will result in a list that should answer a few questions: What personal data do we hold? Where do we keep it? And what do we use it for?
Do we need to know?
These answers can immediately help you to flag up major issues under Article 9 of GDPR, which stipulates: “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”
There are exceptions, such as where the person has given consent, or where you need the information for processing as part of legitimate activities. So, for example, union affiliation is necessary data if your organisation is Unison. But holding information on sexual orientation is almost certainly prohibited.
On the dotted line
The next question to ask is: do you have consent to hold, process and transfer any of this personal data? In very broad terms, if the data held includes information that is covered by Article 9 (race, ethnicity, political opinions, religion, beliefs, genetics etc.) – basically anything more than name and address – then you need to find a corresponding affirmation of consent, which may have been obtained electronically, for each person whose data you wish to process.
Most of the ‘terms and conditions’ that people sign to gain access to electronic services such as pay-TV, dating apps, even the mighty Google, have embedded consent forms that require a click before continuing. Many paper contracts have similar legalese, and it is wise to ensure that these consent forms are included in all electronic and printed customer communications going forward.
Pretend you’re the customer
Lastly, GDPR requires that organisations can produce the information held on a person, change it if it is incorrect and delete that information if consent is withdrawn. So what now? Well, it would be a good idea to test, using a few dummy accounts, whether your organisation can do all of the above, and to document the processes needed to accomplish these tasks in a timely manner. If not, then you need to rebuild these workflows so that you are able to carry out these measures.
On a side note, the cloud can help with some of these workflows by allowing you to collate and synchronise personal data in a centralised repository. However, trying to sum up a quick fix for a regulatory framework that the EU allowed 24 months to be implemented is still a challenge. The final bit of advice is to take it seriously, or be part of the first test cases that find out just how painful a fine of 2% of global revenue or €20 million really feels.