GDPR: 5 BASIC PRINCIPLES OF THE NEW EU PRIVACY RULES

When will the GDPR enter into force?

The GDPR (“General Data Protection Regulation”) will enter into force on 25 May 2018. Therefore, you still have some time to check the new privacy rules and prepare yourself.

 

Below are the main steps you can already take to become “GDPR compliant”.

 

GDPR fines: real risk or scaremongering?

 

The first thing people often think of in relation to the GDPR are the high fines. Are these fines a real risk or is it pure scaremongering?

 

The GDPR does indeed provide for high fines in the event of violation of certain privacy rules. These fines can be as high as EUR 20,000,000 (you read this correctly: EUR 20 million) or 4% of the company’s annual global turnover.

 

These amounts are astronomical but, in my opinion, create a distorted picture of the actual risk. An average Flemish SME will have to go seriously over the line to incur a fine of 20 million euros. To be clear: these amounts are maximum fines. In reality, fines will be proportionate to the infringement committed and the Privacy Commission will take all factual elements into account. The GDPR states that fines must be “effective” and “dissuasive” as well as “proportionate”.

 

Nevertheless, every company (including every sole trader or self-employed person) that processes personal data must comply with the new privacy rules. This is true even if you keep customer data (e.g., email lists). If you do not comply with the GDPR rules, you risk a fine. Even though this fine will not amount to 20 million euros, fines are still best avoided. Apart from the financial risk, you also risk damaging your reputation with your customers and business partners. Therefore, it is best to think seriously about what data you are collecting, whether you have sufficient consent, and what protective measures you are taking.

 

 

GDPR first step: know what data you are processing

To measure is to know! The first step you should take in the run-up to the GDPR is to map out which data you are processing. I therefore recommend that every company starts an audit procedure to check:

  • what personal data is kept
  • where that data comes from
  • for what purpose the data is kept
  • how long you keep it for
  • With whom you share it
  • what the legal basis is (e.g., how is consent obtained?)
  • what security measures you apply
  • etc.

 

This information must be recorded in a GDPR register that can be checked by the Privacy Commission. This GDPR register will replace the declaration that you currently have to make to the Privacy Commission. In the future, the Privacy Commission will be able to request your register to check whether you are taking adequate steps to guarantee privacy protection and security. If you are unable to provide a register or procedure, you run an increased risk of a (considerable) fine.

 

Certain SMEs will be granted an exemption in relation to the establishment of a data register. In practice, the chance that you will fall under the exceptions is fairly small. The Privacy Commission recommends that you keep a data register in any case. This also seems to me to the most sensible approach: it obliges you to think about your privacy and security policies and it limits the risk of breaches or fines.

 

GDPR second step: know what data you are passing on

Part of the exercise is also to audit your existing contracts with partners and subcontractors: if you transfer personal data such as customer names or email addresses to partners (e.g., outsourcing), you need to know what privacy safeguards your partners provide.

 

If your current contracts do not provide sufficient safeguards, you should renegotiate them. If you do not do this, you might incur a liability yourself, even if the breach is committed by your partner. I therefore recommend that you take a close look at your existing contracts and check them:

  • what data is transferred
  • what does your partner do with this data?
  • what guarantees are offered regarding privacy and security?

 

GDPR third step: update your internal privacy and security procedures

The third step you need to take is to update your internal privacy and security procedures. This depends to a large extent on the analysis of the previous two steps. The closer you get to the date of 25 May 2018, the further ahead you need to be in updating your internal procedures!

 

In concrete terms, I am thinking mainly of the following points:

 

  • Is consent or opt-in obtained correctly? Pre-ticked boxes are now out of the question! Unclear or “woolly” language, too. Consent must always be given via a clear, active action. Tacit consent is not good enough.
  • Collect evidence: As a company, you must be able to prove that someone has given permission to use their personal data. If you cannot prove this, you have a problem. Therefore, you need to make sure you record and keep track of consent. “Accountability” is a basic principle under the GDPR: if you can’t prove that you have received consent or that you are complying with the procedures, then you risk a fine.
  • Analyse your email marketing: Do you send out commercial emails or newsletters to contacts? Then you need to check whether those contacts have given you permission to do so. Have existing contacts given their permission in the past (e.g., they subscribed to your newsletter themselves), but you have no proof of that? Then you should in principle write to these contacts again to obtain new consent (keep the evidence!). This will be a bitter pill for many companies. Your e-mail database will become smaller but more relevant. Also think about whether you want to wait until just before the GDPR comes into force or do this now. Of course, a good “unsubscribe” or “opt-out” is also still required!
  • How do you respond to complaints or requests for access to data, correction of data, deletion of data, transfer of data to another provider, objections to “profiling” or “direct marketing”, etc.? Under the GDPR, as an individual, you are given clear rights about companies that process your data. As a “processor”, you therefore need to set up a procedure to respond correctly and in a timely manner to such requests. If you pass on personal data to partners, you will have to ensure that adjusted data is also adjusted at the partners. In principle, you must also be able to answer these requests “electronically” (not just on paper). For many companies, the solution will be that those concerned can view and correct/delete their own data online. Obviously, such online tools must be sufficiently secure…
  • How do you tackle data leaks? You will need to set up a procedure to detect, stop and report data breaches. In certain cases (but not in all) you will have to inform the individuals concerned and the Privacy Commission. If you do not do this (e.g., to prevent reputation damage), you risk heavy fines (and even more reputation damage). If you have no procedure for dealing with data breaches, your risk is obviously greater than if you do have a procedure. A “data breach” is for example a case of “hacking”, but also mistakenly sent emails with sensitive information or the loss of insufficiently secured laptops, phones, or USB sticks.
  • Do you have (and should you have) a “Data Protection Officer”? Some companies and governments will need to appoint a Data Protection Officer or DPO to ensure compliance with GDPR legislation. Check whether you fall under that obligation. The general principle is that you fall under the DPO obligation if the processing of personal data is part of your “core business”. Even if you are not subject to the obligation, it may still be advisable to appoint someone as a “central figure” for all aspects relating to privacy and security. That person could, for instance, be responsible for carrying out periodic audits of the existing privacy procedures, providing training and advice to staff, being the contact person for customers, colleagues, the Privacy Commission, etc.
  • How do you handle personal data from minors? Children get special protection under the new GDPR rules. If you offer services aimed at children and process children’s personal data (e.g., name, address, age, gender, etc.), you will have to prove that you have obtained parental consent (especially for children under 16). How do you best go about this?
  • Do a risk analysis or “Privacy Impact Assessment”: The privacy policy and the security policy of your company go hand in hand. In certain cases, you will have to make a risk analysis in connection with the data you keep. When rolling out new projects (e.g., if they involve “profiling”), the project team will have to assess whether or not there is a privacy risk and possibly seek advice from the Privacy Commission before implementing the project.
  • Update your privacy policy with customers or “end-users”: if you have an existing privacy (and cookie) policy, you will need to adjust it in certain respects.

 

 

Do not hesitate to contact us for questions regarding GDPR and privacy.

 

Author: Bart Van Besien