02 Jul Human and organisational aspects of the GDPR
We have all heard about GDPR, the new General Data Protection Regulation drafted by the European Commission that entered into force on 25 May 2018, with important implications for businesses and individuals across Europe and beyond.
If you are a citizen, the advantages are remarkable: now you can access any social network database and look in your personal locker. You are also able to rummage through it and choose what to keep and what to throw away. Your name, your age, your photos, your tastes, and your political, sexual and religious orientations: from 25 May 2018, nobody can store these data without your permission.
If you are an organisation, things are a bit more complicated, but if you make the effort to comply you will receive great advantages too.
A lot of articles have been written on what GDPR is and about its general principles. We want to focus on the organisational aspects of the processes that a company must implement, and especially on those concerning human factors. Our aim is to guide organisations step by step in applying GDPR and, if required, to offer consulting services.
Let’s start by answering a first, important question:
Which organisations are affected by the GDPR?
Almost all of them. Even if the GDPR mainly involves big companies (social network platforms, banks, insurance companies, the public sector and multinational corporations), it also has a big impact on SMEs. If your company manages personal data of European citizens, whether they are customers or your own staff, GDPR must be applied. Your organisation does not need to be based in an EU member state: holding the data of European residents is enough.
Depending on a company’s role, the regulation distinguishes two different figures: the data controller and the data processor. Here you can find a guide about the difference between them.
What do organisations have to do?
At the base of data protection there are two main questions: what data a company holds, and why. Organisations need to start by analysing what kind of data they acquire, hold and process, and what the legal basis for that is.
Much attention must be given to privacy and data subject rights, which need to be designed into systems and processes. To do this, the first step is the adoption of the Data Processing Register.
The second step concerns the risk assessment (both economic and reputational) of a possible loss of information. In case of a data breach, organisations must report the possible violation to the Guarantor (the supervisory authority). But this may not be enough: if the loss represents a threat to people’s rights and freedoms, the data holder must inform all affected parties in a clear, simple and immediate manner and offer indications on possible measures to limit the damage.
How does GDPR deal with human factors?
A first answer comes from a GDPR Summit held in London in June, where Ardi Kolah, Editor-in-Chief of the Journal of Data Protection & Privacy, said that it is a “mistake if your starting point, when looking at GDPR is fines or sanctions”. On the contrary, “trust is the starting point. If GDPR can create trust, companies can do more not less with personal data”.
This is exactly the point. GDPR aims to create a more comfortable environment in which the technological, legal and organisational aspects of a company can coexist better, and in which people feel they can trust companies with their data.
Rebuilding a relationship of trust between people and the organisations that keep their personal data is crucial. A recent survey by ForgeRock on “What the Internet of Things means for consumer privacy” shows consumers’ concern for their privacy. Indeed, 86% of global consumers say they want to control what personal information is automatically collected, 74% are concerned that small privacy invasions may eventually lead to a loss of civil rights, and 57% are worried that they have shared too much personal data online.
But organisations also face other human-related security risks. In a company, even a small or medium-sized one, employees access the stored data every day to carry out administrative, marketing or communication tasks. Each access point used for these tasks represents a vulnerability through which personal data could fall into the wrong hands. For this reason, another focal point of GDPR concerns the organisational aspects of companies.
The GDPR is a complex reform. To be applied in its entirety, it requires a careful study that also includes human factors aspects, such as the gap between actual work practices and written procedures, the usability of data management and protection technologies, and the identification of organisational and human-related vulnerabilities that can favour data breaches. Therefore, it is also highly advisable to contact a consultancy to put GDPR in place. But there are some important principles of data protection covered by GDPR that we want to highlight:
- Lawfulness, fairness and transparency: no more incomprehensible information; the rules for users must be clear and simple, and can be changed at any time.
- Purpose limitation: personal data, especially the most sensitive ones, can no longer be disseminated without explicit permission.
- Data minimisation: only the fundamental data can be kept, while there are strict rules for sensitive data.
- Data retention: more rules for companies, more security for people.
- Integrity and confidentiality: greater care and attention in data retention.
- Data accountability: the Data Protection Officer shall be responsible and must be able to demonstrate and verify compliance with GDPR.
So, have you got a plan?
We can’t eliminate risk altogether: eventually, we will have a data breach. But when it happens, we need to have done enough to ensure the breach does minimal harm. And we need evidence to show we have taken the necessary steps to minimise risk, to avoid fines of up to €20 million or 4% of the company’s global annual turnover for the previous financial year. So, the key is to have a plan.
GDPR could also be a great opportunity for companies to simplify rules and organisational processes and to save money. Indeed, the EU’s 1995 directive allowed member states to interpret the rules as they saw fit when they turned it into local legislation. The nature of GDPR as a regulation, and not a directive, means it applies directly without needing to be turned into national law, creating fewer variations in interpretation between member states. The EU believes this will collectively save companies €2.3 billion a year.
Finally, GDPR doesn’t want to complicate the life of businesses; on the contrary, it wants to make it easier and cheaper for companies to comply with data protection rules. Don’t miss this opportunity!