One of the primary goals of the General Data Protection Regulation, also referred to as GDPR, is to give control of personal data back to the individual (i.e., the “data subject”). For companies trying to comply with these new laws, it is anything but simple — especially when it comes down to managing day-to-day privacy operations and consent.
However, it’s becoming more and more vital for organizations to pay attention to GDPR, not just for compliance reasons, but because privacy is impacting consumers’ decisions. For instance, the IBM Harris Poll discovered that "75% of consumers will not buy a product from a company — no matter how great the products are — if they don’t trust the company to protect their data". Also, penalties and fines can be as high as 4% of annual revenue or €20 million, whichever is greater.
So what are the next steps for GDPR Compliance?
Among a long list of requirements included in the GDPR, companies must ensure that their data processing activities (i.e., third-party vendors) comply with the regulatory guidelines.
For the GDPR to apply, an organization has to simply offer its products or services to European Union subjects, or be established in the EU, or be engaged in widespread behavioral monitoring.
Because this affects so many businesses, most enterprise organizations and software vendors (SaaS companies) based in the US, Canada and elsewhere have to comply with GDPR regardless of where they are headquartered.
Below are 12 questions to guide you through the initial applicability assessment process for GDPR compliance:
1. Are you processing personal data of EU data subjects? Are these processing activities related to monitoring of their behavior or offering of goods or services to residents of the European Union, directly by your company or on behalf of your customers? (As defined by GDPR Article 3)
2. How do you demonstrate compliance with Article 5 Principles of “Processing Personal Data”:
- data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- processed lawfully, fairly and in a transparent manner; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
3. How do you demonstrate proof that a data subject has consented to the processing of his or her personal data?
4. Can your data subjects withdraw their consent at any time as easily as they gave it? (i.e., if you have a long legal document with multiple steps required to withdraw consent, this process will likely not be considered “as easy” as giving consent).
5. How do you facilitate the exercise of data subject rights under Articles 15 to 22?
6. How do you demonstrate that data subject rights don’t diminish regardless of how many third parties are involved in data processing?
7. How do you demonstrate proof that, at the time when personal data were obtained, data subjects were provided with all of the following information as per Article 13, including:
- the right to withdraw consent at any time;
- the identity and the contact details of the controller and, where applicable, of the controller’s representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
- the recipients or categories of recipients of the personal data, if any;
- where applicable, the fact that the controller intends to transfer personal data to a third country or international organizations.
8. How do you provide the data subject with confirmation from the controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information as per Article 15:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
9. How do you enable data subjects to obtain from the controller the erasure of personal data concerning them without undue delay, and how does the controller meet its obligation to erase personal data without undue delay where one of the grounds in Article 17 Paragraph 1 applies?
10. How do you enable data subjects to obtain from the controller “restriction of processing” where one of the grounds in Article 18 Paragraph 1 applies?
11. How do you communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed as mandated by Article 19?
12. How do you provide the data subject with the personal data concerning him or her that he or she has provided to a controller, in a structured, commonly used and machine-readable format, and facilitate the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, as outlined in Article 20?
Next Steps: From Compliance, to Data Mapping, to Privacy Operations
If you went through the above questions and felt lost, confused or unsure of the answers, you’ll want to talk to privacy experts, lawyers or consultancy services, like Deloitte, PwC or KPMG, as soon as possible. They can do an audit of your processes, show you where the gaps are and identify potential risks. From there, it’s a good idea to build a data map to see where your data flows. Once you’ve completed your data map, input the information into Feroot’s software and sit back and relax. Our software will make the ongoing management of third-party compliance, consent and access requests easy-peasy, and for the most part, automated. Plus, you can customize a beautiful privacy dashboard that tells your customers you’re taking their privacy seriously. This will help you gain their trust, increase market share and, most importantly, make you feel at ease knowing that your privacy operations are in tip-top shape. If this latter part sounds good to you, feel free to contact our sales team for a quick conversation and demo.