Who must comply with GDPR?
Every organisation that is located in the EU, or that is collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, transmitting, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying personal data of people situated in the EU, must comply with GDPR.
The regulation is binding for organisations with more than 250 employees. However, it is also binding for smaller organisations (even one-person businesses) if they process data in a systematic way, and "systematic" already starts with printed papers filed in a certain order or spreadsheets that are used regularly. Therefore, if we consider e.g. accounting or a customer database, every company, even one with only a few or no employees, is concerned with GDPR.
Here we list some examples of activities that are covered by GDPR.
If you do just one of these activities, you have to comply with GDPR:
- Sending an email newsletter
- Using a customer database or any CRM system
- Accounting with invoice addresses of your suppliers and clients
- Analysing your website visitors with tools like Google Analytics
- Using cloud storage like Dropbox, Google Drive or OneDrive for personal data
- Employing people with wage accounting
- In some countries, like Austria, even image processing and video surveillance are concerned with GDPR.
You have to comply with GDPR if you are processing personal data of EU citizens as in any of these examples.
Why comply with GDPR?
You have to comply with GDPR for a couple of reasons, not only because it is the law! Think of the financial cost of recovering data after an incident. And consider your reputation: when you are GDPR compliant, your clients really appreciate that they can trust you.
First, because you need to protect personal data
If you are a data controller or data processor, it is your obligation to protect and secure "any information relating to an identified or identifiable natural person" (page 7) GDPR (9).
Second, to prevent high fines for your business
From May 25, 2018 there are high fines for non-compliance (up to 4% of the yearly … or €20 million).
Third, to keep your good reputation
Imagine you lose data because of a security issue, or all your data gets encrypted by ransomware: you would need to inform the affected people and even go public with the incident, which causes a lot of rumours and loss of reputation.
Fourth, to limit costs after a data breach
If you lose data through a data breach or through an angry employee who left your company, recovering the data (if possible at all) can cost a lot of time and money.
Fifth, to increase customer loyalty
If people can choose between a trustworthy online service with transparent security measures and a public data protection statement, and a non-compliant online service, even if the latter might be more reasonably priced, this will be a fast decision for most of them. And you can use it as a marketing point: people love to know that their data is safe and is not passed on to third parties.
That's it! This is why you should comply with GDPR!
If you have read this far, you are probably interested because you have a business and store, process, copy, … personal data. Start today and become GDPR compliant.
What is GDPR
You are probably here because you have heard about the GDPR and are full of questions. Maybe you have read something in the news, or on the European Union website (but probably not). And now you are curious about it and about the consequences for your business.
The General Data Protection Regulation (GDPR) is a European law to protect the privacy of European citizens. It concerns all companies and organisations that work with data of European citizens, even companies and organisations outside the European Union that store data of people who live in Europe.
When the EU General Data Protection Regulation (GDPR) takes effect in the European Union from May 25, 2018, there is not much change for some countries, as they already have strict data protection regulations; before, however, there were 28 different regulations or laws across Europe. One reason to introduce the GDPR was to simplify and enhance the transfer of personal data between organisations in different countries while protecting personal data in an appropriately secure way. To support this idea of data transmission, all businesses, including SMEs, as well as public or private, profit or non-profit organisations must comply with a set of rules to ensure a high level of data protection.
To comply with GDPR you have to provide documentation about your data processing activities and your data protection efforts. Furthermore, you probably have to update the privacy statement on your website. In some cases, you also have to carry out a data protection impact assessment (DPIA), which focuses on data security and risk management. Of course, if the processing of data is your main business purpose, you might need a data protection officer. All these steps are necessary to provide an appropriate level of data protection according to the EU GDPR.
Personal data is all data relating to an identifiable natural person. This includes information that is either directly about someone or can be traced back to a person.
Consider, for example, ordinary personal data:
- Postal code + city
- Phone numbers
- E-mail addresses
- Date of birth
But also data by which a person can be traced:
- IP addresses
- MAC addresses
Special categories of personal data
The GDPR mentions the following special categories of personal data (Art. 9):
- racial or ethnic origin,
- political opinions,
- religious or philosophical beliefs
- trade union membership,
- genetic data,
- biometric data,
- data concerning health or
- a natural person's sex life or
- sexual orientation.
How to comply with GDPR?
When people learn about the GDPR, the first question they have is: how do I comply with GDPR? Do I really need a data protection officer? Do I need expensive consultants?
So this is how to comply with GDPR:
1. Create a record of processing activities
The first thing is to start with a record of all your processing activities. Each and every company, organisation, association, ... will need a record or index of processing activities listing the categories of personal data that are processed. These records give you (and also the supervisory authority) an overview of which kind of personal data you are processing, for which purpose, how long it is stored, whether it is transmitted to recipients and so on. No specific format is required for this index, but it is the most important point in how to comply with GDPR. (Article 30 GDPR)
2. Make contracts with your processors
You will probably have processors that are storing, copying, using or even destroying data because you told them to, like your hosting company, your external accountant, your cloud storage provider, ... As you are the controller and therefore responsible for the personal data you are processing, you have to make sure that your processors are also protecting and securing the data in a GDPR compliant way. For individual services you are using, you will have to make an individual contract with your processors. For mass services, e.g. cloud storage, you will find the processor's terms and conditions and you will need to add this information to your documentation. (Article 28 GDPR)
3. Check whether a data protection impact assessment (DPIA) is necessary
While compiling your record of processing activities you also have to document the technical measures you use to secure and protect the data; this is also part of how to comply with GDPR. If an activity poses a high risk to the rights and freedoms of the people concerned, you need to do a risk assessment for that processing activity. Within this DPIA there needs to be a risk analysis covering the probability and impact of a data breach. You will have to find measures that reduce probability and impact so that the risk of the processing activity is minimised. If a high risk would still remain, you have to consult the supervisory authority. (Article 35 GDPR)
4. Check public statements
After you have done these first three steps, you have gathered a lot of information and have already produced some documentation. Probably you have found out where you are missing texts or statements about data processing that provide transparency and information for your clients. For example, you will have to check your website for your privacy statement, for cookie consent and for eCommerce compliance. Maybe you need to update your general terms and conditions. (Articles 13, 14 GDPR)
If you are a small company that does not deal with sensitive data and does not do any profiling, you should be done and settled now; this is how to comply with GDPR. You will need to re-evaluate, at least on a yearly basis, whether there are any changes in your processing activities or internal processes. In case of changes you would of course have to update your documents.
Do you need a data protection officer (DPO)?
Whether you need a data protection officer (DPO) or not depends on the scope and purpose of your data processing activities.
You must officially appoint a data protection officer (Articles 37-39) and notify your supervisory authority,
- if your core activity consists of processing activities that by their nature, scope and/or purpose require extensive, regular and systematic monitoring of data subjects (e.g. insurance companies, professional detectives, tracking of people while travelling, ...) or
- if your core activity is the extensive processing of sensitive data (e.g. hospitals or medical institutions) or of data on criminal convictions or offences.
However, a single physician does not need a DPO, as the data processing there is not extensive.
The Article 29 Working Party defines "core activities", "regular" and "systematic" so that the terms can be used for general interpretation:
"Core activity" can be considered as the key operations needed to achieve the controller's or processor's objectives.
"Regular" is interpreted as one or more of the following:
- ongoing or occurring at particular intervals for a particular period
- recurring or repeated at fixed times
- constantly or periodically taking place
"Systematic" is interpreted as one or more of the following:
- occurring according to a system
- pre-arranged, organised or methodical
- taking place as part of a general plan for data collection
- carried out as part of a strategy
Tasks of Data Protection Officer
A data protection officer (DPO) has to fulfil the following tasks:
- Informing and advising the controller and the employees on their obligations under GDPR.
- Monitoring and reviewing data protection compliance and privacy policies, including the assignment of responsibilities and the awareness and training of staff.
- If applicable, providing advice on the DPIA and monitoring its implementation.
- Acting as the contact point for, and cooperating with, the supervisory authority.
Data processors within GDPR
Data processors process data on behalf of the controller. You need to ensure that your processors are GDPR compliant.
Generally, data processors are only allowed to process personal data on documented instructions (= a contract) from the controller. The processor also has to ensure this through technical and organisational measures.
Record of processing activities for data processors
- Name and contact details of the processor and, if applicable, of its data protection officer
- Name and contact details of the controller (and of its representative and, if applicable, data protection officer) on whose behalf the data is processed
- Categories of processing activities carried out on behalf of the controller
- Transmission of data to third countries or international organisations
- If data is transmitted: documentation of the guarantees that the transfer is EU GDPR compliant
- General description of TOMs (technical and organisational measures)
If a processor engages another processor or subcontractor, the controller must be informed in advance and must approve the processing activity.
Technical and organisational measures
With appropriate technical and organisational measures you must protect the personal data for which you are responsible and ensure processing in accordance with the principles of the GDPR.
The GDPR lists the following measures for ensuring the security of personal data at an adequate level of protection (Article 32 GDPR):
- "the pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."
How can you implement these technical and organisational measures?
You can use the following measures to ensure the protection and security of the data:
- Access control: e.g. access to server rooms only with key or chip card, office rooms secured with an alarm
- Integrity: e.g. user authorisations restricted to tasks (marketing department only the newsletter, accounting also HR data)
- Pseudonymisation: e.g. replacement of user-related data by random codes
- Encryption: e.g. hard disk encryption or a cloud solution with encryption
- Transmission control: e.g. TLS (SSL) certificate for websites (https://) so that data entered in forms is transferred encrypted
- Confidentiality: e.g. password policies
- Recoverability: e.g. backups that are regularly checked for successful recovery
- Evaluation: e.g. annual review of the technical and organisational measures for effectiveness and plausibility
Depending on the risk, you must choose the appropriate technical and organisational measures. In the future we will provide further examples here.
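The pseudonymisation and encryption measures above are easy to get wrong in practice: replacing an e-mail address by a plain hash is not pseudonymisation, because anyone with a list of candidate addresses can recompute the codes, and the lookup table that links codes back to people must be kept apart from the data set it protects. The following Python script is an added example (not code from the original page) showing both a random-code pseudonymiser with a separately kept vault and a keyed alternative using HMAC. The sample customer rows, the key and all function and class names are constructed for illustration.

```python
"""Pseudonymisation of a customer table (Article 32: "pseudonymisation and
encryption of personal data").

Added example, not code from the original page. The sample records, the
key and all function names are constructed for illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample: three CRM rows, two of them about the same person.
CUSTOMERS = [
    {"email": "alice@example.com", "city": "Vienna", "birth_year": 1980, "orders": 4},
    {"email": "bob@example.com", "city": "Graz", "birth_year": 1992, "orders": 1},
    {"email": "alice@example.com", "city": "Vienna", "birth_year": 1980, "orders": 2},
]

# Fields that identify a person directly and therefore get replaced.
DIRECT_IDENTIFIERS = ("email",)


@dataclass
class Pseudonymiser:
    """Replaces identifiers by random codes and keeps the lookup table (vault).

    The vault is the additional information that makes re-identification
    possible; it belongs on a separate system with stricter access control
    than the pseudonymised data set itself."""
    vault: dict = field(default_factory=dict)     # code -> identifier
    _reverse: dict = field(default_factory=dict)  # identifier -> code

    def code_for(self, identifier):
        # One code per person, so records can still be joined after pseudonymisation.
        if identifier not in self._reverse:
            code = secrets.token_hex(8)   # random: reveals nothing about the input
            self._reverse[identifier] = code
            self.vault[code] = identifier
        return self._reverse[identifier]

    def pseudonymise(self, record):
        out = dict(record)
        for name in DIRECT_IDENTIFIERS:
            out[name] = self.code_for(out[name])
        return out

    def reidentify(self, code):
        """Needs vault access; used e.g. to answer an access or erasure request."""
        return self.vault.get(code)

    def erase(self, identifier):
        """Dropping the mapping turns that person's pseudonymised rows into
        anonymous data, which is one way to honour an erasure request."""
        code = self._reverse.pop(identifier, None)
        if code is not None:
            del self.vault[code]


def keyed_pseudonym(identifier, key):
    """Deterministic alternative without a table: HMAC-SHA256 under a secret key.

    A plain hash (sha256 of the e-mail) is not sufficient: e-mail addresses are
    guessable, so anyone with a candidate list can recompute the codes. With a
    secret key only the key holder can do that, and rotating the key unlinks
    old and new data sets."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


if __name__ == "__main__":
    p = Pseudonymiser()
    for row in CUSTOMERS:
        print(p.pseudonymise(row))
    print("vault (store separately):", p.vault)
```

The random-code variant is the better fit when you need to answer access or erasure requests, because deleting a vault entry is all it takes to cut the link; the keyed variant is useful for analytics exports where no table should travel with the data, provided the key stays with the controller.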
How to create a Privacy Statement?
Whenever you collect personal data from a natural person, you have to inform that person about who you are, the purpose of the processing, the recipients of the data, how long you are keeping the data, ... One way to inform people is a privacy statement.
There are two different cases in which you have to inform people about data processing:
- if personal data is collected directly from the person concerned
- if personal data is not collected directly from the person concerned but received from someone else.
In the second case, where you do not receive the data directly from the person concerned, you have to inform the person before you process the data for the first time, and at the latest within a month.
Here we give you some information about how to update your privacy statement, e.g. for your website. However, for other activities you also have to inform people about your data processing and give them the corresponding information, such as purpose, contact details, ...
What you have to state in your privacy statement:
- for which processing activity you are collecting the data (website tracking, newsletter, ...)
- the data controller (contact details) or representative (name, email, phone, ...)
- the legal basis of the processing (fulfilling a contract, consent, ...)
- whether you are transmitting the personal data to other recipients (cloud storage, newsletter software, accountant, ...)
- if you are transmitting the personal data to recipients outside the EU, what kind of security measures you are using to ensure data protection (Privacy Shield, binding corporate rules, ...)
- how long you are going to keep the data (general inquiries for 6 months, tracking data for 14 months, ...)
- how the user can exercise his/her rights of access, erasure (cancellation), restriction of processing and data portability, and the right to object (state a contact and inform about the local supervisory authority)
- if you have automated decision processes (profiling), you have to inform the users about that as well
You should publish this privacy statement, e.g. on your website.
There are many privacy statement generators online; however, you will have to check their quality and whether all obligatory information is included.
What is a DPIA - Data Protection Impact Assessment?
A data protection impact assessment (DPIA) is necessary if a type of data processing is likely to result in a high risk to the rights and freedoms of natural persons.
DPIA - Data Protection Impact Assessment
Within GDPR, controllers (= responsible persons) must ensure the protection of the personal data they are processing. If an activity poses a high risk to the rights and freedoms of natural persons, you need to do a risk assessment for that processing activity.
Within this DPIA there needs to be a risk analysis covering the probability and impact of a data breach. You will have to find measures that reduce probability and impact so that the risk of the processing activity is minimised. If a high risk would still remain, you have to consult the supervisory authority.
The Article 29 Data Protection Working Party has published guidelines on how to do a DPIA; a DPIA is not necessary for all processing activities. A DPIA can also assess multiple similar operations at the same time.
In the same guidelines (2017, p. 9-11), the Working Party also names 9 criteria for processing operations that may require an assessment; a DPIA is likely to be required if at least two criteria are met:
- Evaluation or scoring
- Automated-decision making with legal or similar significant effect
- Systematic monitoring
- Sensitive data or data of a highly personal nature
- Data processed on a large scale
- Matching or combining datasets
- Data concerning vulnerable data subjects
- Innovative use or applying new technological or organisational solutions
- Processing in itself "prevents data subjects from exercising a right or using a service or a contract"
Consider also that the DPIA needs to be carried out before the start of the data processing activity or application. A DPIA is a useful way to determine the risk and impact of your data processing and whether your activities are GDPR compliant. (Article 35 GDPR)
How to do a processing index?
In order to comply with GDPR, the first thing you have to do is a record of all your data processing activities; we call it a processing index.
Get started with the processing index
In the records of your processing activities, you have to list the following information (Article 30 GDPR):
- name and contact details of the controller (= responsible person)
- if applicable: name and contact details of the controller's representative and data protection officer
- the purpose of the data processing (accounting, marketing, newsletter, payroll, video surveillance, ...)
- the legal basis (legal obligation, fulfilment of contract, legitimate interest of the controller, consent, ...)
- categories of data subjects (employees, clients, suppliers, interested people, ...) and categories of personal data (name, address, IP address, birthdate, ...)
- categories of recipients (hosting provider, cloud storage, external accountants, legal authorities, ...)
- if applicable: transfers of data to third countries or international organisations and suitable safeguards
- deletion deadlines for the different data categories (bookkeeping documents for 7 years, website interests for 1 year, ...)
- general description of technical and organisational security measures (encryption, pseudonymisation, backup, access control, ...)
This is the processing index you have to create and maintain in order to be compliant with EU GDPR, because it is the basis for all further analysis, information and documentation.
If you are processing data for other companies, you are, in terms of GDPR, a processor acting on behalf of the original controller. In this case, you have to maintain a record of all processing activities you are carrying out on behalf of the controller. This processing index has to contain the following:
- name and contact details of processor
- name and contact details of controller on behalf of which the processor is acting
- if applicable: name and contact details of the representative and data protection officer
- categories of processing
- if applicable: transfers of data to third countries or international organisations and suitable safeguards
- general description of technical and organisational security measures
Processing index completed ... and now?
While creating and recording your activities, you will find out what kind of data you are processing. For GDPR, you have to ensure through technical and organisational measures (TOM) that this personal data is stored, transmitted, processed, ... in a safe way. Especially if you are
- processing huge amounts of data, or
- processing special categories of data (Article 9 GDPR), or
- running an activity with a high risk for the rights and freedoms of natural persons,
you need to carry out a DPIA. In other cases, you have to conduct a DPIA if a processing activity involves a high risk.
After completing the processing index, you also know with which processors you will have to make a contract to guarantee appropriate technical and organisational measures for data protection and security.
You will also have to check all your public statements about data processing, and you have to ensure that you inform people in advance whenever you collect or process their personal data. If you receive personal data from a third party, you have to inform the people about the data processing activity before you process it for the first time, and at the latest within a month.
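Since the page notes that no specific format is required for the processing index, a small structured record is often the most practical form: it lets you check automatically which Article 30 points are still empty, which activities trip the DPIA triggers listed above, and which recipients are processors that still need an Article 28 contract. The Python module below is an added example, not a template from the page's authors; the field names, the role labels on recipients, the two sample activities and the company name are constructed for illustration, and the DPIA check implements only the three triggers named in the section above, not the full Working Party criteria.

```python
"""Record of processing activities (Article 30) as a small data structure,
with a completeness check, the DPIA triggers named on this page and the
list of processors that still need an Article 28 contract.

Added example, not a template from the page's authors. Field names, role
labels and the sample activities are constructed for illustration."""
from dataclasses import dataclass, field

# Article 9 special categories as listed on this page (lower-case keys).
SPECIAL_CATEGORIES = {
    "racial or ethnic origin", "political opinions",
    "religious or philosophical beliefs", "trade union membership",
    "genetic data", "biometric data", "health data", "sex life",
    "sexual orientation",
}


@dataclass
class Activity:
    name: str
    purpose: str                   # accounting, marketing, newsletter, payroll, ...
    legal_basis: str               # legal obligation, contract, legitimate interest, consent
    data_subjects: list            # employees, clients, suppliers, ...
    personal_data: list            # name, address, IP address, health data, ...
    recipients: dict               # recipient -> role: "processor", "authority" or "controller"
    retention_months: dict         # personal data category -> deletion deadline in months
    security_measures: list        # encryption, pseudonymisation, backup, access control, ...
    third_country_transfer: bool = False
    transfer_safeguards: str = ""  # must be documented whenever data leaves the EU
    large_scale: bool = False
    high_risk: bool = False        # outcome of your own risk assessment


@dataclass
class ProcessingIndex:
    controller: str
    controller_contact: str
    representative: str = ""       # if applicable
    dpo: str = ""                  # if applicable
    activities: list = field(default_factory=list)


def missing_fields(a):
    """Return the Article 30(1) points (as named on this page) that are still empty."""
    gaps = []
    for name in ("purpose", "legal_basis", "data_subjects", "personal_data",
                 "recipients", "security_measures"):
        if not getattr(a, name):
            gaps.append(name)
    # every category of personal data needs a deletion deadline
    for cat in a.personal_data:
        if a.retention_months.get(cat, 0) <= 0:
            gaps.append("retention_months:" + cat)
    # transfers outside the EU must document suitable safeguards
    if a.third_country_transfer and not a.transfer_safeguards:
        gaps.append("transfer_safeguards")
    return gaps


def needs_dpia(a):
    """DPIA triggers from the page: large-scale processing, Article 9 data, or high risk."""
    special = any(c.lower() in SPECIAL_CATEGORIES for c in a.personal_data)
    return a.large_scale or special or a.high_risk


def processors_needing_contract(index):
    """Recipients acting as processors on your behalf need an Article 28 contract;
    authorities and independent controllers do not."""
    return sorted({r for a in index.activities
                   for r, role in a.recipients.items() if role == "processor"})


def build_sample_index():
    """Constructed sample: a small company running a newsletter and payroll."""
    newsletter = Activity(
        name="newsletter", purpose="marketing", legal_basis="consent",
        data_subjects=["clients", "interested people"],
        personal_data=["name", "email address"],
        recipients={"newsletter software": "processor", "hosting provider": "processor"},
        retention_months={"name": 12, "email address": 12},
        security_measures=["TLS for the signup form", "access control"],
        third_country_transfer=True, transfer_safeguards="standard contractual clauses",
    )
    payroll = Activity(
        name="payroll", purpose="wage accounting", legal_basis="legal obligation",
        data_subjects=["employees"],
        personal_data=["name", "address", "bank account", "health data"],  # sick-leave notes
        recipients={"external accountant": "processor", "tax authority": "authority"},
        retention_months={"name": 84, "address": 84, "bank account": 84},  # health data: no deadline yet
        security_measures=["encryption", "backup"],
    )
    return ProcessingIndex("Example GmbH", "privacy@example.com",
                           activities=[newsletter, payroll])


if __name__ == "__main__":
    idx = build_sample_index()
    for act in idx.activities:
        print(act.name, "gaps:", missing_fields(act), "DPIA:", needs_dpia(act))
    print("contracts needed with:", processors_needing_contract(idx))
```

Running the sample flags the payroll activity twice: it has no deletion deadline for the health data yet, and the presence of an Article 9 category means a DPIA has to be considered before the processing starts. The newsletter activity passes the completeness check only because its transfer outside the EU carries documented safeguards; drop that field and the check reports the gap.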