On the 25th of May 2018, people on social media jokingly posted “Happy GDPR Day!” But, of course, it was no joke trying to become compliant with the EU’s latest data protection effort, the General Data Protection Regulation (GDPR). The GDPR applies to organizations of any size, anywhere in the world, that process the personal data of people in the EU (Article 3); it is not limited to EU citizens.

Now, more than a month later, many businesses are still worried about ticking the GDPR boxes. To help you test your knowledge, we’ve devised a mini-quiz to go through some of the main points that the GDPR covers.

Explicit Consent

Consent is a mainstay of the GDPR, but it is only one of the lawful bases for processing listed in Article 6 (alongside contract, legal obligation, legitimate interests and others), and there are nuances to its use under different circumstances. Where you rely on consent, the main requirement is that it gives the user real control over how their data is processed: it must be freely given, specific, informed and unambiguous (Article 4(11)).

YES, my organization is in compliance because we have the following in place (where appropriate):

  • We give the user a clear, affirmative option to consent to use of their data when marketing to them
  • Our consent request is separated from our T&Cs
  • We don’t use pre-ticked “I agree to consent” tick boxes
  • We are not taking blanket consent for multiple uses of data. Instead, we take consent per use
  • Third parties who also need consent for data are clearly identified
  • We keep consent receipts to prove consent is taken
  • We allow people to revoke consent and tell them they can
  • Any services offered to children verify their age and/or take parental consent

No, my organization is not in compliance because:

  • The “consent to share” data tick boxes are pre-checked
  • We do not allow users to remove consent
  • We do not take consent at all

What Should We Do?

Consent may seem like an onerous task, but it’s worthwhile to do right. Consent is about respect and building relationships with your user base or customers. It is a positive thing that will reap rewards in customer loyalty and brand recognition. On the other hand, not complying with the regulation will not only alienate your customers but can trigger the highest level of GDPR fines: up to 4% of your annual global turnover or 20 million euros (whichever is higher), under Article 83(5).

Where consent is your lawful basis, take explicit, affirmative consent before you process a person’s data (explicit consent is mandatory for special-category data under Article 9). Make sure they know they can withdraw that consent as easily as they gave it (Article 7(3)), and offer a mechanism to do so.

Data Collection

A useful rule of thumb to follow is that if you don’t need to collect personal data, then don’t. The idea of data minimization is part of the ethos of “privacy by design and default,” the mantra of the GDPR.

YES, my organization is in compliance because:

  • We only collect data that we truly need to run our business and service customers
  • In any data set collected, we only ask for the data that is absolutely required: if we don’t need a person’s date of birth, we don’t ask for it

No, my organization is not in compliance because:

  • We take data whenever we get the opportunity, whether it will be used or not
  • We ask for superfluous data the business doesn’t really need to know

What Should We Do?

Keep data collection to an absolute minimum. This helps not just with GDPR compliance but with security: data you never collect cannot be leaked, mis-shared or exposed in a breach.

What Data Do You Collect?

The GDPR requires that you document your data-processing activities, such as processing reasons, data sharing and retention. A good way to keep tabs on your GDPR activities and maintain compliance is to create a data map and audit your data activities.

YES, my organization is in compliance because:

  • We know what types of data we collect
  • We have created documentation that reflects the data processing we do
  • We keep these records up to date and have policies to ensure they reflect any changes
  • We carry out regular audits of our data-processing activities
  • Our documentation is highly granular and points to the location of data, controller-processor contracts, Data Protection Impact Assessments (DPIAs) and breach notices

No, my organization is not in compliance because:

  • We are unsure of the categories of the data we collect and process
  • We are unsure if we process data, and unsure if we are a data controller or data processor (both have obligations to document their activities)
  • We have not documented any of our data-processing activities

What Should We Do?

If you are ever audited for GDPR compliance, you will have to provide documentation of your activities. Organizations with fewer than 250 employees are exempt from the Article 30 record-keeping duty, but only if their processing is occasional, is unlikely to result in a risk to individuals, and involves no special-category or criminal-conviction data; in practice, most businesses still need to keep records.

The International Association of Privacy Professionals (IAPP) has created a useful infographic on the categories of data, which can help you when mapping and documenting data processing procedures.

A data map will help you to create the documentation needed for GDPR. Article 30 of the GDPR has further information on this whole area.

Access to Data

As part of the suite of data-subject rights that the GDPR dictates, a person (data subject) has to be allowed access to the data you hold on them.

YES, my organization is in compliance because:

  • We have set in place procedures to handle requests for access to data, including verbal requests
  • We know that, as well as access to personal data, we also have to provide other data, such as:
    • Reasons for processing
    • What category the data fall in
    • Who you disclose these data to and if these data go to other third-party organizations and countries
    • Other rights, such as rectification of data

No, my organization is not in compliance because:

  • If a person asked for access to their data, we could not quickly or easily oblige
  • We can give them access, but we cannot give them the additional information about how their data is used

What Should We Do?

Make sure you have a policy that shows how to handle a data subject access request: how to verify the requester’s identity before releasing anything (so the access right does not become a data-leak vector), and how to respond within the one-month deadline of Article 12(3), which can be extended by a further two months for complex or numerous requests.

Securing Data Lifecycle

The GDPR advocates a risk-based approach to data security. Article 32 requires security “appropriate to the risk” and names pseudonymisation and encryption as examples, but mandates no specific technology. Cover the whole data lifecycle: at rest, in transit and in use. In practice this means database and disk encryption, TLS for Internet communications (SSL itself is obsolete and should be disabled), and robust access control to databases and data-access portals.

YES, my organization is in compliance because:

  • We use encryption and communication security across the data lifecycle
  • We have robust access-control measures in place for administrators and users alike
  • We run a culture of security within our organization that encourages secure working practices

No, my organization is not in compliance because:

  • We do not have any robust security measures applied to the data across the lifecycle
  • We have limited authentication measures in place when anyone accesses data

What Should We Do?

Consider using industry-standard encryption (for example AES-256) to protect data within databases or on disk, and keep the keys separate from the data they protect. Make sure that only specified personnel have access to data, and apply two-factor authentication wherever possible, for administrators above all.

Use TLS (HTTPS) whenever you collect data online and whenever your users log in to their accounts; redirect plain HTTP to HTTPS and do not offer obsolete SSL versions.

Removing Data

One of the more contentious data subject rights of the GDPR is the “right to erasure/be forgotten.” This allows a person to ask that you remove their data from your systems.

YES, my organization is in compliance because:

  • We have set in place procedures to handle requests for data to be removed from our systems, including verbal requests
  • If we refuse the request, we know that we have to show good cause for the decision
  • We understand that we must tell any third parties who may have access to these data of the request
  • We have procedures in place to carry out the request

No, my organization is not in compliance because:

  • We could not easily erase data on request
  • We could not easily let third parties who have shared these data know about the request

What Should We Do?

This is an important data right within the GDPR, so you must set in place a process to handle erasure requests, including how you locate every copy of the data (backups, logs, analytics exports) and how you notify the recipients you have shared it with (Article 19).

See also the special rights that apply to minors.

Data Transfers

This is another data-subject right, allowing a person to ask for the data you hold on them to be handed over, or transferred to another company, in a “structured, commonly used and machine-readable format” (Article 20). It is known as the “right to data portability.” Requests of this nature may well also link back to other data-subject rights, such as the right to erasure and the right of access.

YES, my organization is in compliance because:

  • If a person requests that their data is transferred to another organization, we are able to do so, as we have stored data in a structured and standard manner that is easily transferable between common systems
  • The transfer is done in a secure manner

No, my organization is not in compliance because:

  • We store data in an unstructured and non-standard manner
  • We could not easily transfer data to a third party
  • We do not have a process in place to handle portability requests

What Should We Do?

Store data in a way that lets you export it easily in a structured, commonly used and machine-readable format, and transfer it over an authenticated, encrypted channel only after verifying the requester. Doing so shows that you are transparent and agile. You may have to move data to a competitor’s system, but the reverse may also happen.
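As an added example (not code from the original article), the following Go program ties together three of the mechanisms the “Securing Data Lifecycle,” “Removing Data” and “Data Transfers” sections ask for: each data subject’s record is encrypted at rest under its own AES-256-GCM key, a portability request is served as structured JSON, and an erasure request is fulfilled by destroying that subject’s key (crypto-shredding) together with the ciphertext. Crypto-shredding and the binding of the subject ID as associated data go beyond what the article states; the in-memory `Vault`, its `keys`/`data` maps and the `SubjectRecord` type are hypothetical stand-ins for a key store and a database, and the sample record is constructed, not real data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// SubjectRecord is a constructed stand-in for the personal data a service holds on one person.
type SubjectRecord struct {
	SubjectID string `json:"subject_id"`
	Name      string `json:"name"`
	Email     string `json:"email"`
}

// Vault keeps each data subject's record encrypted under its own AES-256-GCM key. Both maps are
// hypothetical in-memory stand-ins: in production the keys live in a KMS/HSM, apart from the database.
type Vault struct {
	keys map[string][]byte // subject ID -> 32-byte key
	data map[string][]byte // subject ID -> nonce || ciphertext
}

func NewVault() *Vault {
	return &Vault{keys: map[string][]byte{}, data: map[string][]byte{}}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store serialises the record as JSON and encrypts it with a fresh per-subject key and nonce.
// The subject ID is bound as associated data, so a ciphertext cannot be replayed under another ID.
func (v *Vault) Store(rec SubjectRecord) error {
	plain, err := json.Marshal(rec)
	if err != nil {
		return err
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	aead, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.keys[rec.SubjectID] = key
	v.data[rec.SubjectID] = append(nonce, aead.Seal(nil, nonce, plain, []byte(rec.SubjectID))...)
	return nil
}

// Export decrypts one subject's record and returns it as machine-readable JSON (a portability response).
func (v *Vault) Export(subjectID string) ([]byte, error) {
	key, ok := v.keys[subjectID]
	if !ok {
		return nil, fmt.Errorf("no key for subject %q: record is unrecoverable", subjectID)
	}
	blob := v.data[subjectID]
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("missing or corrupt record for subject %q", subjectID)
	}
	return aead.Open(nil, blob[:ns], blob[ns:], []byte(subjectID))
}

// Erase fulfils an erasure request by destroying the subject's key (crypto-shredding) and the ciphertext.
// A copy of the ciphertext that escaped deletion stays unreadable as long as the key was never copied.
func (v *Vault) Erase(subjectID string) bool {
	if _, ok := v.keys[subjectID]; !ok {
		return false
	}
	delete(v.keys, subjectID)
	delete(v.data, subjectID)
	return true
}

func main() {
	v := NewVault()
	rec := SubjectRecord{SubjectID: "s-1001", Name: "Example Person", Email: "person@example.com"} // constructed
	if err := v.Store(rec); err != nil {
		panic(err)
	}
	out, _ := v.Export("s-1001")
	fmt.Println("portability export:", string(out))
	v.Erase("s-1001")
	_, err := v.Export("s-1001")
	fmt.Println("export after erasure:", err)
}
```

Two design points matter here. First, the key store and the ciphertext store must have separate access controls, otherwise destroying the key buys nothing; and a backup of the key store defeats the shredding, so key material must never be copied into ordinary backups. Second, this only erases your own copy: the Article 19 duty to tell recipients you have shared the data with still has to be handled by your process.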

Monitoring

The GDPR regulates automated decision-making based on personal data, including decisions based on profiling of a person. There are strict rules on solely automated decisions that produce legal effects or similarly significant effects for the person (see Article 22 of the GDPR).

YES, my organization is in compliance because:

  • We are allowed under law to carry out automated profiling and decision making
  • We made our privacy policy easily available when we collected/processed these data
  • We can comply with the other data-subject rights like right to access
  • We only collect the minimum data needed to carry out our business
  • We have carried out a DPIA

No, my organization is not in compliance because:

  • We have not carried out a DPIA
  • We are not eligible to carry out processing of this nature, or we haven’t collected consent to do so
  • We have not provided clear reasons for processing data in this way

What Should We Do?

You must be able to show why the automated decision is permitted: under Article 22(2) it must be necessary for entering into or performing a contract, authorised by law, or based on the person’s explicit consent. As a best practice, build a trust relationship with your user base by explaining what you do, how you do it, and why, and give people a way to obtain human intervention and contest the decision (Article 22(3)).

Data Breach Notification and Policies

Your GDPR compliance policy should also include a section that explains how the organization reacts to a data breach if one should occur. The GDPR requires that you notify your supervisory authority within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms (Article 33), and that you tell the affected individuals without undue delay when the risk is high (Article 34).

YES, my organization is in compliance because:

  • We have fully outlined the requirements of GDPR and data breaches in our policy document
  • We know what constitutes a data breach and which will require official notification within 72 hours
  • All relevant staff are aware of their duty under this policy and know how to react
  • We keep a record of every personal data breach, including those we do not have to notify anyone of (Article 33(5))

No, my organization is not in compliance because:

  • We are not aware of the types of breaches that require notice given (see also GDPR Article 33)
  • We have not set out the procedures to follow when a breach occurs within a policy document
  • We have not trained relevant staff in their duties
  • We do not know the supervisory authority who we need to inform if a data breach occurs

What Should We Do?

Choose one or more members of staff who are responsible for data-breach risk assessments and notification. In your security/privacy policy, set out the steps and process to manage data breaches, be sure that the reporting mechanism is clear, and rehearse it with a tabletop exercise so the 72-hour clock does not run out while people look for a template.

Privacy Policy

The GDPR specifies that you must offer a privacy policy (privacy notice) to users, covering the information listed in Articles 13 and 14, and that it must be in simple, concise language that is intelligible and easily accessible (Article 12).

YES, my organization is in compliance because:

  • We offer a free, simple-to-understand privacy policy that is easy to obtain

No, my organization is not in compliance because:

  • We don’t have a privacy policy
  • We have a privacy policy, but it is written in legalese and difficult to understand

What Should We Do?

Make sure you offer a privacy policy that can be easily understood and is easy to request or access online.

Someone to Help

The GDPR requires that both data controllers and processors appoint a Data Protection Officer (DPO) under certain circumstances.

YES, my organization is in compliance because:

  • We do not fall under the categories that require a DPO
  • We have appointed a DPO even though we don’t fall under the categories that MUST appoint one
  • We have appointed a DPO and we do fall under the categories that require one
  • Our DPO is accessible to employees
  • We have made our supervisory authority (SA) aware of our DPO contact details

No, my organization is not in compliance because:

  • We process large amounts of data for behavioral monitoring, but have not appointed a DPO
  • We have not made the SA aware of our DPO’s contact details

What Should We Do?

Follow the guidelines in Article 37 to appoint a DPO if you are:

  • A public authority or body, OR
  • An organization whose core activities involve regular and systematic monitoring of people on a large scale, OR
  • An organization whose core activities involve large-scale processing of special-category data (Article 9) or data relating to criminal convictions and offences (Article 10).

Security Awareness

Everyone On Board?

The GDPR may seem onerous, but much of it can be applied using common sense and an awareness of what privacy is and why it is important. The GDPR actively advocates that an organization engages their employees and business associates in a culture of privacy. This helps to permeate privacy throughout the organization.

YES, my organization is in compliance because:

  • We spend time training staff in security and privacy issues
  • We talk to staff about their specific departments, and how they process data and fit in with the data lifecycle
  • We have policies on privacy strategy and delivery which we review regularly
  • We co-opt staff into policy creation
  • We regularly carry out training in security and privacy, and use metrics to improve these sessions over time

No, my organization is not in compliance because:

  • We haven’t yet adopted any security or privacy policies
  • We haven’t yet put contracts in place with organizations that act as our data processors
  • We haven’t chosen anyone to be responsible for data breach reporting
  • We haven’t carried out any training in security or privacy with our staff

This quiz is not an exhaustive list of GDPR compliance tasks, but hopefully it gives you a feel for what areas you need to think about. Remember, always err on the side of caution!

Sources

Micro, small and medium organizations, ICO
Children, ICO
Categories of personal information, IAPP
Records of processing activities, Intersoft Consulting
Automated individual decision-making, including profiling, Intersoft Consulting
Notification of a personal data breach to the supervisory authority, Intersoft Consulting