Discover How We Can Help with GDPR Compliance
NetFort LANGuardian can help you comply with GDPR around 4 pillars:
- Reporting & Audit Trail
The General Data Protection Regulation (GDPR) is a European law which establishes a number of requirements that organisations that collect or process the personal data of individuals based within the European Union (EU) must follow.
There is some confusion as to who will be subject to the law. To clarify, the regulation will apply in cases where either the data subject (person), the data controller (company), or the data processor (service provider) is based within the EU.
Compliance with this new regulation, which will come into effect on May 25, 2018, is sure to present a challenge for groups located both inside and outside of the EU.
The principal goals of the GDPR are to protect the personal data of EU residents and to give them greater control over how their data is used.
As a result of this, all data collection and data processing must be closely tracked. Individuals will have the right to request copies of their data, to ask for records of how their data has been used, and to request that their data be deleted by the entities which store or use it.
Organisations must therefore have systems in place that record data use, that log processing activities, and that track where data relating to each data subject resides on the system to allow for simple retrieval or deletion.
The GDPR will also harmonise the current European legislation on data processing across member states, which will facilitate compliance for companies that deal with information collected from multiple countries.
Non-compliance could result in fines of either €20 million or 4% of an organisation’s annual global turnover, whichever is higher. Since this is an EU Regulation and not a European directive, it will become part of Member States’ law and be enforceable in the courts of Member States immediately and simultaneously upon coming into force in May 2018.
The GDPR defines what is considered as personal data in Article 4. It states that:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
As the definition given above implies, almost any data can be deemed “personal” if it can be used to identify an individual, including IP addresses, information relating to sexual orientation, and biometric data.
All of this information must be protected to the standards set down by the GDPR.
The GDPR does not specifically mention the data protection measures that must be put in place for a group to be considered compliant.
Instead, it is mentioned in Article 32 and several other parts of the regulations that “appropriate technical and organisational measures” must be taken.
These measures must be based on the level of risk to individuals’ rights and freedoms arising from the data processing that is being carried out.
For example, networks should be able to resist, to a reasonable level of confidence, accidental events or malicious attacks.
Article 32 goes on to note that security measures such as encryption and pseudonymisation should be considered, but they are not necessarily mandatory.
Audits of the data that is being held by a company should be conducted to allow data types and other important information to be established and recorded.
This will also help in identifying the risks or weaknesses that may lead to data breaches or data loss.
The GDPR includes a number of standards that must be met to ensure compliance.
Some of these are listed below:
As mentioned above, the GDPR requires procedures to be documented. This requirement is summarised in Article 30: Records of processing activities.
As a data controller, groups must record their data processing activities. The Article goes on to list a number of elements that must be tracked, from basic information such as:
As there may be large amounts of data involved, groups should implement systems that facilitate the documentation of data use without impacting efficiency.
Useful functions may include features that allow searching, categorising, or cataloguing data. We will cover this further below.
The GDPR will affect almost every type of organisation in some way, but will have the most impact on groups whose activities rely heavily on data processing or providing data processing services.
This would include companies that have customer engagement or profiling databases, agencies that operate hosting services, and entities that offer data storage solutions.
The businesses affected will also include those whose core activity might not be processing personal data. The GDPR will impact a diverse array of interests, including:
To reiterate, the GDPR will apply both to groups that are based within the EU themselves and to organisations that collect data concerning individuals located within the EU.
If a company is located, for example, in Asia, and they make use of the services of a data processor located within the EU, then they too must ensure any relevant parts of the GDPR are applied and respected.
It is mentioned in Article 30 that smaller structures, those with 250 employees or fewer, are covered by a derogation except in situations where they engage in systematic data processing or where the data they process is particularly sensitive or creates a risk to the rights and freedoms of the individuals concerned.
For example, a clothing manufacturer with 50 employees will fall under the derogation whereas a market research agency with 40 employees or a research laboratory with 20 employees would not be covered by the derogation, as one carries out systematic processing and the other processes special categories of data including genetic and health data.
