What is good GDPR handling?
Does your business have a good handle on GDPR and on how you process personal data?
Virtually all businesses that come into contact with personal data are subject to local laws and regulations. In the EU and EEA that means GDPR. For this reason it’s important that you know the requirements for how you correctly process personal data.
Below you can read about the EU directive and how it applies to personal data – as well as get a few tips on best practice for processing personal data:
- What is the General Data Protection Regulation (GDPR)?
- What businesses are subject to GDPR?
- What is a Data Manager and a Data Processor?
- What is a DPO (Data Protection Officer)?
- How to comply with GDPR
- Storing personal data – when and for how long?
- Rights of private individuals
- Ongoing audits and the principle of accuracy
What is the General Data Protection Regulation (GDPR)?
GDPR, or General Data Protection Regulation, is a regulatory framework and directive in EU law on data protection and privacy in the European Union and the European Economic Area.
The regulation applies to all personal data, as well as the transfer of personal data outside the EU and EEA. It was implemented in 2018.
Its official name is:
“Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”
As an EU regulation and directive it is, strictly speaking, not an actual law. Instead it’s a legally binding agreement between all EU and EEA countries, which they are required to then interpret and implement in their local law.
That means that, while GDPR is binding and sets out to give specific directions regarding personal data, there can be variations and minor differences from country to country. It often acts as a basic framework that is then expanded upon by the individual country.
Oversight: Different countries in the EU and EEA have different supervisory or regulatory agencies. These ensure that GDPR is upheld and guide local governments, businesses and organizations in how to be GDPR-compliant.
Which businesses are subject to GDPR?
GDPR applies to virtually all processing of personal data, i.e. all information that can be connected with or used to identify a specific person.
Read more about personal data and the different categories.
As the regulation is geographically specific to the EU and EEA, it only applies:
- When the data manager or data processor is in the EU, regardless of whether the actual processing is conducted in or outside the EU.
- When the person whose personal data is processed is in the EU, regardless of the data manager’s or data processor’s location.
- When the processing of personal data pertains to a product or business in the EU, or involves surveilling behavior inside the EU.
In short: almost all businesses with an affiliation with the EU, whether through themselves or their clients/customers, are subject to GDPR.
What is a Data Manager and Data Processor?
And what’s the difference?
According to the GDPR, it’s important to fundamentally separate the two specific roles that both process personal data.
You can either be a data manager or a data processor.
There are different requirements for the two roles. That’s why it’s important to know which is which and who is who, before you start to process personal data.
Data Manager
The data manager defines the purpose and procedure for how personal information is processed. As data manager you are obligated to ensure that:
- You have a legal right to process specific personal data
- You are able to give registered persons access to their data, at their request
- You report breaches of personal data security to the relevant oversight, supervisory or regulatory agency.
Data Processor
As a data processor you solely process the personal data on behalf of the data manager. You do not have any influence on the purpose or procedure you operate under.
A data processor can, for example, be a software provider whose service is used to store data on its servers, or another kind of provider of automated processing of personal data, where you yourself have no direct access to the data.
Because the relation between data manager and data processor involves the exchange of personal data, it’s important that there is a data processing agreement in place that clearly defines the exact relation between the two. A template for this can be found on GDPR.eu.
What is a Data Protection Officer (DPO)?
There can also be a third role: DPO or Data Protection Officer. You might have come across this term before, but what does it mean? And should your business have a DPO?
The role of DPO is to advise on the requirements of GDPR and guide the data manager in how they can fulfill these requirements. It’s important to note that the DPO is not responsible for whether or not the business is compliant with GDPR or local law.
Governmental agencies are required to appoint a DPO, regardless of whether they are data managers or data processors. Private companies are only obligated to do so if all of the following three conditions apply:
- Processing of personal data is a core work activity
- Personal information is processed in vast quantities
- Processing consists of regular and systematic surveillance or contains sensitive personal data (‘special categories of personal data’)
When is processing of personal data a ‘core work activity’?
Most organizations perform some type of processing of personal data but GDPR differentiates between non-core work activities and core work activities.
Non-core work activities can generally be said to be activities that support core work activities. For example, most businesses come in contact with a certain amount of personal data in regards to employee data and personal data related to sales and different types of support. These are considered to be non-core work activities.
According to GDPR, the processing of personal data is a core work activity if what a business is looking to sell is inseparably connected to personal data. This could, for example, be:
- Insurance companies whose product is tailored on the basis of personal data
- Providers of market research
- Search engines
- Headhunting and recruitment businesses
These are all examples of business activities that are centered around processing personal data, and where the output depends on the information obtained and processed.
How to comply with GDPR
GDPR necessitates a risk-based approach similar to, for example, anti-money laundering initiatives.
A risk-based approach means that, whether the business is a data processor or a data manager, you are obligated to assess the types of data that are stored or processed by the business. You then need to make sure that organizational and technical security measures or safeguards are in place that correspond to the assessed risks.
Technical security measures
Examples include strong firewalls, regular updates and patching of software and systems, encryption and a robust IT infrastructure.
Organizational security measures
Examples include documented procedures, clear policies for personal data, access control, training in correct data processing, and the continued education of employees.
To comply with GDPR, businesses need to have:
- Risk assessments
- Policies and procedures
- Audits and documentation
How do you perform a risk assessment?
Risk assessments will typically evaluate, or assess:
- What types of data are stored by the business (there are, for example, differences in sensitivity between storing e-mail addresses and copies of passports)
- The consequences of data leaks (for example phishing, hacking or accidental internal leaks of material containing personal data)
- The security measures in place to minimize the above risks
On the basis of these factors you can assess whether the risk is acceptable, or if you need to implement new safeguards to minimize the risk of data being stolen or leaked.
You are also required to document the considerations behind your procedures.
Policies
Most businesses have set procedures and policies in place that streamline and systematize work activities. In the same way, it’s a good idea to define policies and procedures for the processing of personal data.
Typically you’ll divide personal data policies into whether they pertain to personal data about employees or clients/customers. A personal data policy for clients could, for example, contain the following:
- A clarification of whether you’re acting as data manager or data processor.
- Where the personal data is stored – on internal or external servers or storage units? If it is stored outside the EU/EEA, what have you done to ensure a sufficient level of security?
- Whether you have a DPO, and if so, what the DPO’s assignment is and how you’ve secured the DPO’s position in the organization.
- What the stated purpose is for storing data, specifically your legal rights and the legitimacy of the purpose.
- What your policy for deleting or erasing personal data is, and for how long you store data after the termination of a client/customer relationship.
- Optionally, which technical and organizational security measures you’ve implemented to protect against data leaks, and how you’re planning to react in the case of a leak.
Business procedures
The business procedures should be set out in an internally accessible document written to support the workflow and procedures you have agreed upon. A business procedure is often a relatively detailed description of how you handle personal data, with specific procedures for how your business – in its day-to-day activities – ensures that unnecessary data is deleted, and for how you share data with others, whether colleagues or external data processors.
Audits and documentation
At the same time, you need to be able to document that your processing of personal data is in accordance with GDPR and local law. For example, you need to document how you delete personal data after the end of a business relationship.
A business can have multiple procedures regarding how and how often they delete data. But according to GDPR it’s essential that it’s written down or somehow documented, so that the proper regulatory agencies can audit your actions and thus ensure that you’re complying with GDPR.
The documentation requirement can be supported by IT solutions that can even automate some of the necessary processes.
Storing personal data – when and for how long?
Businesses can store personal data as long as they:
- Have a legal right to it.
- Have a legitimate purpose for storing the data.
The legal right regarding storage of personal data is defined as:
- The business has obtained consent from the person whose personal data is being stored.
- It’s written in the law that the data must be stored.
- It’s necessary in order to uphold an agreement or contract.
- The business has a legitimate interest in storing the personal data, and this interest outweighs the person’s own interest in having the data deleted.
Normally, the business or governmental agency has a sufficient legal right if just one of the above criteria has been met.
A legitimate purpose is largely a matter of common sense.
Ask yourself: What is the purpose of storing the given personal data?
If you don’t have a legitimate purpose then the data needs to be deleted.
Example
Six months ago the company had a job posting looking for a legal aide. They had many applicants but have since closed the entire department and do not plan to hire legal aides ever again.
Does the business still have a legitimate purpose for saving résumés and applications? Here, the answer is no.
As long as a business has the legal right and a legitimate purpose, then the business can continue to store data. As soon as this is no longer the case, the data should be deleted.
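The two tests above (a legal right and a legitimate purpose, both of which must hold) and the documentation requirement from the audit section can be turned into a scheduled retention job. The following Python example is added here to illustrate that; it is not part of the original page and not Meo's software. The categories, retention periods, record fields and sample records are all constructed for the example, and the evaluation rules are a hypothetical policy, not legal advice.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical retention periods in days after the relationship or process ends.
# Constructed policy values for this example; a real policy comes from your
# own legal assessment and local law.
RETENTION_DAYS = {
    "job_application": 180,        # applications kept briefly after a position closes
    "customer_contract": 5 * 365,  # e.g. a statutory bookkeeping period after contract end
    "newsletter_subscriber": 0,    # consent-based: nothing to keep once consent is gone
}

# Fixed reference date so the example and its checks are reproducible.
REFERENCE_DATE = date(2024, 1, 1)


@dataclass
class PersonalDataRecord:
    record_id: str
    category: str
    legal_right: str                            # "consent" | "law" | "contract" | "legitimate_interest"
    purpose_active: bool                        # does a legitimate purpose still exist?
    relationship_ended: Optional[date] = None   # when the contract/process ended, if it has
    consent_withdrawn: bool = False


def evaluate(rec: PersonalDataRecord, today: date):
    """Decide 'retain', 'delete' or 'review' for one record, with a written reason."""
    days = RETENTION_DAYS.get(rec.category)
    if days is None:
        # No written rule for this category: never delete silently, flag for a human.
        return "review", "no retention rule defined for category"
    if rec.legal_right == "consent" and rec.consent_withdrawn:
        return "delete", "consent withdrawn: no legal right to store"
    if rec.legal_right == "law":
        # A statutory storage duty is itself the purpose until the period lapses.
        if rec.relationship_ended and today > rec.relationship_ended + timedelta(days=days):
            return "delete", "statutory retention period expired"
        return "retain", "storage required by law"
    if not rec.purpose_active:
        return "delete", "no legitimate purpose remains"
    if rec.relationship_ended and today > rec.relationship_ended + timedelta(days=days):
        return "delete", "retention period after end of relationship expired"
    return "retain", "legal right and legitimate purpose present"


def run_retention(records, today: date):
    """Apply the policy to all records; return the records kept and an audit log.

    The audit log records only the record id, category, decision and reason,
    so the documentation itself does not become a second copy of personal data."""
    kept, audit = [], []
    for rec in records:
        decision, reason = evaluate(rec, today)
        audit.append({
            "date": today.isoformat(),
            "record_id": rec.record_id,
            "category": rec.category,
            "decision": decision,
            "reason": reason,
        })
        if decision != "delete":
            kept.append(rec)
    return kept, audit


def sample_records(today: date):
    """Constructed sample records, including the page's closed-department example."""
    d = lambda n: today - timedelta(days=n)
    return [
        # Applications for a department closed six months ago: purpose is gone.
        PersonalDataRecord("app-001", "job_application", "legitimate_interest",
                           purpose_active=False, relationship_ended=d(180)),
        # Recent application for an open position: keep.
        PersonalDataRecord("app-002", "job_application", "consent",
                           purpose_active=True, relationship_ended=d(30)),
        # Subscriber who withdrew consent: no legal right left.
        PersonalDataRecord("nl-001", "newsletter_subscriber", "consent",
                           purpose_active=True, consent_withdrawn=True),
        # Contract ended six years ago under a five-year statutory duty: expired.
        PersonalDataRecord("cust-001", "customer_contract", "law",
                           purpose_active=False, relationship_ended=d(6 * 365)),
        # Contract ended last year under the same duty: still required by law.
        PersonalDataRecord("cust-002", "customer_contract", "law",
                           purpose_active=False, relationship_ended=d(365)),
        # Category nobody wrote a rule for: flagged, not deleted.
        PersonalDataRecord("misc-001", "marketing_notes", "legitimate_interest",
                           purpose_active=True),
    ]


if __name__ == "__main__":
    kept, audit = run_retention(sample_records(REFERENCE_DATE), REFERENCE_DATE)
    for entry in audit:
        print(entry)
    print("kept:", [r.record_id for r in kept])
```

The job is deliberately conservative: a record with no written retention rule is flagged for review rather than deleted, because the page's point is that the rule must exist and be documented before anyone acts on it. The audit log is what you would hand to a supervisory agency to show how and when data was deleted.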
Rights of private individuals
With the implementation of GDPR, private individuals gained the right to access the data that businesses store about them. This is often called the right of access or data subject rights:
- In principle, you have the right to access all personal data about yourself that the data manager is responsible for.
- A data processor cannot grant access, because they are not responsible for the registered data.
The data and information you can request includes:
- How your personal data is processed
- What purpose there is for the processing
- Who the information is shared with
- For how long the data is stored
- Where the personal data originates from
This is to ensure that the data is verifiable, accurate and that the processing is performed on the basis of sound legal authority.
Ongoing audit and the principle of accuracy
As a business you are obligated to make sure that the stored personal data is accurate and that wrong or false information is deleted.
This is also called the principle of accuracy.
The principle does not only revolve around the duty of deleting or correcting information that you’ve been informed is wrong. You also have an obligation to actively seek out and verify the accuracy of your data.
This could, for example, be done by continuously cross-checking the data you obtain against registries and databases of publicly available information, or by periodically asking the individual the information concerns to verify it.
How thoroughly you need to verify the information’s accuracy and authenticity, and how often you need to repeat the process, depends on the data you are processing. The more sensitive the information – and therefore the greater its importance to the person it concerns – the more procedures and safeguards you need to implement to protect against inaccurate data.
Cases at Meo
Meo has also collaborated with a lot of different companies that have benefited greatly from the Danish software platform, Meo. Among them is the law firm Bech-Bruun, which recently commented on whether the platform has provided clarity on the secure handling of information and data from new clients in accordance with the GDPR law.
This focus is something that is reflected in the opinions of our various partners and customers, who all believe that our software platform has created security for them in connection with the exchange of data and information with clients or partners.
We at Meo therefore help to create clarity over administrative tasks as well as the security of your business and the exchange of data.
Meo – Processing personal data easily and securely
If you’ve read along from the top and feel overwhelmed by the challenges of working with GDPR and personal data, you’re not alone.
Luckily, there are a number of good solutions for the business challenges of processing data.
Meo is a software platform that since 2015 has made it possible for businesses and individuals to exchange information in a transparent and secure way.
For businesses there are a number of benefits from using Meo:
Onboarding
Onboard your clients digitally on secure channels.
Validation
Setup your own requirements for validation of information.
Documentation
A full audit trail and overview of the performed actions and consent for processing.
Processing
With Meo you comply with all legal requirements, both GDPR and AML.