Preparing for the General Data Protection Regulation (GDPR)

 

GDPR

 

 

There are 12 steps you should take to prepare your company for the GDPR, which has applied since 25 May 2018.

1.  Awareness

Make sure that managers and other key stakeholders are aware of the GDPR. They should understand how the Regulation affects their areas of responsibility.

2.  Information that you maintain

You are obliged to document the personal data (hereinafter the “PD”) that you hold, where it came from and with whom it is shared. You may need to audit the information you currently have.

3.  Interaction with PD

Review your current privacy policy and make the amendments needed to bring it into line with the GDPR.

4.  Rights of individuals

Check whether your procedures cover all the rights of individuals, including deleting all of a person's personal data and providing a copy of their PD on request.

5.  Requests to access the PD

Plan how you will handle requests within the new time limits and provide the additional information that is now required.

6.  Lawful basis for PD processing

Identify and document the lawful basis for each of your processing activities under the GDPR, and update your privacy policy accordingly.

7.  Consent

Review how you request, obtain and record consent to process users' data, and whether that consent still meets the GDPR standard.

8.  Minors

Consider whether you need age verification and a process for obtaining consent from a parent or guardian for the processing of a minor's data.

9.  Personal data breaches

Make sure you are able to detect, investigate and report personal data breaches.

10.  Data Protection and Risk Assessment

Familiarise yourself with the EU rules on Data Protection Impact Assessments, including the interpretation given by supervisory authorities, and establish whether such an assessment is required for your company.

11.  Data Protection Officers (DPO)

Decide whether you are required to appoint a Data Protection Officer and, in any case, assign responsibility for GDPR compliance to a named individual.

12.  International Regulation

If your company operates in more than one EU member state, determine which supervisory authority is your lead authority.

 

Many of the fundamental provisions and principles of the GDPR are the same as those of earlier legislation such as the Data Protection Act (DPA). If you operated in compliance with the earlier data protection legislation, most of what you already do with personal data remains a sound starting point for bringing your company into line with the GDPR. However, there are also new provisions and requirements, so some things must be built from scratch, while other existing operational procedures can simply be amended.

Regulatory bodies in each EU member state issue more and more guidance and recommendations to help companies comply with the requirements of the GDPR.

Start your path to GDPR compliance by obtaining support from your company's key stakeholders. You may, for example, need to implement new procedures to comply with new provisions and new rights of individuals in relation to PD. In a large or complex business this may have significant budgetary, IT, personnel and administrative consequences.

The GDPR places more emphasis on documentation: data controllers must maintain records of their processing activities. All of the areas mentioned in this document will require you to reconsider how PD is managed and handled within the company. One of these aspects is the revision of existing contracts and other agreements under which you pass individuals' PD to your counterparties.

Some provisions of the GDPR may be particularly significant for your company (for example, the provisions on the protection of minors). It is therefore worth identifying the provisions that matter most for your project and giving them special attention.

 

   Awareness

Make sure that managers and other stakeholders are aware of the GDPR. They should assess how the provisions of the new Regulation affect their areas of responsibility, identify the weakest areas and prepare them for compliance. It is best to start from your company's risk register, if one exists. If you neglect this step, the changes required to comply with the GDPR may prove costly and disruptive.

 

   Information that you maintain

You should have documentation showing what PD you hold, where it came from and which third parties it is shared with. You may need to audit the information you hold, across the company or within a particular line of business, in order to keep such records. The GDPR requires records of processing activities to be kept, and it updates individuals' rights for a networked, online world. To illustrate: if you hold inaccurate data and have shared it with another company, you must inform the recipient of the inaccuracy so that it can correct its own records and act on any rectification request from the individual. You cannot meet this obligation unless you know exactly what data you obtained, from whom, and to whom you passed it. Good records also help you meet the GDPR's requirement to make your records of processing available to the supervisory authority on request.

