GDPR – To-do List
Jul 11, 2018
The European Union General Data Protection Regulation (GDPR) became effective on 25 May 2018. The regulations impose great obligation and penalties for non-compliance on any organization and person with economic activities that handle personal data of persons within the EU. In particular, identification, protection, and management of all personally identifiable information (PII) of EU residents are required even if the organization is not based in the EU. Previously, our firm has written an article about GDPR and recommendations on how corporations can prepare for the changes (https://ailaw.co.jp/en/blog-en/general-data-protection-regulation-gdpr/). In this article, we will provide a to-do list for organization to get started with compliance if haven’t already.
1. Appoint a Data Protection Officer (DPO) within the Organization
The duties required under GDPR is quite extensive. While it may not be necessary for smaller organizations to appoint a new person specifically, it is best a specific person be appointed and assigned the duty to oversee the compliance process. The DPO should also act as the point of contact for data subjects who may inquire about their personal information.
Appoint a Data Protection Representative (DPR) (if Article 27 is applicable)
The Data Protection Representative should not be confused with the above. This role is specifically for organizations that are based outside of the EU but are under the scope of GDPR. The DPR acts as a bridge between the organization and the authority and data subjects in the relevant EU country.
It should be noted that under Article 3(2), an organization established outside of the EU can be under GDPR if it offers good or services to people in the EU or monitors behaviours that take place in the EU.
However, there are several exemptions, including public authorities as well as the Article 27(2)(A) exception. An organization is said to be exempt from the need to appoint a DPR if the organization only processes data occasionally which is not large scale processing of sensitive data or criminal offences and the processing is not likely to result in a risk to the rights and freedoms of people. Given the purpose of the GDPR, it is recommended that organizations err on the side of caution and interpret the exemption narrowly. When in doubt, please consult with a professional.
2. Identifying the relevant Controllers and Processors
Article 4 (7) defines a data controller as one “which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
Article 4(8) defines a data processor as one “which processes personal data on behalf of the controller”.
For example, a company distributes paper surveys on the street and collects personal information of subjects for the purpose of developing a new product. The completed surveys are then given to a market analyst who turns the surveys into an electronic database and analyses the statistics. In this case, the company is the controller and the market analyst is the processor.
An entity can be both a controller and processor depending on the context. In the above example, the market analyst is a processor of the survey information. However, the analyst has many clients and holds personal information of the main contact persons. In the context of personal information of the people who work for the analyst’s clients, the market analyst is a controller.
3. Perform an Information Audit within the Organization
We recommend following the UK Information Commissioner’s Office’s guides and checklist. A typical information audit would consist of the following:
- Data map – Map out how personal information flows throughout the organisation and any sharing and processing with other branch or third parties.
- Information asset register (or similar documentation) – record of personal data you hold, where it came from, who you share it with and what you do with it. Need to include: the name and details of your business, each controller you are acting on behalf of, and the controllers’ representative (if relevant), your representative and the data protection officer); categories of the processing carried out on behalf of each controller; details of transfers to third countries including documentation of the transfer mechanism safeguards in place, if applicable; and where possible, a general description of technical and organisational security measures.
If you have fewer than 250 employees you only need to keep these records for processing activities that:
a) are not occasional;
b) could result in a risk to the rights and freedoms of individuals; or
c) involve the processing of special categories of data or criminal conviction and offence data.
- Identify the Legal Basis – There needs to be a legal basis that allows you to process an individual’s personal information which are: consent; contract; legal obligation; preservation of life; public interest duty derived from law; preservation of legitimate interest. Note that for special category data or criminal offence data, there is another additional obligation to inform the information subject under Article 9 condition.
4. Review and Update How Consent is Obtained and Reviewed
Consent, when required, needs to be indicated by a clear positive action from the information subject. Controllers need to offer people a genuine choice by informing the purpose and use for such information and provide a system for subjects to “opt-in”. It is recommended that the consent to process personal information be separate to other terms and conditions and written in plain language for ease of understanding.
Information subjects have a right to know what information about them is kept by an organisation and have a right to withdraw consent. Controllers should therefore inform and set up procedures that answers to subjects’ requests. New consents should be obtained when the Controller change their circumstances.
Organizations should refer to Article 13 for the details of what should be included.
The notice should explain:
- what information is kept;
- how is the information processed (explain about any transfer of information when applicable);
- where is the information kept;
- why the information is kept (legal basis);
- how long the information will be kept;
- rights the data subjects have;
- who the organization’s Data Protection Officer is; and
- how the Data Protection Officer can be contacted.
6. Perform a Data Protection Impact Assessment (DPIA) (if applicable)
The GDPR requires a DPIA be performed if the organization fits the following category when collecting personal information:
- A systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.
- Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.
- Systematic monitoring of a publicly accessible area on a large scale.
A DPIA must:
- describe the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
7. Update Internal Protocols and Security regarding Data Management
Under Article 32, organizations must implement appropriate safeguards to protect data they are handling. In the event of unauthorized access, penalties may be imposed if it becomes apparent that the organization has failed in implementing appropriate security measures.
Members of the organization, especially those who have access to personal data, should be trained to understand the significance of GDPR. As part of risk management, access to data should be limited to relevant people only. Organizations should also evaluate how long data should be kept for because of the responsibility attached. Implement a clear chain of reporting and communication procedures regarding the everyday maintenance and also in the event of an emergency. Organizations should test their security measures and contingency plan periodically to ensure the system in place is effective and understood.
Depending on the circumstances, it may be beneficial for organizations to engage professional help or consider restructuring their services to decrease the amount of personal information collected. It is also considered good to utilise encryption, pseudonymization and backups.
We welcome interested persons to contact us to book a consultation regarding GDPR. Our office collaborates with many professionals in the EU countries and may provide tailored assistance to address your concerns.