GDPR: All the changes
The GDPR (General Data Protection Regulation) comes into effect on 25 May 2018 – i.e. in less than a year. It will have a huge impact on organisations' data retention and management procedures.
In this era of digital transformation, where both businesses and individuals are required to increasingly use data, this change is even harder to handle as the new regulation, an extension of the data protection act, introduces fundamental organisational, technical, and legal changes.
This article aims to shed some light on these changes, which will affect everybody very soon, both professionally and personally.
1/ THE PRINCIPAL REQUIREMENTS OF THE GDPR
One of the first requirements for businesses - accountability - is to keep a processing log - which replaces the declaration to the French Data Protection Authority - to be accountable and guarantee respect for privacy. This log is used to record the same information as in the declaration but shifts the burden of proof. In the past, the French Data Protection Authority had to demonstrate failures and the controller had time to resolve any issues. In the future, it's the business that will have to demonstrate their compliance. The GDPR also introduces a reporting requirement by controllers in the event of personal data breaches. They must inform the French Data Protection Authority as quickly as possible.
Another requirement is to take account of the notion of respect of privacy from the product, service, or application's design phase: "privacy by design". An insufficiently-secure information system will not comply. Businesses must set the highest standards in terms of protection of privacy. Every time it processes data, it requires specific and express consent (opt-in) from the user.
The final requirement: organisations must appoint a data protection officer (DPO) to oversee the implementation and monitoring of the GDPR.
Supervisory authorities will give businesses 2 years to comply.
Who does it apply to?
The regulation will apply to all European Union countries as well as businesses based abroad if they target EU residents by profiling, or offer them goods and services. Only the US and UK may not be concerned, as their domestic laws prevail over the GDPR.
What is the risk for businesses in the event of non-compliance?
A fine set by the Court of Justice of up to €20 million or 4% of sales for the most serious cases.
"In terms of financial penalties, the issue of privacy has reached the same level as corruption and cartels," points out Benjamin May, lawyer/partner at the Aramis law firm.
What impact will it have on businesses?
2/ "HUMAN" CHANGES
It will strengthen protection of consumers: their data will only be "lent" to companies. As a result, they will remain sole owners of this data, and may exercise all the related rights.
• Consent: any processing of their data must be explicitly authorised,
• Respect of privacy: any type of processing likely to result in a high risk to privacy must be the subject of an impact assessment,
• Transparency: the individual has the right to know what the data is being used for,
• Profiling: right not to be the subject of a decision exclusively based on automatic processing,
• Possibility of unsubscription: any profiling must be clearly reported and unsubscription possible at any time,
• Right to be forgotten: on demand, the consumer can ask for their data to be deleted,
• Inactive contact: any contacts inactive for more than 3 years must no longer be processed,
• Right to portability: all an individual's data must be directly exportable by the individual.
It also redefines what personal data means.
The term currently covers:
• E-mail address,
• Professional telephone number (direct line),
• Position or job title,
• Postal address of place of work, business,
Plus in the future:
• Localisation data (IP address, GPS data)
• First- and third-party cookies
• Identification number, identifier
• Information on physical, psychological, genetic, or economic identity
3/ "DIGITAL" CHANGES
The GDPR will also require that respect of privacy be taken into account from the product or service's design phase.
Consent must now be explicit and obligatory
Individuals will have to deliberately subscribe, more commonly known as "opting in", to authorise businesses to process their personal data. Profiling will remain authorised for marketing purposes as long as the person is informed of this fact and may object to it.
"When a mobile app is installed, it requests access to your personal data stored on your smartphone (contacts, calendar, etc.) via a pop-up. If you refuse, you can't access the service. But this information is not necessary to provide the service in question.
From May 2018, this will no longer be allowed. The data collected must be used to provide the service. A different consent form will also be required for each type of data."
Nevertheless, the regulation specifies 5 legal grounds on which processing remains lawful, even without consent:
• When processing is necessary to execute a contract accepted by the person;
• When processing is required to comply with a legal obligation;
• When processing is necessary to protect the person's vital interests;
• When processing is necessary to carry out a task in the public interest;
• Any other legitimate interest of the controller, unless the fundamental interests or liberties and rights of the person prevail, particularly if they are a child.
Another point for developers, separating personal data that is normally attributed to a person. As information is retained independently, additional information must be used to link information together, e.g. using a hash key.
Its use is strongly encouraged when setting up secure but non-compulsory data processing.
ta Protection Authority).
4/ IMPACT ON BUSINESSES
The GDPR affects the data life cycle from start to finish. It requires enhanced governance and management of business processes and the architecture supporting it. A comprehensive transformation process must therefore be set up as described by Olivier Chotin who works at our Nantes agency in an article published in La Tribune.
An approach focusing on 8 key categories:
• Data strategy
• Data governance
• Organisation and HR
• Business processes
• GDPR implementation
• Data management
• Technical implementation
How can we see the impacts clearer?
Article 35 of the GDPR states that where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of its impact on the protection of personal data (PIA). Art. 29 WP or Article 29 Data Protection Working Party - an independent European advisory body on data protection and privacy - put in place a process to analyse risks and impacts.
5/ IMPACT ON DSP'S
In terms of Communication, websites must be modified to take account of data protection requirements. A few examples of features to be included:
• Contact source storage
• On-demand data exportability
• Revised legal notices
• Form with tickbox
• Updated database with site data
• Automated inactive data deletion system
• Reviewing of more explicit Cookies
In terms of HR, it must be possible to trace the source of the data collected on applicants after receiving their explicit consent for the different types of processing (data use and reuse). In terms of storage, the focus must be on encryption and pseudonymisation to ensure personal data is fully protected. Another point on automating certain recruitment processes: the GDPR requires you to keep applicants informed of the processing type and rules.
So checks need to be carried out to see whether the HR tool enables regulatory compliance.
In terms of Purchasing, service and sub-contracting agreements need to be reviewed to include new clauses taking account of the GDPR, particularly in terms of sharing of responsibilities, and the requirement to report all breaches of privacy.
As for information systems, steps must also be taken to make sure all tools comply with the GDPR in terms of storage and processing of employee and customer data.
In terms of organisation, the GDPR imposes a new role of "Data Protection Officer" (DPO) for public authorities and companies whose core business involves data processing (whether large-scale or high-risk). For other businesses, it strongly recommends that a DPO be appointed. Their mission is to effectively oversee the successful implementation of the GDPR. In practical terms, they must keep up to speed with new requirements, help decision-makers to understand the impact of different types of processing, draw up a processing inventory, organise awareness campaigns, continuously oversee compliance, and handle cooperation with the supervisory authority (CNIL - French National Data Protection).
(Image credits : © Thierry Roge / Reuters)