With the imminent commencement of the European Union’s General Data Privacy Regulation (GDPR), companies are struggling to bring their privacy programmes up to the new standard. The GDPR adds significantly to the rights of European residents, and also the obligations of those who control or process their data.
While there is a large volume of information available for companies on the topic, there is also a large amount of work that needs to be done in order to make sure you meet your obligations. Based on our experience with supporting clients through this process, the top five areas you need to focus on are:
Privacy Impact Assessments
Privacy Impact Assessments (PIAs) are a method of assessing whether a particular product or process introduces any specific privacy risks. They have been used by privacy professionals for many years, but are now mandatory for anyone processing high risk data about people.
The reason to start with PIAs for your highest risk data processing activities is that you will already be focusing your resources where it is most critical, rather than starting with the data in silos and working out how it is used.
Once you’ve selected a process to review, our suggested method is to:
- Define a scope to the project and map the process
- Determine the people involved who could potentially be data subjects
- Determine the data held for each type of subject
- Map the data flow, with special consideration on transfers outside your organisation and internationally
- Ensure that the data is used properly (this includes being retained for a legitimate purpose, and being adequate, necessary and limited to that purpose, as well as getting consent, and maintaining the data appropriately).
The PIA process is a great way to start your data privacy programme by uncovering the issues from the basis of a business project.
Establish a lawful basis for processing
Under the GDPR, personal data may only be processed if at least one of six criteria exist. These six ‘lawful bases’ for processing include having the consent of the data subject, the processing being necessary to comply with law, and the processing being for a legitimate public interest (among others).
While analysing the six lawful bases is beyond the scope of this article, we will note that establishing a lawful basis for processing may be more complex than it first appears. For example, consent should be explicitly provided by the subject, and should be specific to the type of processing being contemplated. Any processing that goes beyond the scope of the consent will require another lawful basis to exist, or require an additional consent from the subject. This demonstrates the importance of ensuring requests for consent are carefully crafted, and processing activities carefully monitored, to ensure the processing falls within the scope to which the subject has consented.
Similarly, while establishing a legitimate public interest may sound easy, the GDPR prescribes that a legitimate interest assessment must first occur. To rely on this lawful basis, you must first identify the public interest, then demonstrate the processing is necessary to achieve that interest, and finally determine that the public interest doesn’t outweigh the personal interests of the individual data subject. Since the GDPR is a new law, there is little guidance about this assessment process and, being a subjective test, there will always be inherent uncertainty in relying on this basis for processing.
While some questions remain, what is certain is that a lawful basis for processing must be firmly established. This lawful basis should be agreed upon by relevant stakeholders and clearly described in your privacy notice.
The imminent regulations provide many of the same rights that data subjects previously held, but also extend some rights and add entirely new ones.
The basic rights that all subjects have is to be informed of the data held about them and to access their data. Companies have been providing information to subjects via subject access requests for many years, however, it is a good idea to introduce clear processes about how to manage these requests if you don't have them in place already.
After the access request, often subjects will want to change something about their data. Their rights include to rectify their data, receive it in a format to move it (portability), object or restrict to how their data is being processing (especially where decisions are made as the outcome of any automated processing). While many of these rights are reasonable, and existed previously, there is also the new ‘right to be forgotten’ where subjects can ask for data to be erased. This new right came partly from case law under the previous regime, and should not be considered an absolute right, in particular where your reasons for holding the data are based on legal obligations. This is an area where you need to draft clear policies around what your response will be to these requests.
One of the key obligations for any data controller is to keep personal data secure. While this obligation remains unchanged, the GDPR now directly places a obligation on data processors This maintain the same level of security.
Security covers a wide range of topics. Most people focus on the IT security aspects of networks and servers, such as encryption and firewalls, which are essential, but not sufficient. Many recent security breaches have come from people being tricked into giving away access or simply losing unencrypted data. Since this doesn’t have a technology solution, it requires vigilant training.
You also need to spend time considering your processor’s security. Rather than just relying on the contractual and legal obligations - or the location being ‘adequate’ - where the data you control is sensitive, you need to actually review the security arrangements of your partners. As with all compliance tasks, you should apply a risk-based approach, with a combination of due diligence on key partners, and an audit of those who would impact you the most.
A major change in the GDPR is the obligation to notify authorities and possibly subjects within 72 hours of becoming aware of a breach.
A breach is far broader than external ‘hacking’ of a database. It can include any access by an unauthorised third party (either internal or external), or accidental sending of data, the loss of a device containing data, or just the alteration of personal data without permission. In the recent case of Facebook data being accessed, the data was accessed by an authorised partner, using a public programming interface; the ‘breach’ was that data subjects had not consented to their personal data being accessed for that purpose.
Once a breach has been identified, the primary obligation is to notify the lead authority within Europe for the data subjects (which may now differ from the primary authority for the data controller). The notification should be made within 72 hours, although that doesn’t mean that the full investigation must be completed by then, as it is understood that major breaches can require significant resources to properly understand and remediate. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.
You must also keep a record of any personal data breaches, regardless of whether you are required to notify.