It’s been over 12 months since the General Data Protection Regulation (GDPR) was introduced, with the aim of unifying how data is processed, used, stored and exchanged across all EU countries. But since the rollout, how has the legislative change affected the way businesses handle personal data? And just how many companies are still lagging behind in terms of GDPR-compliant data handling and processing?
According to recent reports, the race to get GDPR compliant hasn’t gone smoothly, with over two-thirds of businesses admitting that more work is needed to achieve full compliance, and a further half anticipating fines for breaching legislation. Indeed, one in five organisations have said that they believe full GDPR compliance is impossible to measure – raising concerns about the amount of work still needed to ensure watertight compliance across all EU member states and their individual industry sectors.
This guide will explore the core tenets of GDPR and how they apply to IT processes, giving IT professionals a blanket overview of the steps they should take to help their organisations achieve full compliance – including a helpful GDPR checklist that can roadmap the process.
- Understanding the GDPR Compliance Criteria
- The Primary Parties Involved in GDPR
- Common GDPR Security and Personal Data Actions
- The Rights of Data Subjects You Need to Know
- GDPR Compliance Checklist
Many companies failed to prepare adequately for the rollout of GDPR because they weren’t sure if the new legislation applied to their type or size of business. GDPR applies to all organisations registered in the EU, regardless of their size or the number of employees, and it also covers businesses outside the bloc which sell goods or services within EU countries, or else process data from EU residents.
These are the GDPR compliance criteria:
- A presence in any EU country
- No EU presence, but deals with the data of EU citizens
- Any company with over 250 employees
- Any company with under 250 employees whose operations could impact the data protection of EU citizens
In other words, if your company is registered in the EU or handles data from EU citizens, it must comply with GDPR. This will be the case even after Brexit, because most businesses will still handle and process personal data from people living in EU nations.
When it comes to GDPR, there are three main stakeholders named as part of the legislation: data controllers, data processors and data subjects. We’ve gone into more detail about these groups below:
- Data controllers – This is the business which determines the purposes and means of the processing of personal data. They decide how data is processed and are responsible for ensuring GDPR compliance. IT personnel often support data controllers in this function.
- Data processors – The personnel within a business (or an outsourced contractor) who are responsible for processing data on behalf of the data controller, in a way that ensures full GDPR compliance.
- Data subjects – The citizens whose data is being processed by the data controllers, often through the exchange of goods and services. It’s also worth remembering that a company’s employees are also data subjects.
IT professionals may be called upon to process personal data for a data controller, or else support GDPR compliance by performing audit work and carrying out security actions which help an organisation achieve full compliance. It is the data controller that must exercise control over the processing and carry data protection responsibility for it.
Over the last 12 months, more has become known about the types of actions which organisations must implement to ensure full GDPR compliance, including basic security changes and how personal data is protected. Examples of these requirements include:
- The testing, assessment and evaluation of internal data management processes, on a regular basis
- Robust provisions to support GDPR-compliant data management, including relevant processing systems and services
- The encryption of personal data
- The creation of new data policies which set out a business’ guidelines on how it protects and secures sensitive user data
- The provision of access and data availability, particularly in the event of a technical incident which could put personal data at risk
If a business is investigated for GDPR compliance, it will need to show evidence that it has implemented appropriate strategies to protect data and enhance security – like the processes listed above. This can require additional resources and significant investment, with the average Fortune 500 company budgeting for around £12 million a year to maintain full GDPR compliance.
In terms of the type of data deemed ‘personal’ under the new GDPR legislation, the criteria set out six categories which data controllers and processors need to know:
- Basic information, such as a name, email address and ID information
- Health, genetics and biometric data
- Web data, like location information and IP addresses
- Political opinions
- Sexual orientation
- Racial or ethnic data
As a means of strategizing your approach to GDPR from an IT perspective, it’s important to understand the rights of data subjects whose personal information you will be responsible for protecting and securing. Knowing the rights of data subjects under GDPR legislation will help your organisation to maintain compliance across all its day-to-day operations and data-handling processes.
Here are the entitled rights of data subjects you need to know:
- Breach notification – Data controllers must notify data subjects of the unauthorised use or distribution of their personal information within 72 hours of becoming aware of the data breach.
- Right to access – Under the legislation, data subjects have a right to ask how, where and why their data is being used and processed, and may request a copy of all the data a company holds about them.
- Right to be forgotten – This gives data subjects the right to request that their data and information is permanently removed from the systems of the data controller.
- Data portability – This gives data subjects the right to request a copy of their personal data in a machine-readable format, so that they can easily make the switch to another service provider.
- Privacy by design – This gives data subjects the peace of mind that their data is being used responsibly by the data controller. Data controllers must show that they are taking action to limit access and protect the personal information of data subjects.
Big or small, businesses need to invest time and resources into becoming fully GDPR compliant, or suffer the consequences of hefty monetary penalties and a poor public reputation for privacy and data management.
This checklist can help IT personnel operating in a broad range of industries implement changes which support full GDPR compliance.
- Conduct a data audit to find out what type of information your company uses and who can access it.
- Assess the legal justification for why such data is being used and processed.
- Encrypt and anonymise personal information wherever necessary.
- Consider data protection and security across the business, from the user journey to everyday interactions.
- Build awareness of data protection within the broader team, creating an internal security policy and providing relevant training at regular intervals.
- Conduct a data protection impact assessment, looking at how a data breach or GDPR penalty could affect your organisation.
- Build a robust breach notification process, setting out the steps to take in the wake of a security breach and how user data will be protected.
As an IT professional, you can bolster your organisation’s GDPR efforts by creating considered processes which help to uphold data subjects’ privacy rights. Consider the following when setting out your proposals for GDPR-compliant IT data processing:
- It’s easy for your customers and users to request and receive the data you hold about them.
- It’s easy for your customers and users to update inaccurate and incomplete information through your site.
- It’s easy for your customers and users to request to delete their data, and for you to carry out their wishes.
- If your customers or users request it, it’s easy for you to transfer their data to another organisation – supporting their right to data portability.
- It’s easy for your customers to request that you stop processing their data or using it in a way that they no longer agree to.
We hope this comprehensive GDPR guide proves useful in helping your business achieve full compliance. As GDPR legislation continues to bed in, it’s crucial that businesses of all sizes take steps to achieve compliance, before penalties become more commonplace.
For more IT guides and features, visit the CDL blog and newsfeed. If you’re here to find out about our computer and IT disposal services, visit the homepage or call us today on 0333 060 2260.