 

   Interaction with personal data

Review your existing privacy notices and/or Privacy Policy and check them for compliance with the GDPR. Before the Regulation applied, when collecting PD you were already obliged to tell the user that you were collecting it, who you are and the purposes of the collection. Generally this was done through a privacy notice or Privacy Policy. The GDPR now requires additional information to be provided to users. For example, you must state the lawful basis for processing the data and how long you will keep it, and tell users of their right to complain to you or to the supervisory authority if they believe their PD is being processed unlawfully. The Regulation requires this information to be provided in a concise, transparent and easily accessible form, using clear and plain language.

 

   Rights of individuals

Check whether your procedures cover all the rights of individuals in relation to personal data protection, including the right to erasure of personal data and the provision of information about the PD you process, on request, in electronic or printed form.

The GDPR provides the following rights for individuals:

  • the right to be informed about processing before giving consent;
  • the right of access to their PD;
  • the right to rectification of their PD;
  • the right to erasure of their PD;
  • the right to restrict processing of their PD;
  • the right to data portability (transfer of the data to another controller);
  • the right to withdraw consent to processing; and
  • the right not to be subject to solely automated decision-making, including profiling.

In general, the rights provided by the GDPR correspond to those granted to users by earlier legislation, including the DPA; however, some significant amendments in favour of individuals have been made. You must review your existing mechanisms and develop a procedure for responding to users' requests, for example a request to erase their data. Would your systems be able to locate all the data to be deleted? Who will make the decision on deletion?

The right to data portability is entirely new and applies only:

  • to personal data provided by the individual;
  • if the processing is based on the individual's consent or on the performance of a contract;
  • if the processing is carried out by automated means.

Assess whether you need to amend existing operational procedures. You must provide the personal data free of charge, in a structured, commonly used and machine-readable format.

 

   Requests to access the data

Review your existing procedures for giving access to data and amend the operational procedure for handling such requests, taking into account the new requirements:

  • in most cases you cannot charge a fee for providing access;
  • you have one month to respond to the user, not 40 days as before;
  • you may refuse, or charge a reasonable fee, if the request is manifestly unfounded or excessive;
  • if you refuse, you must explain to the user the grounds for the refusal and inform them of their right to complain to the supervisory authority and to seek a judicial remedy.

If your organisation handles a large volume of requests, consider implementing new procedures so that you can meet the deadlines set by the Regulation, for example by allowing requests to be submitted and answered online.

 

   Lawful basis for PD processing

Identify the lawful basis for each of your processing activities, document it and update your Privacy Policy. Many organisations have neglected the lawful basis for processing personal data because, until now, doing so has had no significant negative consequences. Under the GDPR, however, individuals' rights differ depending on the lawful basis on which you process their PD. The clearest example is the right to erasure where consent is the lawful basis: if you have no lawful basis other than the user's consent and that consent is withdrawn, you are obliged to erase the data. By contrast, if you have another lawful basis, such as a contract for the provision of services, you may continue to process the PD for the purposes and within the scope of that contract until it ends. You must also state your lawful basis when an individual exercises their right of access, and you are obliged to record the lawful basis for each processing activity to meet the GDPR's accountability requirements.

 

   Consent

Review how you request, obtain and record consent to process individuals' PD, and update your consent forms if necessary. Consent must be freely given, specific, informed and unambiguous. It cannot be inferred from silence, pre-ticked boxes or inactivity. It must be presented separately from other terms and conditions, and withdrawing consent must be as easy as giving it. You must be able to demonstrate that consent was given, because it is a lawful basis that you will have to prove. Consent is not the appropriate basis for every kind of processing, so do not rely on it by default. Where you do rely on consent, make sure it meets the GDPR standard: specific, granular (separate consent for separate purposes), clear, prominent, opt-in, properly documented and easy to withdraw. If your existing consent does not meet these requirements, either re-obtain consent in a compliant form or identify an alternative lawful basis for the processing.

