A spectre is haunting Europe – the spectre of GDPR.
It seems to be the one thing everyone in the data security industry is talking about, Equifax aside…
Articles are being written, consultancy firms are popping up, and businesses are quietly panicking.
Yet, like so many grand legislative changes, many people are unsure what GDPR is, how it could affect their business, or whether they should even be worried about it at all.
In this article, we’ll be looking to clear up some of those misconceptions while presenting actionable steps for how companies can go about adjusting to the coming changes. We’ve scoured the available resources to find the answers to our concerns about GDPR and now we’re sharing it with you.
(Still employ a consultant though. As you’ll see, there’s too much at stake not to!)
We’ll explore not just the impact on European companies but also companies outside the European market who process or control data which could come under the scrutiny of these EU measures. SaaS companies like Process Street will find themselves needing to adapt their services for their large European clients, and if you work within the SaaS field you might have to do so too.
Before we go further, let me give you a Too Long; Didn’t Read:
The best short summary of the ethos of GDPR I’ve read comes from Wired:
For companies that have more than 250 employees, there’s a need to have documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for and descriptions of technical security measures in place.
The GDPR broadly sets out:
- You need to have a system in place to manage data and security.
- You need to have that system fully documented.
- You need to operate within the parameters of the GDPR, e.g.
  - Consent boxes cannot be auto-filled as “yes”.
  - Companies must respond to access requests from users within 1 month.
  - Requests for personal information must be processed free of charge.
At the end of this article, you’ll find a free Process Street checklist which uses ICO recommendations and Article 29 Working Party advice to guide you through assessing your company’s GDPR readiness!
What is GDPR?
General Data Protection Regulation, commonly referred to as GDPR, is a new piece of European Union legislation intended to standardize data regulation across Europe while providing greater protection and control over data to the consumer.
The legislation wasn’t particularly controversial.
It comes as the product of four years worth of work performed by the European Commission in consultation with the 28 member states and as an upgrade to the previous data laws originally ratified in 1995.
Times have changed and so must the law.
GDPR was passed through the European Parliament and the European Council in April 2016 and published publicly, beginning the transition period, in May 2016 in the EU Official Journal. The transition period allotted to the legislation is 2 years which means that come May 2018 companies failing to comply could be liable for punishments.
And, my, what punishments they are!
In 2016 TalkTalk were fined £400,000 for security failings which resulted in customer data being accessed by hackers. Pharmacy2U received a fine of £130,000 for a similar failure to protect their customer data adequately. These fines of hundreds of thousands of pounds sound big, but are nothing compared to the punitive powers available once GDPR has come fully into action.
Recent research by the NCC Group has suggested that under GDPR rulings, TalkTalk would have received a whopping £59m fine and Pharmacy2U would have had to shoulder a fine of £4.4m.
In fact, the average fine under GDPR is expected to increase by 79 times against existing punishments.
In general, the structure of fines will be in two broad categories. Smaller offenses will carry a fine of up to £10m or 2% of a firm’s global turnover, whichever is larger, while more serious violations will result in fines up to £20m or 4% of a firm’s global turnover, again depending on which is larger.
This is likely the source of the panic and the reason so many consultants see this directive as a potential gold rush.
However, just because these fines are available to the governing authorities doesn’t mean they will be aggressively enforced. Many regulatory bodies have been quick to make clear that they are willing to work with businesses to encourage compliant behavior and don’t want to punish companies making welcome contributions to their economy.
Elizabeth Denham, the UK’s information commissioner, is quoted in Wired as saying:
“We will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways,” she says. “But we’ve always preferred the carrot to the stick.”
You can read more on Denham’s view of GDPR, the role of consent, and its impact on industries in her post on the ICO News Blog.
She makes clear in the article that companies need to show they have lawful reason or justification for processing people’s data. The commonly discussed change is a stronger enforcement of the importance of user or customer consent to their data being processed. However, as Denham demonstrates, there are other legally valid justifications for gathering and processing data. If we look at the new guidelines we see 6 different justifications for why a company is processing data:
6(1)(a) – Consent of the data subject
6(1)(b) – Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
6(1)(c) – Processing is necessary for compliance with a legal obligation
6(1)(d) – Processing is necessary to protect the vital interests of a data subject or another person
6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
6(1)(f) – Necessary for the purposes of legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
Which brings us on to one of the key distinctions within the GDPR: the controller and the processor.
Wired again give us useful short summaries of how these two terms are used within the context of the law:
Controller: A controller is an entity that decides the purpose and manner that personal data is used, or will be used.
Processor: The person or group that processes the data on behalf of the controller. Processing is obtaining, recording, adapting or holding personal data.