It should not be overlooked that, in the absence of more specific rules provided for by Article 88, the personal data of employees is also protected by the GDPR.
Human Resources personnel should rapidly review the personal data they keep on file and determine what is necessary for them to fulfil their tasks and what is superfluous.
They must ensure that they have correctly received freely given and informed consent from all employees to process data. If consent is not given for the storage of non-essential data, this data must be erased.
There are numerous situations in which organisations will be allowed to collect, treat, and process data.
The Regulations state that the processing of data is lawful in cases where either:
In such a case, other legal avenues should first be explored to justify the processing and only on failing to find a relevant condition should the data be processed on the basis of protecting vital interests.
Similarly, if a data controller has a legitimate interest that is not overridden by the rights and freedoms of the data subject, and if the processing is not outside the realm of what a data subject could reasonably expect their data to be used for, processing may be done in a legal manner.
For example, if a data subject is a client of a controller and has an established and appropriate relationship with the controller, then they may reasonably expect the controller to process their data to aid the continuation of the service being offered for the duration of the service period. It may not be reasonably expected that the controller might use the data in relation to a non-linked service several years later.
Sales emails or other direct marketing material being sent to existing customers may be allowed under this and other parts of the law, explained further below. However, it is advisable to review each client’s consent, how it was gathered, and what it explicitly covers before using data in this way. Consent should be re-acquired where necessary and in so far as possible to be 100% sure of compliance.
The processing of data for the legitimate interests of the controller must be examined closely in relation to what the data subject consented to when the data was collected and how it will be processed.
Two important points to note in relation to legal processing of data are that:
Interestingly, the GDPR states that “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest”.
Organisations are strongly advised nonetheless to ensure that they have documented consent in order to carry out this type of processing.
If they cannot demonstrate to supervisory authorities that they have received freely given and informed consent from data subjects, or if they do not have a record of the consent having been given, then the use of the data would not be compliant with the GDPR and consent should be sought from each individual in the correct manner – i.e. freely given, informed, and with an affirmative action – not a passive acceptance or inaction – taken on the part of the data subject.
The legislation also notes that “processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations”.
This is included to allow data to be used for purposes such as public health research, legal defences, or other uses. It should not be forgotten that data used for such purposes must still be protected by appropriate security measures.
The “public interest” justification for processing should be based on EU or Member State law. As such, this may vary from country to country and the legal aspects should be closely monitored if this is the justification being used for processing.
In all cases, documentation should exist to justify the processing and to track the procedures being carried out. This documentation should be easily retrievable to facilitate compliance audits.
Ideally, a system would:
The recording of processing activities is necessary for both controllers and processors under Article 30.
A useful function would allow data to be found through a reversal of this logic i.e. a search to display all data gathered on a certain date; gathered during a single collection activity; scheduled for deletion at the same time; or processed for identical purposes.
Cross referencing of these and other relevant factors – such as what internal team is using the data, what new devices have been added to the network, or what servers are relevant for what data – can help data be stored and used in compliance with the GDPR.
The system and data must be well protected against unauthorised access by both external and internal parties. Access logs and attempted connections should be recorded. Depending on the risks which data processing may present, pseudonymisation, encryption, and other appropriate security measures should be considered.
Importantly, there should be some way of easily identifying malicious or abnormal activity – to spot it among the massive amounts of authorised use and flag it for further review.
After all, there is little point in having a system that tracks every single user movement and data point if there is no way to realistically distinguish a threat from an approved employee or partner.
Reviews should allow the activity for the suspect period to be accessed and examined. It may be the case that all of the activity of an identified unknown element or unauthorised user must be evaluated, or it may be that an authorised user lost control of their account for a period of a few hours.
The ability to focus in on the relevant interval will speed up threat evaluation and facilitate any further notification or investigation should supervisory authorities need to be involved.
The ability to quickly or even automatically create reports of this information – such as lists of data for deletion on a certain date, lists of data accessed by an unauthorised user, lists of abnormal activities carried out, or reports of all relevant documentation relating to a data subject’s consent – can help prove to authorities that the company is following the rules or quickly identify threats and mitigate risk to the freedoms and rights of data subjects.
