On the 25th May 2018, important legislation governing the use and processing of data will come into place, known as General Data Protection Regulation (GDPR), and will apply to any organisation collecting or processing the personal data of EU residents. Personal data includes health, biometric and genetic data, as well as IP addresses and cookies.
The GDPR involves a massive shift towards individual’s rights in accessing, rectifying and sometimes even deleting their own personal data. While the GDPR document may seem overwhelming, we have produced a simple checklist to ensure you understand how to comply with the upcoming regulations.
Failure to comply with these regulations can result in a fine of €20M euros, or 4% of global turnover, whichever is higher, compensation claims for affected individuals, and significant reputational costs.
Fundamental to the GDPR, there are two primary roles:
1. Data Controller
2. Data Processor
In general, and in particular as a Data Processor, the below are simple steps you can take in order to meet your GDPR obligations:
1. Have you ensured data is stored in such a way that individual entries can be deleted easily?
If at any point an individual requests that their data be deleted, the Processor must have a clear system in place to achieve this effectively. This may involve restructuring the data you already have, and in some cases means you will have to redefine the way you collect data. It is important to show to regulators that you have a clear guideline in place for the deleting of individual data.
2. Have you determined whether you need to complete the Data Protection Impact Assessment (DPIA)?
The DPIA form is mandatory if the data processing is likely to result in a high risk to the rights of the individual, but it is good practice to follow this process regardless. The DPIA consists of defining the information flow, identifying data protection and related risks, and identifying solutions to protection and these risks.
3. Have you assigned a Data Protection Officer?
The Data Processor must make sure that personal data is processed lawfully, fairly and transparently. This includes appointing an independent Data Protection Officer (DPO), which is compulsory for companies processing large-scale data, or processing data of a sensitive nature. This DPO cannot be a chief executive of the company, and must be independent in some way, whether part of an internal legal team separated from business decision making, or an external consultant.
4. Have you set up an adequate protocol to prevent and counter data breaches?
If a data breach does occur for any reason, the regulator must be notified within 72 hours of the breach. Before this happens, Processors must ensure they have:
● Set up internal procedures and protocols, and appointed responsible persons for identifying, reviewing and notifying data breaches.
● Identified the competent supervisory authorities that must be notified in case of a data breach.
● Compiled list of relevant contact details of data subjects.
● Ensured that data processing agreements contain an obligation for the data processor to fully cooperate with the data controller in case a data breach occurs (for example by providing details about the breach to the data controller or to the supervisory authority).
● Considered whether it is necessary to take (additional) data security measures such as pseudonymisation or encryption of personal data.
5. If you are a data controller, have you ensured your consent rules are adequate?
Controllers must make sure that any individual whose data they collect consent to this, and that if the individuals also consent to their data being shared, and the parties this data is being shared with. It must be as easy to withdraw consent as it is to provide consent.
GDPR is approaching fast, but facing this regulation is easier than it seems. If you ensure that individual data can be easily accessed and deleted, complete the Data Protection Impact Assessment, appoint a Data Protection Officer to be responsible for enforcing the regulation, and make sure you have an adequate breach policy, you should soar through GDPR regulations.
If you are worried about any of these points, or about some of the finer regulations of GDPR such as data location, don’t hesitate to contact us to arrange a meeting with one of our GDPR specialists.
For our clients, Innovify as a Data Processor, has taken pro-active steps to be fully compliant with the GDPR regulations.
Innovify is a fast growing digital innovation & product management company.
Offering a wide range of expertise, Innovify helps clients to develop innovative products that enable them to focus on key business drivers using a collaborative work model that functions on an Agile & Lean philosophy. Innovify has become a trusted partner to its clients by going beyond the typical scope of application development through a range of digital products such as websites, apps, and software.
Innovify is the right partner for your digital ambitions.