General Data Protection Regulation (GDPR)

 

 

Here’s what you need to know and what we doing to protect your data.

What is GDPR?

The General Data Protection Regulation (“GDPR”) is a new, EU-wide privacy and data protection law. It requires more strict privacy protection in an organization’s systems, more nuanced data protection agreements, and more consumer-friendly and detailed disclosures about an organization’s privacy and data protection practices.

The GDPR replaces the EU’s current data protection legal framework from 1995 (commonly known as the “Data Protection Directive”). The Data Protection Directive required transposition into EU Member national law, which led to a fragmented EU data protection law landscape. The GDPR is an EU regulation that has direct legal effect in all EU Member States, i.e., it does not need to be transposed into an EU Member States’ national law in order to become binding. This will enhance consistency and harmonious application of the law in the EU.

GDPR takes effect on 25 May 2018.

 

Does GDPR apply to organizations located outside the EU?

Unlike the Data Protection Directive, the GDPR is relevant to any globally operating company, not just those located in the EU. Under the GDPR, organizations may be in scope if:

  • the organization is established in the EU, or
  • the organization is not established in the EU but the data processing activities are with regard to EU individuals and relate to the offering of goods and services to them or the monitoring of their behavior.

 

What does “processing personal data” under the GDPR means?

The GDPR governs how personal data of EU individuals should be processed by organizations. The terms “Personal data” and “processing” are frequently used in the regulation, and understanding their particular meanings under the GDPR helps to expose the true reach of this law:

  • Personal data is any information relating to an identified or identifiable individual. This is a very broad concept as it includes any information that can be used on its own, or in combination with other pieces of information, to identify a person. Personal data is not just a person’s name or email address. It can also encompass information such as financial information or even, in some cases, an IP address. Moreover, certain categories of personal data are given a higher level of data protection because of their sensitive nature. These categories of data are information about an individual’s racial and ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data, health data, information about person’s sex life or sexual orientation, and criminal record information.
  • Processing of personal data is the key activity that triggers obligations under the GDPR. Processing means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In practical terms, this means any process that stores or consults personal data is considered processing.

 

What does “data controllers” and “data processors” mean?

In EU data protection law, there are two types of entities that can process personal data — the data controller and the data processor.

The data controller (“controller”) is the entity which determines the purposes and means of the processing of personal data. The data processor(“processor”) is the entity which processes personal data on behalf of the controller.

It is important to determine whether the entity processing personal data for each data processing activity is a controller or a processor. This mapping exercise enables an organization to understand what rights and obligations attached to each of its data processing operations.

OfficeRnD has certain data processing activities for which it acts as a data controller and others for which it acts as a data processor.

 

What legal basis for processing personal data in the GDPR means?

Under the GDPR, every data processing activity, performed as a controller or processor, needs to rely on a legal basis. The GDPR recognizes a total of six legal bases for processing EU individuals’ personal data (in the GDPR, EU individuals are referred to as “data subjects”). Those six legal bases, in the order of Art. 6 (1) (a) to (f) GDPR, are:

  1. The data subject has given CONSENT to the processing of his or her personal data for one or more specific purposes;
  2. The processing is NECESSARY FOR THE PERFORMANCE OF A CONTRACT to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
  3. The processing is necessary for the COMPLIANCE WITH A LEGAL OBLIGATION to which the controller is subject;
  4. The processing is necessary to PROTECT A VITAL INTEREST of the data subject;
  5. The data processing is necessary for the performance of a task carried out in the PUBLIC INTEREST or in the EXERCISE OF OFFICIAL AUTHORITY; or
  6. The processing is necessary for the LEGITIMATE INTERESTS pursued by the entity, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require personal data protection.

The GDPR permitted processing list and the list contained in the Data Protection Directive are quite similar. However, there are also significant differences.

The most frequently discussed change made by the GDPR, when compared to the Data Protection Directive, is the tightening of the consent requirements (item 1 in the above list). The GDPR consent requirements include elements such as (i) the requirement that consent be verifiable, (ii) the request for consent must be clearly distinguishable from other matters, and (iii) the data subjects must be informed of their right to withdraw consent. It is also important to be mindful that an even higher consent requirement (“explicit consent”) is imposed with respect to the processing of sensitive data.

Another important item to highlight is the legitimate interest item (item 6 in the above list). When relying on “legitimate interest” as supporting the processing of personal data, an organization needs to be aware of the balancing test requirement associated with this legal basis. To satisfy the Accountability Principle under the GDPR, an organization must document its compliance with the balancing test, which includes its approach and the arguments that it considered prior to it concluding that the balancing test was satisfied.

 

What would be the consequences of non-compliance?

The most referenced consequence of non-compliance with the GDPR is the maximum fine that can be levied against a non-compliant organization. The maximum fine that may be levied is 4% of global revenue or 20 million EUR, whichever is higher. Certain other types of infringements carry a maximum fine of 2% of global revenue, or 10 million EUR, whichever is higher.

Less frequently referenced are the data protection authorities’ (“DPAs’ ”) powers under Art. 58 of the GDPR. These powers include the ability for the DPAs to impose corrective actions, such as a temporary or definitive limitation on data processing activities, including a complete ban on data processing, or to order the suspension of data flows to a recipient in a third country.

How does OfficeRnD handle GDPR

At OfficeRnD, privacy, data protection, and data security are always with the highest priority for us. We are working hard to ensure that our services are in compliance with GDPR on the effective date of May 25, 2018.