 

   Minors

Evaluate whether you need to implement age verification and a process for obtaining consent from a minor's parent or guardian to process the minor's PD.
For the first time, EU regulation provides special protection for the personal data of minors, especially in the context of commercial online services such as social networks. If your organisation offers online services to minors and relies on their consent, you may need the consent of a parent or guardian for the processing of the minor's personal information to be lawful.
Under the Regulation, a minor may give consent personally from the age of 16, although member states may lower this limit to 13 (as the UK has done). If the minor is below the applicable age, you must obtain the consent of a parent or guardian. Failure to do so may have significant consequences for your organisation if it offers online services to minors and collects their PD. Note that the consent must be verifiable and that, when collecting data about minors, the privacy notice must be written in language a minor can understand.

 

   Personal data breaches

Check that you have appropriate procedures in place to detect, report and investigate personal data breaches.

Even before the GDPR, some companies were obliged to notify the regulator about data breaches. The Regulation now imposes that obligation on all companies: a breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. Such a risk exists, for example, where the breach could lead to discrimination, reputational damage, financial loss, loss of confidentiality or any other significant economic or social harm. In some circumstances you must also notify the individuals concerned.

Where the breach is likely to result in a high risk to the rights and freedoms of particular individuals, you must notify them directly. You must have procedures that allow you to detect and investigate breaches of the confidentiality of personal data effectively. Assess the nature of the personal data you hold and decide what a breach notification would need to contain. Companies also need to develop policies and procedures for containing and remedying breaches. Failure to comply with the mandatory breach-notification requirements may be penalised as a GDPR violation, in addition to penalties under other laws.

 

   Data protection and risk assessment

Even before the GDPR, regulatory bodies encouraged additional data-protection measures, including the Privacy Impact Assessment (PIA). The GDPR makes such measures mandatory under the principle of «data protection by design and by default», so the PIA, now called a Data Protection Impact Assessment (DPIA), becomes obligatory in certain circumstances. A DPIA is required where processing is likely to result in a high risk to the individuals whose data is processed, including:

  • when new technologies are applied;
  • when the processing is likely to have a significant effect on individuals;
  • when special categories of data are processed on a large scale.

If the DPIA shows high risks that you cannot reduce to an acceptable level, you must consult the supervisory authority of your EU country before starting the processing. The authority will then tell you to what extent your processing complies with the GDPR and, if necessary, recommend the changes needed to reduce the risks.

 

   Data Protection Officer

Determine whether you must appoint a Data Protection Officer on the basis of the criteria below and, in any case, assign responsibility for GDPR compliance to a named person.

You are required to appoint a Data Protection Officer (DPO) if you are:

  • a public authority (except courts acting in their judicial capacity);
  • an organisation whose core activities involve regular and systematic monitoring of individuals on a large scale;
  • an organisation whose core activities involve large-scale processing of special categories of data, such as health data, or of data relating to criminal convictions and offences.

It is important to give an employee or an external person full responsibility for your personal data protection policy. The person appointed must have sufficient expert knowledge in this area to perform the role properly.

 

   International regulation

If your company operates in more than one EU member state, determine which supervisory authority is your lead authority and, where national law requires it, register with that authority. Your lead supervisory authority is the one in the member state where your main establishment is located, that is, the place where decisions about the purposes and means of data processing are taken. This matters only if your company carries out cross-border processing: it has establishments in several member states, or it is established in one member state but its processing substantially affects individuals in others. In such cases, identify where the most significant processing decisions are taken, or where the largest volume of PD is processed; this will help you determine your main establishment and the authority you should approach.

 

Comprehensive, high-quality preparation for the GDPR calls for professional assistance. Our team thoroughly analyses each project it takes part in, gives legal advice on compliance with GDPR requirements, supports preparation for the GDPR, and prepares the relevant documents and personnel. We will assess the stage your project is at and develop the steps you need. For details of the cost of our services, contact us by telephone or email.