Over the course of 2018, you probably heard – and received many emails – about a new privacy regulation. If you run a company, you have probably realized that the new regulation may affect your ability to collect and process personal data. This regulation is known as the GDPR, which stands for General Data Protection Regulation. The GDPR is sweeping legislation adopted by the European Union that took effect in May 2018 and specifies detailed requirements regarding the collection, processing and transfer of personal data.
It affects entities that process personal data of EU data subjects, regardless of the location of the entities processing the data (see below for an explanation of what constitutes "processing").
Consequently, not only EU entities are subject to this regulation, but also entities and organizations located outside the EU.
Many businesses have already experienced consequences from the GDPR – customers are asking vendors to sign Data Processing Agreements and may ask to conduct audits to verify the vendor's compliance with the GDPR. Individuals are starting to be aware of their rights as data subjects and are more and more often asking to exercise those rights.
One of the most powerful innovations of the GDPR is the administrative supervisory and enforcement powers granted to Supervisory Authorities, allowing them to impose sanctions for infringement of the regulation's requirements as high as €20,000,000 or 4% of the infringer's worldwide revenue of the previous year, whichever is higher.
For the purpose of better understanding the recommendations below, you need to know some key terms in the context of GDPR:
- Personal data: any information relating to an identified or identifiable natural person;
- Data subject: the person whose personal data is collected, or as the GDPR defines – an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly;
- Controller: the person or organization that, alone or jointly with others, determines the purposes and means of the processing of personal data;
- Processor: the person or organization that processes personal data on behalf of the controller;
- Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
So, what are the initial steps an organization can take in order to become GDPR compliant?
Below is a non-exhaustive list of initial steps organizations can take toward GDPR compliance:
1. Data mapping:
As a first step, we recommend mapping the data an organization collects, processes and transfers. This should result in a detailed understanding of (i) the source of the data (collected by the organization, provided by the data subjects or by third parties), (ii) the types of data collected (and the purpose of collection for each type), and (iii) the third parties receiving the data from the organization and the purpose of such transfer to each third party. In some cases, mapping the data can be challenging because various types of data are collected for various purposes or because an organization has many third parties from which it receives data. In such cases, a third party service provider can assist with this data mapping task. Data mapping will also give an organization insight regarding any excess data collected, allowing the organization to change its practice in order to comply with the GDPR's data minimization principle.
2. Third Parties:
Following the data mapping, an organization should take a look at the third parties providing and receiving data. The role of each third party should be determined and the relevant agreements should be put in place. Under the GDPR, controllers are responsible for their processors; therefore, ensuring that your organization's processors comply with the GDPR is essential. For this purpose, it is recommended to review each processor's privacy practices, to ensure (where relevant) that the processor has a mechanism in place for international transfers as permitted under the GDPR, and to sign Data Processing Agreements with the processors in accordance with the GDPR's requirements. Joint and co-controllers should define each party's responsibilities, including notifying the data subjects of the existence of the additional controller.
3. Privacy Notice:
If consent is required for the collection and/or processing of the personal data, the organization should have an adequate consent mechanism: consent must be a freely given, specific, informed and unambiguous (and in some cases, explicit) indication of the data subject's wishes, and the consent should be documented.
5. Privacy by design and by default:
Part of the technical and organizational measures a controller needs to implement are privacy by design, and privacy by default. Privacy by design means embedding data protection into the design of products, services and technologies offered, while privacy by default means ensuring the most restrictive privacy settings are the default settings of products, services and technologies being offered. When designing new products or services, these principles should be taken into account.
6. Data Protection:
Both controllers and processors have an obligation to implement "appropriate technical and organizational measures" to ensure a level of security appropriate to the risk of the processing performed by the relevant party. The GDPR clarifies that when determining what "appropriate technical and organizational measures" are, the controller and processor should consider the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks, and their severity, to the rights and freedoms of data subjects. In terms of appropriate measures, the GDPR specifically refers to pseudonymisation and encryption; the confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to data in the event of an incident; and ongoing testing of an organization's technical and organizational measures. Since assessing the security needs of a company requires extensive data protection expertise, complying with this obligation may require assistance from a third party service provider.
7. Compliance with local privacy and data protection laws:
Organizations located outside the EU that are subject to the GDPR should bear in mind that while complying with the GDPR is required when processing personal data of EU data subjects, local privacy and data protection law is likely to apply as well. Therefore, organizations should evaluate their compliance with those laws, too.
This article should not be considered legal advice and organizations should consult a legal adviser for customized privacy and data protection advice.
Netanella Treistman's practice focuses on matters relating to technology companies (including start-ups, fintech and adtech companies) with an emphasis on technology and licensing agreements and other general commercial matters. Netanella is experienced in business to enterprise contract negotiations and assists clients in various privacy matters.