As the GDPR gives data controllers only 72 hours to report a breach once it has been discovered – with as much of the relevant data as possible as listed in Article 33 – the ability to track individual records can improve breach responses and aid authorities and the company to mitigate damage from the breach.
Each of these is a crucial part of the GDPR compliance foundation, in particular with Article 24, which calls for controllers to be able to demonstrate that processing is performed in accordance with the law.
While automation is to be prized when it comes to efficiency gains, the GDPR specifically calls for human controls in some areas. Article 22 states that processing which results in a legal effect concerning the individual shall not be permitted unless it is specifically consented to by the data subject, or is necessary under a contract or member state law. Even in these cases, there must be human intervention and the data subject has the right to contest the decision.
The introduction of the GDPR is likely to lead to significant up-front costs for many organisations.
Reviewing contracts and verifying processes will undoubtedly necessitate many man-hours and financial support.
It is more than likely that much of the total initial cost per organisation will be spent on activities evaluating existing procedures and examining the nature and amount of the data being managed.
Auditing and categorising the data that a group stores and processes will probably consume the bulk of the year one budget allocated to bringing a company into compliance with the GDPR, depending on the scale of their databases.
Once this has been done for existing data, future data can be collected and treated in accordance with GDPR compliant procedures. In doing so, they will be categorised and catalogued as part of routine collection or processing.
The infrastructure to accomplish this will require maintenance and other budget lines each year, but this will likely be somewhat offset by efficiency gains related to data searches and avoided duplication or recollection of existing data.
A company employing between 250 and 300 people would be on the smaller end of the scale of those that are definitely subject to the GDPR.
Even if this company does not handle much data, they still must conduct a thorough audit of their data and their security systems; hire or train a Data Protection Officer (explained below); and make budgetary provisions to hire consultants, introduce new IT systems, and implement new procedures and security measures.
Training costs for new and existing staff also will have to be planned.
| Item | Estimated cost |
|---|---|
| Reviewing contracts, auditing data | €30,000 |
| Reviewing IT systems + new systems | €100,000 |
| Staff costs (HR data) | €25,000 |
| Data Protection Officer (DPO) | €70,000 |
| GDPR Staff Training | €25,000 |
Let us imagine a company of 275 people that processes data as part of its activities but not as its core business.
Reviewing their existing external contracts and auditing data will most likely require outside experts for a number of weeks. Let us estimate €10,000/week for three weeks; €30,000.
Reviewing IT systems, updating or introducing new systems, and testing these systems can perhaps be done internally but will probably need two months for five IT staff. Estimate €100,000 for new systems and staff time.
Human Resources will need to review staff contracts for all 275 staff members. Even with a standard contract for most staff, estimate 2 hours/staff member to check the contracts, explain the change to employees, get the necessary documents signed, and complete related administrative tasks. 550 hours is roughly 14 weeks or three and a half months of work for one person. Estimate €25,000 in staff costs, plus employer charges.
A data protection officer may need to be hired. Estimate €70,000 for salary and hiring costs.
Staff training on specialised elements of the GDPR relevant to their functions for 275 people could easily cost €25,000.
As we can see, even a conservative and non-exhaustive estimate for a small company gives us a necessary budget of €250,000. This would only be the cost for the first year. Salaries, security, and maintenance costs would be recurring.
A data audit is the first and most fundamental step in a GDPR compliance project. It must be done to as high and complete a standard as possible, as identifying the type of data being stored and treated is crucial to identifying the potential risks that may arise from processing activities.
The information relating to individual data subjects should be grouped or classified, consent should be checked, and all risks that have been identified should be addressed.
Any information that is found to be out-of-date or incorrect should be deleted or rectified, as per Article 5.
Security weaknesses that were identified should be addressed, and steps should be taken to minimise risk to an acceptable level, where possible.
If data controllers do not feel confident that they can mitigate risks to a reasonable level, they should contact the supervising authorities for advice before any data processing is carried out.