The reason for this distinction is to broaden the scope of application of the law while also allowing the minutiae of the legislation to be more accurately tailored to the different ways companies interact with data on a practical level.
Who is affected by GDPR?
Well, in short, the GDPR applies to both controllers and processors of data.
If that sounds vague in a world where every business seems to operate closely with data, then we would be on the same page.
These regulations apply to companies doing business in the EU, not just businesses registered in the EU.
As mentioned previously in the article, the GDPR sets out certain conditions depending on the size of the company. For larger companies or ones which handle vast amounts of data the requirements are more stringently applied. This makes sense, of course, as larger companies will be better prepared to deal with incorporating new regulations than startups would be, and the impact of data breaches where larger amounts of data are concerned is likely to be greater.
The extraterritoriality of the data has led to the extraterritoriality of the law.
This means that it doesn’t matter whether you are based outside of the EU. If the data has come from within the EU then the law still applies to its storage and usage.
It even includes a series of other data protections which will probably prove difficult to work with for a number of companies. For instance, all customers or users will have the right to request any data held on them, the right to have that data deleted if its original purpose has ceased, and the right to have that data transferred to a different provider.
These all sound like strong individual protections but they come with some added difficulties.
In order to provide an individual with the right to request, delete, or move their personal data, the individual must be aware that you as a company have the data to begin with. Without their awareness of you accessing or holding data pertaining to them they have no actionable right. As such, use of user or customer data through third party providers is likely to become quite complicated.
According to Atlantic Leap:
Additionally, if a business sources personal data from a third party, it will likely have to communicate with the data subject, providing contact details for the data protection officer, an explanation of the legal basis for processing, and details of the objection or opt-out process. For the latter, a publicly available notice on its website is not enough: data subjects must be notified directly.
David Reed, Director of Research for DataIQ, believes that one potential impact this might have is a massive drop off in the adtech industry, particularly B2B adtech. He predicts the industry will have to feel its way toward a more B2C model in order to ensure compliance with these new individual protections.
In the words of cybersecurity firm Varonis:
Ultimately, the GDPR applies to EU based companies and companies that collect data of EU citizens, regardless of a physical presence in the EU.
Why should SaaS companies be concerned?
Hopefully, you’ll see already why SaaS companies should be concerned.
To quote Joe Curtis, writing for ITPro:
‘Controllers’ and ‘processors’ of data need to abide by the GDPR. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. So the controller could be any organisation, from a profit-seeking company to a charity or government. A processor could be an IT firm doing the actual data processing.
Ultimately, that’s what SaaS firms are: processors.
A SaaS company might not consider European citizens to be amongst their audience – unlikely, but roll with it – yet if one of the companies a B2B SaaS company provides a service to has EU citizens as their audience, then they’re possibly processing a load of European data.
And that’s the scenario I could think of which is most detached from business in the EU! Many SaaS companies will have European clients as standard anyway.
According to Irene Bodle, on Bodle Law, who specializes in the legal landscape for SaaS companies:
The GDPR applies to data controllers (SaaS customers) and data processors (SaaS suppliers) and in particular SaaS suppliers should be aware that some of the GDPR applies directly to data processors who will be subject to compliance requirements and sanctions for non-compliance.
For further clarification in case you needed it:
The GDPR will apply not just to EU SaaS customers or suppliers but also to non-EU SaaS customers or suppliers who:
- offer goods or services to data subjects in the EU; or
- monitor the behaviour of EU citizens to the extent that behaviour takes place in the EU.
This legislation affects you.
In case you think being outside of the EU’s authority will help you, remember that the EU are currently going to the European Court of Justice to make Google enforce their right-to-be-forgotten laws on global searches; a case Canada has already won on the other side of the Atlantic.
So, how can you become compliant? Read on!
How to comply with GDPR
In this section we’ll give you a couple of key pointers on how to protect your business. These are general guidelines. Depending on the nature of your company, you may not have to follow all of these. Alternatively, you might have to follow all of them and more.
Data Protection Officer
It is best to nominate someone to be your Data Protection Officer even if you are a small company and suspect you can fly under the radar.
The idea behind companies appointing Data Protection Officers is to bring data security up to the boardroom. This makes a structural change in organizations which the EU hopes will result in a cultural shift to recognizing the importance of individual data rights and adherence with the GDPR.
The Data Protection Officer should be someone appointed as a result of having a level of expertise in the area. Not my words; the legislation states that it should be someone with reasonable capacity for the job.
Really, a Data Protection Officer is needed in two scenarios:
- When an organization’s core business involves processing personal data along with monitoring data subjects.
- When the company deals with a large amount of sensitive data.
For the purposes of best practice, it would be wise to appoint one anyway.
You should make sure to document all aspects of your company’s interactions with data.
