5 key lessons for organizations still struggling with GDPR
It is now three months since the European Union’s General Data Protection Regulation came into effect, and anxieties about the legislation, which flowed through our industries before its implementation, remain commonplace.
The new regulations supersede the Data Protection Directive and have standardised protections across Europe. In respect of business, this means they have bound organisations that operate within the European Union (EU) or European Economic Area (EEA), or that employ or serve its citizens, to a single rulebook.
It is clear from recent industry surveys that many organisations are not yet quite clear on how to comply with their GDPR obligations, and how, exactly, the regulations will affect their culture, costs, and operations.
However, if you’re a business owner, and you’ve not yet considered your organisation’s obligations in respect of the GDPR, you urgently need to do so. This needn’t be costly or overly burdensome. It simply requires an examination of your existing procedures, and, where necessary, bringing them into line with the new regulatory baselines.
I am the Group Data Protection Officer at VFS Global, the world’s largest outsourcing and technology services specialist for governments and diplomatic missions worldwide, where we handle and process millions of visa applications and citizen service applications involving sensitive personal information of applicants. VFS Global became one of just 15 per cent of global companies to achieve compliance with GDPR ahead of its introduction.
Here are five insights I can offer as a result of our experience:
1 - Identifying where you hold personal information
This is the golden fleece of Data Protection: customers and clients leave substantial data trails of their personal lives online, particularly when making purchases, submitting enquiries and consenting to online cookie policies. This data will be processed and handled by multiple teams and systems in companies large and small. So, identifying where and what personal data you hold within the structures of your organisation is imperative. It will not only demonstrate your organisation’s compliance with the minimum baseline for this area, but also make sourcing data, in the event of a subject request, a simpler task for you or your team.
It is also important to remember that unstructured web data falls within the scope of the legislation. This includes social media posts, profile images of customers, the IP addresses of their devices, their geographic locations and so on, so do be sure to add these to your appraisal.
This guide should be useful in providing a structured approach to identifying where data may be found in your systems: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/documentation/how-do-we-document-our-processing-activities/
Ultimately, though, improved collaboration between teams for the delivery of GDPR compliance will be key.
2 - Lawful basis for processing
A significant consequence of the GDPR for businesses operating in the European sphere is that they are now compelled to demonstrate a lawful basis for processing a set of personal data. The most commonly aired basis is that of consent. However, consent can be withdrawn or not given. Therefore, careful consideration should be given to your business model when deciding on the lawful basis that you will use.
A simple method to determine if consent is a suitable lawful basis is to apply the NEED – WANT – DROP filter to the personal data that supports your business activity. If you “NEED” the data for the business activity and can’t run the activity without it, then avoid consent and look to another lawful basis such as “fulfilment of contract”. If you “WANT” the data, typically for marketing, then consent is a suitable lawful basis. If, however, you have or want the personal data but you cannot perform lawful processing on it, then you must “DROP” this data.
3 - A customer’s right to be forgotten
The new legislation enhances an individual’s rights with regard to their personal data. One of these rights is the right of erasure (the right to be forgotten), i.e. the right to request that a company erases the data it holds on them. And, since this needs to happen within a reasonably short timeframe of receiving a request, it is important that you know where data is stored in your processes and that you have a procedure in place to delete that data, so that you can respond quickly and efficiently.
A lot of commonly used business software does not support the selective deletion of data, so this will be a good time to have a discussion with your IT people to see if, and how, the right of erasure can be supported. To avoid potential fines and reputational damage for non-compliance, you may also need to introduce automated workflows for triggering and confirming the erasure of data from multiple internal and external systems. There are several good products on the market that will support workflow management, and some will even create a webpage for your clients to exercise their rights.
4 - Changing your business culture to achieve compliance
The potential reputational damage and financial costs associated with a business failing to comply with the GDPR mean it is crucial that employers take steps now to embed compliance within their organisational culture. This means developing a culture of transparency, both externally towards clients with respect to how their data is processed, and internally with staff so that incidents involving personal data are escalated and addressed. Part of this transparency is the obligation of businesses to demonstrate their compliance.
This is achieved through clear, documented records about how they store, secure, and process data through their systems, as well as the steps they have taken to improve data sourcing and handling among their staff. There are useful guides, which examine data storage and training opportunities for staff, at: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/
5 - Illustrating how you use, process, and protect existing employee data
GDPR requires that consent is ‘freely’ given by data subjects. This, ostensibly, means that where there is perceived to be an imbalance of power between the consenting party and the organisation, that consent will be deemed invalid, and, given the nature of employee-employer relationships, this would prove pointless in some cases.
For example, an employer is expected to hold and process employees’ names and bank account details, on a regular basis, as per the terms of their employment – and, accordingly, should not have to establish ‘consent’ for each process. The same goes for transactions that relate to the payment of statutory sick pay.
In this area, then, it is thought that most organisations will use the lawful basis of “performance of contract”, in this case the contract of employment. That said, there are some areas that will require your attention. One is how you store and transport the personal information you hold on your existing and former employees, especially if you are using a third party for activities such as payroll. Files containing the most sensitive data should be encrypted, and it is important that all staff are informed of your procedures, and purpose, for holding their data.
You can find more information on the employee-employer element to the GDPR at: https://ico.org.uk/for-organisations/making-data-protection-your-business/