To be a successful business in Europe in 2018, you will need to be able to demonstrate GDPR compliance. Numerous articles have already detailed what GDPR is, the ramifications of failing to comply with it, and many of the steps towards compliance.
If there is one thing you know for certain, it is that there is a lot to take in, research to be done, and no easy route to fast-track compliance – writes Frank Krieger, VP of Governance, Risk and Compliance at iland.
So let’s take it one step at a time. Here I’ve outlined a chief aspect of GDPR, the aim being to help your business take another leap towards full comprehension of and compliance with GDPR. Specifically, my objective here is to analyse the GDPR requirement around having the unambiguous consent of a data subject.
GDPR will transform how an organisation controls data. Under GDPR, an organisation must obtain the explicit consent of a data subject in order to store, access and process any personal data. Protected data will fall into different categories. Personally identifying information such as names, birth dates, photos, email addresses, bank details, and even IP addresses will naturally fall into the general category of “protected data.”
However, data which reveals the essence of someone’s personal life will be even more stringently controlled. This data, such as biometric records, religious or political views, and sexual orientation, will fall into special categories of protected data. Creating a classification scheme for data is a good first step towards GDPR compliance; for example, data might be classified as public, internal, confidential or regulatory. From there, you can identify risk, technical safeguards and access controls.
How will the data subject give consent?
Data protection under GDPR will expressly impact marketing and sales operations. In the past, prospective or existing customers have only been given the option to “opt out” of marketing campaigns that target them. Now, with the introduction of GDPR, potential data subjects will always be required to “opt in” and voluntarily disclose their data before the data can be accessed and used.
The collection and resale of data will be strictly controlled, with the priority being that the data subject’s consent is clearly present at each step of the process, especially when the data is changing hands.
Beyond that, the data subject has the right to review their data, and to ask for it to be entirely purged from the system at any time. The subject could even choose to monetise the use of their personal data. All in all, this gives an overview of the data subject’s rights under GDPR.
How will the organisation obtain consent?
GDPR will also introduce massive changes when it comes to the role of the business that is controlling or processing data. On the topic of consent, GDPR will drastically change how and why organisations are permitted to collect and process data.
In the past, companies have been able to accumulate and resell data to suit their needs with little regulation. Now, organisations will need to present a business case and define the legal reason for data collection. It is important to limit the scope of the data being gathered.
If the organisation can present a valid case for processing the personal data of given subjects, it must then communicate this case to the data subject in plain terms. That is, no more legal jargon or 20-clause forms with tick-boxes at the bottom. GDPR will make it so that the data subject’s consent must be requested in clear, simple language.
The organisation must establish strict regulations to dictate which people they collect data for, whether they disclose the data and, if so, to which parties. The risks of disclosing data to third parties must be considered. Regulations must also determine how long the data is retained for and why, as well as what special purposes would warrant data removal.
When processing data on behalf of customers, you must align with security and regulatory processes. Under GDPR, you must also be completely transparent, and keep the data subject informed of all processes. Data mapping can be used to monitor how data is flowing, and can also be referenced when establishing and tightening access controls.
That is, you can identify the systems and applications that are consuming data, and the individuals who have access to it. Data maps will also help you create audit reports to validate adherence. The most important thing is to monitor your data processing carefully.
Additionally, you can create geographical view maps. These outline where data is housed and where protected data resides, and help identify cross-border data flows. Network, application and system views are important for any organisation: they monitor the flow of data through systems and processes, and determine which departments and people are controlling and processing protected data.
As a business, you can secure the help of a data protection officer who is responsible for making sure that the data subject’s rights are upheld. Large organisations with the capacity to hire a full-time data protection officer are likely to have an easier time weathering GDPR.
However, as a small or medium-sized business with a limited budget, it can be challenging to hire the services of a data protection officer to guide you through the process. As we prepare ourselves for GDPR, we are keen to share our findings and best practices with other organisations.