Part 5: How to fulfil the regulation – privacy by design, internal organisation and consequences of non-compliance
In this fifth and final article about the implications and applications of the GDPR, we will go into further detail about how to fulfil the regulation. We will tell you about “privacy by design” and look at the company’s internal organisation and some of the consequences of non-compliance with the GDPR.
Privacy by design
Bitcoin is a buzzword, and privacy by design is another. Behind the term, however, there are a few basic components that define what it means:
- Companies should be proactive, not reactive
- Data traceability
- Data minimisation
- Processing minimisation
- Storage minimisation
- Access minimisation
- Integrity and confidentiality
Conducting business according to these requirements will be a key concern for companies.
One of the major changes is that the data protection authorities will require everybody to be proactive, not reactive. This means that regulators will no longer want to hear: “Oh, a problem has come up and now we need to clean up the mess.” Businesses will have to be more aware in their handling of personal data.
Companies must also start thinking about data minimisation – they should not process more data than actually needed and they should minimise the storage of data. Data access minimisation is another important topic. If the company employs 1,000 people, they do not all need to see the data. Employee access to data must be limited on a need-to-know basis.
Last but not least, companies need to think about integrity and confidentiality – how they handle data. For example, when running a demo for a customer, a company may not disclose or in any way indicate actual persons.
Companies will also have to make internal changes to ensure that the regulation is fulfilled. As we mentioned in an earlier article, they must keep records of processing activities. They should have policies and instructions in place, which hopefully will just be documenting existing processes. The GDPR will bring some novelties with it, although in many cases these will just have to do with documenting things that companies should have been documenting anyway.
An internal structure and framework must be created relating to who is doing what in the company. There should be internal education ensuring that employees know what personal data is and how to handle it. Incident reporting processes must be implemented. As a rule, any data processor that handles significant quantities of personal data should appoint a DPO.
Companies registered outside of the EU need to appoint a representative in the EU.
Data security basics
The regulation does not specify exactly which measures each company should implement; each company decides these details for itself given its business model and operations. The GDPR does require each controller and processor to have appropriate technical security in place. This may be antivirus, limited access levels, firewalls, encryption, etc. In addition, there should be continuous testing of the technical security in place to ensure that there are no leaks or breaches and that, once implemented, the technical security keeps pace with overall cybersecurity requirements.
Needless to say, the GDPR also requires all businesses to implement such organisational security measures as appropriate structures for handling personal data, access rights, routines, instructions and policies etc.
Consequences of non-compliance
Both data controllers and data processors will face consequences for non-compliance.
With respect to data controllers and data processors, the local data protection authorities will have various rights, such as the right to:
- Carry out data protection audits
- Notify of alleged infringements
- Obtain access to personal data and other relevant information, as well as to premises and equipment
They will also be equipped with enforcement tools, including the ability to:
- Issue warnings/reprimands, order compliance with data subjects’ requests, order the communication of a data breach and/or order the rectification or erasure of data
- Levy a fine of up to EUR 20,000,000 or up to 4% of total worldwide annual turnover, whichever is greater
- Order the suspension of data flows to a recipient in a third country
- Impose a temporary or definitive limitation, including a ban on processing
There are no shortcuts
We’ve mentioned heavy penalties above, but it is important that all data processors understand that there are no shortcuts: the GDPR must be implemented by the book. You must:
- Implement the base principles (article 5)
- Identify lawful processing grounds (article 6)
- Identify sensitive personal details (articles 9+)
- Limit information and access to data (articles 13-14)
- Secure the rights of the data subject (articles 15-21)
The GDPR is a new regime that all data controllers and data processors will have to live by starting in May. As this is a brand-new regulation, there are still significant uncertainties as to how certain provisions should be followed and how the local data protection authorities will enforce them. Businesses will make mistakes when implementing the requirements, but what will be crucial is that you do your utmost and continue learning and improving as the data privacy regulations evolve.
This article was written by Nazar Paradivskyy, Head of Compliance at Pagero Group, together with Fredrik Hjorth, a consultant from Transcendent Group. Fredrik is currently helping Pagero to implement the changes required by the GDPR. He has long experience of legislation in the privacy field and solid experience from banking and finance.