- Why was the data gathered in the first place? What is its purpose?
- Upon what legal basis are you justifying holding that data? Consent or legal requirements?
- Who has access to that data?
- How are you protecting that data from breaches?
- What else is that data being used for?
Through documenting your processes you will have a much stronger understanding of your own company’s data management strategies and realities, as well as bringing yourself into compliance.
One definite piece of documentation to do is a data protection impact assessment (DPIA).
Given the importance the EU have placed on personal data, it comes as no surprise to see they want relevant stakeholders made aware when it has fallen into other hands.
In the case of a breach, the company must inform the relevant regulatory body within 72 hours of finding out about it. That 72 hours is a cut-off point, and best practice is to inform the regulatory body as soon as possible.
The same applies to the individuals you hold data on. The company must contact all individuals to make them aware that their data has been breached if this is seen to pose a danger to their rights or freedoms. This more likely applies to sensitive data like credit card information, but it depends on the specific scenario.
There are a few exceptions:
- If the data has been encrypted to the point of being unintelligible.
- If the data controller has taken the necessary steps to make sure the breach doesn’t put rights or freedoms at risk.
- If it would involve a disproportionate amount of effort to inform each individual. In this scenario a public announcement would suffice.
That last point appears to be quite vague, but I’m sure we’ll have a greater understanding of what is deemed a disproportionate amount of effort once enforcement begins and precedents have been set.
Data subject rights
Data subjects receive a host of new rights under GDPR, many of which have been covered at points in this article.
Here is a short summary from Irene Bodle of the particular subject rights you should be aware of as a SaaS company:
- data portability;
- the right to be forgotten;
- the right to prevent profiling;
- the right to object to processing;
- the right to rectification and erasure;
- subject access requests (“SARs”).
As mentioned, these subject access requests are free and should be responded to by the data controller within one month. However, there are grounds for the data controller to charge the subject for relevant administrative costs if it can be demonstrated that the request is “manifestly unfounded or excessive”.
This way, the individual receives the rights while the companies receive some protection against subject abuses of their rights.
How you can use Process Street to help your compliance
In order to help you further, we’ve decided to create a checklist which you can use in your company to assist your implementation period.
This Process Street checklist embedded below is an interactive version of the ICO’s 12 step preparation guide.
You can save this as a template to your Process Street account and run it as a checklist to help guide you through the process of becoming GDPR compliant.
For many large companies, you won’t have to run this checklist only once, but many times. Different teams or wings of the company will need to analyze their activities for non-compliant structures or processes. This checklist should hopefully help each team tackle their problems.
All data entered into the checklist will be saved in the template overview tab so that the appointed Data Protection Officer can monitor the responses and information from each team. This is designed to help large companies create a system of oversight quickly and easily.
Act now and protect your business
Hopefully this article has highlighted the risks of not following GDPR and demonstrated what you need to start doing to become compliant.
We always recommend, however, when so much is at stake to consider bringing in specialized consultancy services. These experts can then assess your compliance and recommend any further steps to take before the deadline of May 2018 rolls around.
The law, according to Denham, is only a “step change” from the legislation already in existence within Britain and shouldn’t pose too many hurdles for companies looking to be compliant.
Yes, there are likely to be kinks early on. All laws have kinks; some people too. But those kinks will be worked out, and it pays to keep up to date with data security issues as they unfold once the law comes into enforcement.
Document your processes, update your procedures, and structure your business to avoid the heavy hand of EU law damaging your profits.
Have you implemented changes in your business in order to be compliant with GDPR? How did you find the process? Let us know in the comments below!
Thanks for this article. I would argue that meeting the new regulations is a major challenge even for companies compliant with existing data protection legislation. The Law Society warns that “if you appoint a DPO voluntarily, you must still comply with the full range of compliance obligations as if the appointment had been mandatory”.
And, yep. I would consider it best practice for a company to ensure adherence with the scope of GDPR even if they’re uncertain about which sections might apply directly to them – or be mandatory for them.
Nevertheless, it’s probably wisest for someone to bring in an external consultant or firm to evaluate the business from top to bottom. Given the size of those fines, a good consultant may well pay for themselves multiple times over.
As a SaaS company, we’re getting DPAs (Data Processing Agreements) sent from clients that they want us to sign, or they’re asking for our DPA that they sign. I can’t believe anything has to be signed specifically here, between SaaS and client or users, right? Isn’t it enough to update our TOC that links to our DPA (that describes how we handle data according to GDPR) and do a broad marketing email to our users telling them we’ve updated the TOC? Does anyone have to sign, check, or do any manual action to “agree”?
Really helpful article.
Thanks for the article. Keep blogging.
Do we need to make sure our website has an SSL certificate in order to be GDPR compliant?