GDPR compliance is comprised of many elements. Among others, we are updating our documentation and agreements to align with GDPR requirements. We are also revising our internal policies and procedures to ensure that they adhere to the GDPR standard.

Most of the GDPR compliance elements take place “under the hood” of an organization as they relate to updates on how an organization is processing personal data. These are some of the steps which we are performing in anticipation of the GDPR:

  • Perform a gap analysis between the requirements imposed by the Data Protection Directive and the GDPR, as applicable to the company’s business operations.
  • Review and update internal tools, procedures, and policies where necessary.
  • Revise data mapping and data inventory practices, and update where necessary, to comply with record retention obligations under the GDPR.
  • Perform a dedicated gap analysis of privacy and data protection review tooling to meet the Data Protection Impact Assessment requirements.
  • Update approach to international data transfers.
  • Update contracts to reflect Art. 28 GDPR obligations as they relate to the company’s contracting parties.
  • Review and, where necessary, revise relationships with vendors to meet the requirements of the GDPR to ensure that those third parties receive and process personal data in a lawful way.
  • Update the company’s compliance policies with continuous employee training to reflect the changes to be implemented for the GDPR.

 

What does the Accountability Principle stand for?

OfficeRnD customers should consult with their legal professionals to understand the full scope of their compliance obligations under GDPR. As a general rule, if you are an organization that is established in the EU, or if your organization is processing EU individuals’ personal data, the GDPR will be applicable to you.

One overriding GDPR principle to keep in mind is the Accountability Principle. The Accountability Principle states that the data controller has to be able to demonstrate that its processing activities are compliant with the data protection principles set forth in the GDPR. The easiest way to demonstrate compliance is by documenting and communicating your GDPR compliance approach.

At OfficeRnD, compliance has been the product of a collaborative effort from many people across our organization, including Support, Customer Success, Sales, Engineering, Security and Legal. In our experience, cross-functional partnerships and easy-to-read documentation are incredibly helpful to the overall GDPR compliance process.

 

GDPR checklist for organizations

Small- and medium-sized organizations may face particular challenges to get ready for the GDPR. With this in mind, we’ve put together some of the key elements of a GDPR compliance in a checklist for customers.

  1. Get on everyone on the same page. Get together with all relevant roles from your organization and bring each other up to speed on what the GDPR is and how it impacts your organization.
  2. Understand what is happening with personal data in your organization. You may apply a data mapping exercise to uncover how personal data is stored and processed by your organization. You can use the following questions as a guide:
    1. What categories of personal data are you processing? (e.g., financial information, health information, marketing-related information, etc.)
    2. What categories of individuals are you processing personal data for?
    3. What is the reason for processing this information?
    4. How and why did you collect this information?
    5. How are you securing this data?
    6. Are any third parties receiving this information? If so, are you disclosing such third-party recipients in your Privacy Policy or other forms of notification? Do you know who those third parties are? How long are you keeping information about individuals?
  3. Legal basis mapping. Use the 6 legal bases mentioned before. For every processing activity that you identified in your data map, link it back to a legal basis. That connection gives you the legal basis for processing.
  4. Take the time to understand how to comply with an individual exercising their rights:
    1. You should be able to use the information from the data mapping to answer a data subject access request.
    2. From the data map, you should know where personal data is stored to comply with an opt-out, modification and erasure requests.
    3. Know what data formats your systems use, and figure out how you are going to respond to data portability requests.
  5. Data breach and incident response. When you talk to your colleagues on the technical / security side of the organization, make sure you know your incident response plan.

There are many more things that can be added to this checklist. For example, you may need to do data protection impact assessments, appoint a data protection officer, manage and review marketing and other company communication practices, and revisit your vendor management and contracting processes, just to name a few.
If you have a solid foundation by mapping out your data processing activities, you are giving yourself a big advantage for any subsequent GDPR compliance question that you encounter.
You can find some additional resources below. We used them and we hope they will also be useful to you.

 

Additional resources

There are many places where GDPR is referenced and it is hard to find of the good resources that are available online. Here are some resources we use to keep current with GDPR developments:

  • The formal legal text. The full legal text of the GDPR is here and the Data Protection Directive is linked here.
  • The Supervisory Authority. There is a Data Protection Authority (DPA) in each EU Member State, and many of them have published helpful guidelines on GDPR implementation. You’ll find a list of DPAs here.
  • Article 29 Working Party (WP29), soon to be European Data Protection Board (EDPB): The WP29 is an advisory body made up of a representative from the DPA of each EU Member State, the European Data Protection Supervisor and the European Commission. As of May 25, 2018, the WP29 will become the EDPB. The EDPB will include the head of a DPA of each EU Member State and the European Data Protection Supervisor.
    The WP29 has issued hundreds of guidelines and opinions and has opened up several topics for consultation. The most recent guidelines and opinions all focus on how to best implement GDPR elements into an organization’s compliance structure. The WP29 Newsroom is here.
    The Working Party 29’s old website had a lot of additional resources that unfortunately are not as easily accessible now with the new website layout. The archived website with additional materials is available here.
  • Some DPAs, law firms, privacy organizations such as the IAPP, and many other organizations, NGOs and companies are hosting GDPR-related events. It is very likely that other organizations have very similar questions to yours about GDPR implementation. These are great opportunities to reach out to the GDPR community and work through the questions together.