What does the process of complying with the General Data Protection Regulation (GDPR) look like? This article gives step-by-step guidance on the questions to ask and the actions to take when implementing the Regulation's provisions. The key points to pay attention to when preparing for GDPR compliance give you a better understanding of the whole process and help you decide where to start.
So, let’s start:
1. Is personal data processed in your company?
Under the GDPR, personal data (PD) is any information relating to an identified or identifiable natural person (Article 4(1)). The definition has four elements: "any information", "relating to", "a natural person" and "identified or identifiable".
Personal data therefore also covers identifiers such as IP addresses, cookie IDs, device or account codes and similar online identifiers, whenever they can be linked to a person.
If you process such data, you need to consider GDPR compliance. But does the Regulation actually apply to you?
2. Is GDPR applicable to your company?
If your company is established in the EU, or is not established there but offers goods or services to, or monitors the behaviour of, people who are in the EU, the GDPR applies (Article 3). Note that the test is where the data subjects are located, not their citizenship.
That means the GDPR applies when:
- the company is established in the EU and processes PD of persons in the EU;
- the company is established in the EU and processes PD of persons from other countries (processing in the context of an EU establishment is covered regardless of where the data subjects are);
- the company is established outside the EU but processes PD of persons in the EU in the course of offering them goods or services or monitoring their behaviour.
How can you determine whether you operate in the EU, i.e. whether you target the EU market? The following factors (drawn from Recital 23) help supervisory authorities decide that you offer goods and services to people in Member States:
- the site is available in one or more EU languages;
- goods or services can be paid for in euro;
- an EU top-level domain is used;
- goods or services are delivered to the EU;
- customers or users in the EU are mentioned, and so on.
Suppose the GDPR does apply. What's next?
3. Do you process special categories of personal data?
The GDPR singles out so-called sensitive data (special categories of personal data, Article 9). They require special protection because their misuse can make a person vulnerable. The special categories are:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data and biometric data used to uniquely identify a person;
- health data and data concerning sex life or sexual orientation.
Data on criminal convictions and offences is not a special category in the Article 9 sense, but is subject to similarly strict conditions under Article 10.
Member State law may impose further conditions or limitations on processing these categories. Processing them is prohibited unless one of the specific exceptions in Article 9(2) applies, such as the data subject's explicit consent or a legal obligation in the field of employment.
Personal data is collected about all kinds of individuals: someone who merely visits your site, a customer who buys a product, an employee or contractor of the company. Once such data has been obtained it must be processed in accordance with the GDPR, and special categories demand additional organisational and technical measures for lawful processing.
4. What does a national legislation provide?
It is essential to check the national rules on processing personal data that are laid down in the legislation of the relevant EU Member State. National law often supplements the GDPR where the Regulation leaves room for it. Examples of such national extensions include:
- a broader notion of data subject (for example, extending some protections to legal entities);
- the minimum age at which a child can consent on their own to the processing of their data in relation to online services (Article 8 lets Member States lower the default of 16 to no less than 13);
- lists adopted by the national supervisory authority of processing operations that do require, or do not require, a Data Protection Impact Assessment (DPIA) under Article 35(4) and 35(5); the European Data Protection Board (EDPB) issues opinions on these lists to keep them consistent across Member States.
For example, for the purposes of data processing in Belgium, Estonia and Portugal, the age of a data subject who can consent to the data processing has been reduced to 13 years, in Austria and Bulgaria to 14 years, in France and the Czech Republic – to 15 years, in Germany and Ireland – 16 years old.
The DPIA requirements also vary from country to country:
- A) in France, an assessment is required where the controller keeps and processes patients' personal data for commercial purposes;
- B) in Poland, an assessment must be carried out where all activity of employees on work equipment and on the premises of large companies is monitored.
National law should therefore also be taken into account when implementing PD processing measures under the GDPR, especially if your company is incorporated in that country or most of its customers or users are from there.
5. Is the PD transmitted to third countries or international organizations?
As a general rule, personal data may only be transferred outside the European Economic Area if the level of protection guaranteed by the GDPR is not undermined (Article 44). A transfer to a country with a lower level of protection is not allowed unless specific safeguards are in place, for example binding contracts with the foreign processor and, where applicable, the informed consent of the users whose data will be available to the foreign partner. The GDPR provides three groups of situations in which such transfers are permitted:
- Transfer on the basis of an adequacy decision
A transfer to a third country or international organisation may take place on the basis of an adequacy decision if the European Commission (one of the seven principal EU institutions) has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation ensures an adequate level of protection (Article 45).
Such a transfer does not require any specific authorisation. At the time of writing the Commission has recognised 13 countries and territories in this way. Ukraine is not among them. If the recipient country is covered by an adequacy decision, the transfer is allowed without any conditions or measures beyond those that apply to a transfer between EU countries.