It is important that each individual’s data can be easily grouped or found.
The GDPR includes provisions for people to request copies of the data which concerns them from data controllers.
Controllers must be able to respond to these requests within one month. The regulation also includes an individual’s “right to be forgotten” – to have all of the data concerning them deleted from the totality of an organisation’s systems, including both data controllers and their associated data processors.
Reviewing, modifying, and creating internal procedures and processes will also require time and money.
Staff will need to be trained on any new procedures and on how the GDPR will affect their tasks and responsibilities.
Public authorities or bodies that process data, with the exception of courts of law, will also be required to train or bring on a Data Protection Officer, as will organizations that manage or treat high risk data.
All companies that fall into the categories mentioned above will be required to have a Data Protection Officer.
This may be an employee of the organization or a third party hired to perform the task. In all cases, the law states that “the data protection officer shall directly report to the highest management level of the controller or the processor”.
They should be chosen based on their knowledge of the law and their professional qualifications, but no specific qualification is mentioned in the text of the law.
Their main task is to inform and advise the data controller or processor on their obligations under the law, and to make sure all processing is done pursuant to the GDPR and any relevant member state laws.
They must be identified to the supervisory authority, as they will be the liaison between the company and the authority. The Data Protection Officer is also the point of contact for individuals who wish to request copies of their data or have their data deleted, as allowed by the GDPR.
In a nutshell, as explained in Article 38, “the data protection officer [must be] involved, properly and in a timely manner, in all issues which relate to the protection of personal data”.
They are protected by the law against any controller- or processor-imposed penalties resulting from the performance of these tasks.
Despite all of the costs related to bringing an organisation up to code, the costs of non-compliance with the GDPR will certainly be much higher.
Sanctions for violating the new legislation include fines, and the maximum financial penalty can rise to either €20 million or 4% of a group’s total global revenue, whichever is higher.
As well as this staggering financial penalty, organisations will also have to deal with the knock-on effects to their reputation and the damage to their image.
Given the increasing importance that consumers attach to the security of their information, companies that do not respect the laws may soon find customers choosing not to continue doing business with them and switching to competitors.
Even if the violations do not lead to a breach and are brought to light due to an audit, the damage to the institution’s image will be done, and such damage is difficult to repair.
Organisations must now view any expenditure related to GDPR compliance as a non-negotiable cost of doing business.
Not only is it the law, it will also serve to save money in some areas by reducing the complexity of collecting and processing data across European Member States.
If we go back to our example company of 275 employees, we had estimated an initial cost related to GDPR compliance of €250,000.
Assuming all systems are correctly in place to automate reporting, monitoring, and data processing, let us imagine how this may lead to an overall cost reduction.
The security systems needed should not cost much more than previous systems to maintain; training for new staff will integrate GDPR requirements and so not necessitate a much larger budget than before. Even so, let’s say an additional cost of €10,000.
Let us also assume costs related to the Data Protection Officer of €70,000. If no similar data security position was in the organization before the GDPR, which is unlikely, then this gives us an overall cost of €80,000 per year.
The job of the Data Protection Officer is to ensure the laws of all member states are being followed, and most member states will not have extra protections beyond the GDPR.
Let us estimate the previous costs of monitoring legal changes in each country, translating legal documents, and devising country specific procedures and staff trainings at €15,000 per country.
Let us also estimate the administrative costs of analysing each separate service provider, how their service complies with the laws of each relevant country, and drafting and modifying contracts to cover any identified gaps at €5,000 per provider.
Finally, let us estimate an overall efficiency gain of 5% due to streamlined internal procedures, trainings, and contracts.
Even on this conservative estimate, it is easy to imagine that the GDPR will lead to huge reductions in fees thanks to compliance across service providers, partners, internal procedures, and legal savings.
Our modest 275 person company could easily have 10 service providers and operate in four countries. With an annual turnover of only €10,000,000, we have already reached an estimated saving of €160,000 per year.
With an initial cost of €250,000 and an annual saving of €80,000, compliance almost pays for itself after only three years.