The General Data Protection Regulation (GDPR) is coming, there’s no way around it. The deadline is May 2018, thus you still have a bit over a year to be compliant, and even more importantly, to be prepared to show you’re compliant. See, the GDPR doesn’t only require everyone to comply, it also requires being able to show your compliance.
Actually the GDPR is not about denying you of processing personal data. It’s more about you needing to know where you process that personal data and you telling the natural persons of which data you’re processing.
This means that you need to know where your data is. Which in turn means you need to map out your data flows.
1. Figure out what data you need to be concerned about
The GDPR expands the definition of personal data.
“The principles of data protection should apply to any information concerning an identified or identifiable natural person.”
So, everything you have that’s linked to a natural person. As long as you either identify or can identify that natural person.
“To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly.”
Essentially, if there’s any way you can tie a particular piece of information to a natural person, it’s personal data. A recent ruling by the EU also tied IP numbers as information that can be linked to a natural person by internet operators, the operator here being the “another person”.
2. Map out where you store data on purpose
Where are your CRM, your client database, the users of your website? And internally, your staff registry, your intranet users table, your AD server, payroll software user storage, SSO service, productivity software like Trello, Skype, Slack..? And all the ones I didn’t mention.
“This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum.”
Write a data map to show what data you store in all of these places and for how long you store that information for. You need to have a retention period, or a basis for storing the data.
3. Figure out where your data is dispersing
In my previous post I outlined the problems with modern data-intensive architectures, and how no document can tell you where the data actually gets stored. See, the modern architectures are made to keep data safe. Essentially that means we make data very hard to delete, so that a couple of errors combined can’t even get rid of it by accident. And that means it’s usually stored to a lot of places. Not to mention, very hard to delete permanently, even on purpose.
To find out where your data actually is stored, in addition to the official locations, you need to ask a lot of inquisitive questions from possibly a lot of people. You need to figure out your temporary storages on servers, people’s copies of the data on their desktops, email attachments, USB sticks, the contents of the company Google Drive, and also your backups, audit logs, access logs, backups of those logs, and so on. If this job appears too daunting, you can always call an expert to help you with it.
4. Update your processes, both technical and human
Let’s now imagine you have it all on your table. Every data flow is mapped in detail and you know where the data flow leaves its track of residual data.
This could mean an internal policy for your staff about not storing personal data on their laptops or USB drives, or possibly not sending personal data over email. It could also mean you’ll stop using a cloud service, if it’s in the US and the company isn’t Privacy Shield certified. Or you might need to reconfigure your around-the-world replication policy for your CRM database, as you can’t move your potential clients’ personal data to that data center in Hong Kong without their explicit consent.
It can also mean you’ll have to make drastic changes to your key software systems. Or it can mean you’ll have to replace a key software component. Note, that you’ll have to have the changes or the new system in production use by May 2018.
5. Aggregate and automate
The GDPR also allows the data subjects to exercise their rights electronically and without undue delay.
“Modalities should be provided for ... including mechanisms to request and, if applicable, obtain, free of charge, in particular, access to and rectification or erasure of personal data and the exercise of the right to object. The controller should also provide means for requests to be made electronically, especially where personal data are processed by electronic means. The controller should be obliged to respond to requests from the data subject without undue delay and at the latest within one month and to give reasons where the controller does not intend to comply with any such requests.”
Now that you know all your data locations, you need to estimate how many requests of access, rectification or erasure you might get within a certain timeframe. Then estimate how much work it would be to fulfill those requests manually. And remember, if your process previously needed physical presence in your office and a written request on paper, the pure ease of requesting via the internet will increase those requests. Especially in the UK, where it’s been allowed to charge a fee for exercising these rights. In May 2018, it’s going to be free.
“Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.”
If your calculations show that you don’t need that Google-style self-service dashboard for everybody to finetune their data and consents, you might still benefit from aggregating the data. If it’s a complicated process to combine the data internally, you might want to create an automated process that connects and gathers the latest data for a single data subject, even if you don’t run it unless someone specifically requests that data. Sometimes fully automated and scheduled aggregation makes sense.
6. Update your privacy policies and consent forms
Finally, now you need to provide all the information you’ve gathered to the data subjects. The requirements for informing the data subject about the data processing activities are expanded greatly in the GDPR. Here are a couple highlights that the GDPR mentions explicitly:
- identity of the data controller
- purpose of the processing
- recipients of the personal data
- whether the data is moved outside EU/EEA
- retention period of the data
- right of the data subject
- information about profiling or automated decision-making
This is not the full list, but should show that the details of the information that the controller must provide to the data subject, are very much dictated in the GDPR. Essentially this means that most of the controllers of personal data must update their privacy policies.
Another thing is the consent form. It also has some specific rules in the GDPR.
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, ... This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. ... If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.“
The consent form needs to be clear, but needing an informed, active action, while at the same time not be disruptive to the service. We’ve seen the rise of the cookie click-to-approve popups and nobody likes them. Based on the recent proposal of the EU Commission, they don’t like the cookie popups either. Thus creating a clear way to approve data collection while not being intrusive is going to be a challenge. And the consent needs to be recorded:
“Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”
This means everybody needs to store the actual consent data for the data subject to be able to demonstrate the consent.
Kalle Varisvirta, Technology Director