- Transfers subject to appropriate safeguards
In the absence of an adequacy decision, a transfer may take place if appropriate safeguards are in place and data subjects have enforceable rights and effective remedies (Article 46). Without specific authorisation from a supervisory authority, the safeguards may be provided by:
- a legally binding and enforceable instrument between public authorities or bodies;
- binding corporate rules;
- standard data protection clauses adopted by the Commission in accordance with the examination procedure;
- standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure;
- an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights;
- an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
Subject to authorisation from the competent supervisory authority, the safeguards may also be provided by:
- contractual clauses between the controller or processor and the controller, processor or recipient of the personal data in the third country or international organisation; and
- provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
- Derogations for specific situations
If neither an adequacy decision nor appropriate safeguards are available to justify transferring PD outside the European Economic Area, the derogations in Article 49 GDPR may apply. They include cases where:
- the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
These derogations are exceptions and are interpreted narrowly; they are not a suitable basis for routine, large-scale transfers.
6. What role does your company play in data processing?
At this stage it is important to define the role your company plays: controller or processor. The processor has far fewer direct obligations than the controller, because it acts solely on the controller's documented instructions. It may not collect or process PD in any way other than the one specified by the controller, and virtually any decision of its own requires the controller's approval. A typical example is engaging a sub-processor, which requires the controller's prior written authorisation (Article 28(2)).
The controller occupies the leading role. It determines the purposes and means of processing, guarantees appropriate technical and organisational security measures, informs the processor when special categories of data are to be processed, and ensures that the persons authorised to process personal data have committed themselves to confidentiality.
The scope of obligations a company must fulfil to be GDPR compliant therefore depends on the role it performs.
7. Do all policies and other corporate documents relating to the processing of personal data comply with the Regulation?
Privacy notices, internal policies, consent forms and contracts with processors should be reviewed against the Regulation and kept up to date. It is also important to review from time to time the European Commission's adequacy decisions and the rules of national law, because they change. For example, are you currently negotiating with South Korea, or have you perhaps established relationships with a local gaming business? Which transfer mechanism you need depends on the current adequacy status of that country.
8. Data Protection Impact Assessment. When? How? What?
A Data Protection Impact Assessment is a process that identifies and minimises the risks of processing personal data. A DPIA is mandatory only where the processing is "likely to result in a high risk to the rights and freedoms of natural persons" (Article 35). Most often a DPIA is needed when using automated decision-making, profiling, large-scale processing or processing of special categories of data, but it is advisable to reassess whenever significant changes in business processes occur.
This process can be called the beginning of compliance itself, because it takes place before the processing of PD starts. At this stage all staff who have access to personal data are involved.
In fact, a DPIA is not as daunting as one might imagine. It usually takes the form of a table (as an ordinary file or a record in a dedicated tool) that contains:
1) The purposes of data processing;
2) PD operations;
3) Risks arising from data processing;
4) Measures aimed at eliminating such risks.
It is performed as often as the processing operations require. Triggers include transferring data to a third country or international organisation, launching a new product, changing staff, and so on.
Responsibility for conducting the DPIA rests with the controller, that is, the party that determines the purposes of the processing. Even though businesses often appoint a person responsible for the proper processing of personal data, the Data Protection Officer, the primary responsibility still lies with the controller.
9. Do you need a Data Protection Officer (DPO)?
The GDPR defines the circumstances in which a company must appoint a DPO. The DPO is the person designated by the controller or processor to monitor the correct application of the GDPR. It can be either an employee or a person working under a service contract; a DPO may act for several companies at the same time as a contractor. Appointment is mandatory when (Article 37):
- the controller or processor is a public authority or body (except courts acting in their judicial capacity);
- the core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale;
- the core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.
DPO’s responsibilities include providing advice to the controller or processor when processing personal data, communicating with the supervisory authority, and monitoring the correct application of the Regulation.
10. Are processors aware of personal data processing policies and responsibilities?
If a processor processes personal data on behalf of a controller, the controller is not GDPR compliant unless there is a written Data Processing Agreement between the two parties (Article 28(3)). This document must include, among other things:
- the subject matter of the processing;
- the duration of the processing;
- the nature and purpose of the processing;
- the types of personal data that will be processed;
- the categories of data subjects whose personal data will be processed;
- the obligations and rights of the controller and the processor, etc.
The national law of the parties to the contract may impose additional requirements on the content or form of such agreements. Meeting them protects against the contract later being declared invalid and against sanctions for breaching the rules on transferring personal data.
This checklist is a step-by-step guide to how the compliance process should take place. If it does not, expect fines or other sanctions.
However, severe sanctions should not be the main reason for compliance. It is better when a company is driven by the pursuit of customer trust. Internet users may be far from understanding the intricacies of technical processes, but they entrust information about themselves and hope that their data is handled professionally. Do not miss another chance to show how qualified and prepared your team is; keeping the regulator off your back is a welcome bonus.