20,000,000 Reasons to Protect Your Data
The EU General Data Protection Regulation (more familiarly, GDPR) has now been in application for one year. One of its most significant effects is that data protection has become a matter for a company's top management rather than a minor side issue. This is mainly due to the increased responsibilities of controllers, the high administrative fines (up to 4% of global annual turnover or 20 MEUR, whichever is greater) and the extensive liability for damages that can result from a breach of the regulation.
Preparations for the GDPR's entry into application were made on a broad front, especially during the spring of 2018. When May 25, 2018 finally arrived, everything went suddenly quiet. There was no big-bang burst of fines, and the sun rose normally the next day. The new Y2K? Not exactly, because the data protection authorities in the various EU countries are now awake and equipped with their new powers. Fines totalling around 55 MEUR have already been imposed on businesses across the EU for violations of data protection obligations. Admittedly, most of that is Google's 50 MEUR fine from the French Data Protection Authority (CNIL). In Finland the Data Protection Ombudsman has recently announced that it will start inspecting businesses, something the Dutch data protection authority has already made a routine practice.
So unlike Y2K, the topic is still relevant, and increasingly so. Below is a summary of the steps you can take to make sure your business does not end up in these statistics.
I Analyze
What personal data does your company handle, and for what purposes? In other words, do data flow mapping: what, why and where. Do not process any data that is not necessary for the purpose. Keep in mind that online identifiers (such as IP addresses and cookie IDs) are considered personal data in current practice.
What is the legal basis for processing the personal data, and is it appropriate for every processing operation? There must be a lawful basis for each processing operation. In most cases the most appropriate one is a contract (the data is processed to deliver a product or service), consent (for example, digital direct marketing), legitimate interest (for example, other direct marketing) or a statutory obligation (for example, employment or accounting legislation).
How is security ensured? Are the technical means used appropriate to the sensitivity of the personal data being processed? For example, processing health data or personal identity numbers requires more stringent security arrangements than processing basic contact data.
Are subcontractors involved in the processing of personal data? These include, for example, SaaS CRM providers, infrastructure service providers, or even your neighbour Pasi, if he takes part in processing personal data on behalf of your company.
II Build processes and document
Build a process for handling data subjects' rights in your organization, e.g. what happens when a data subject makes an access request. The same applies to detecting personal data breaches and notifying the supervisory authority (within 72 hours of becoming aware of the breach, under Article 33) or the data subjects, that is, what happens if systems containing personal data have been broken into and customer or employee data has been stolen from them.
Build a data protection organization and name the responsible individuals. Depending on the nature of the activity, appointing a data protection officer may also be mandatory, and it is never a bad idea in any case.
Document. Document the findings and results of the analysis (risk assessment, data flows, the legitimate-interest balancing test where applicable, and any remedial actions), create a security policy that describes the security measures the company uses, and document the processes for handling data subjects' rights. Also describe the data protection organization and the persons responsible.
III Update or create the information documents
Privacy Policy. These documents go by many names, but the importance of this one cannot be overstated. It gives the individuals whose personal data is processed access to the essential information about that processing. The document is made available at the points where personal data is collected (web pages, etc.) or, if the data is obtained from elsewhere, communicated for example in the first direct marketing message. Keep in mind, however, that "polishing" the old register description or privacy statement does not by itself make the processing GDPR-compliant; a little more is required.
Prepare a record of processing activities. This document should not be confused with the previous one. It is an internal company document that is provided to the supervisory authority on request. If a data subject asks for it, they can instead be directed to your privacy policy.
IV Make agreements with subcontractors involved in the processing of personal data
The GDPR requires that a controller binds each of its processors, by contract, to the GDPR's requirements. This agreement is commonly known as a Data Processing Agreement (DPA). In addition, the GDPR requires that only processors capable of meeting its requirements may be used. So do not use your neighbour Pasi as a processor unless you have first confirmed that Pasi is able to take care of the security of your data.
Finally, it is worth remembering that there is not always a single right answer to a data protection question; many factors have to be weighed when assessing the lawfulness of a given case. The interpretation of data protection legislation is to a large degree a matter of opinion, which is why there are almost as many views on the same issue as there are people offering them. On one point, however, everyone agrees: playing fast and loose with personal data is not worth it.
Sami Tenhunen is an attorney at Iconics Consulting Oy, which specializes in business law consulting.