On 25 May 2018 the current Data Protection Directive will be replaced by the General Data Protection Regulation (GDPR). The new regulation sets higher requirements for all organisations that collect and use data from European citizens, which means that many organisations must, in less than a year, take action to meet the new legal requirements.
The current Data Protection Directive was adopted in 1995. A directive sets a target which all EU countries must achieve, and this has led to differences in national laws within the EU. The new law is a regulation: a binding act that must be applied in its entirety throughout the EU. This will make the processing of personal data uniform regardless of where in the EU the processing takes place. The common law will improve the conditions and security for EU citizens to continue to trade and be mobile within the EU.
The General Data Protection Regulation has the same basis as the current Data Protection Directive. Some areas have been strengthened and some new parts have been added. The regulation covers what personal data may be processed, how it shall be processed, and who may process it. This is expressed in seven principles:
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
All organisations that collect and use personal data from EU citizens are covered by the new regulation. For every register it shall be possible to state the purpose of the registration and which data are used. There shall also be processes to remove data that no longer serve a purpose. Some personal data are especially sensitive and shall be treated with extra care.
Additional requirements apply to organisations with more than 250 employees. The regulation requires, for example, more documentation of the existing registers and of the processes that keep the registers updated. These organisations shall also appoint a Data Protection Officer (DPO), who will be responsible for GDPR compliance within the organisation.
For those who haven't started the process towards GDPR compliance, there is less than a year until the new regulation applies. That can be plenty of time, but it may not be enough, depending on the amount of personal data and how well structured your registers are. From my experience, the process towards GDPR compliance can be divided into five steps.
- Create a project organisation
- Inventory of the use and collection of personal data
- Perform a gap analysis and set up an action plan
- Implementation of the action plan
- Information and education about the law
The first step is to appoint a group of resources that will take responsibility for leading the work towards compliance. This project group will be the organisation's expert group on GDPR and will help the organisation succeed. It is important to have resources from the company with good contacts in the different parts of the organisation. It can also be valuable to use external resources, for example legal expertise to interpret the law, or project management to lead the work.
The second step, and the first activity for the project group, is an inventory of the use and collection of personal data. This is a time-consuming task that involves large parts of the company. The project group prepares information and templates to be used by the people in the organisation who have detailed knowledge of the registers.
The inventory is an important step in finding which areas do not conform to the coming law. It is also difficult, since there are often areas in the organisation that are not associated with personal data and are easily left out, for example system backups, system logs, presentations, the intranet, and photos.
The large amount of data collected during the inventory is analysed in step three of the process. By performing a gap analysis, the project group finds the areas in which the organisation is not GDPR compliant. In this activity legal expertise will be invaluable for identifying the critical areas.
The analysis results in a list of areas that are not compliant with GDPR. From these areas an action plan is drawn up containing the changes that need to be implemented before 25 May 2018. The activities in the plan need to be prioritised based on severity, risk and time consumption.
At this point in the process you can see how much work lies ahead of you. You have the action plan with all the tasks that need to be solved, and solving them is a matter of time and resources. This can be the most time- and resource-consuming step. The changes can relate to both systems and the organisation and will most probably be assigned to many different resources in the organisation.
This step can run in parallel with the rest of the process and is about information and education on GDPR. It is important that the participants in the various parts of the process get basic information about GDPR. It is also important that all employees who will be in contact with personal data get basic instruction in how to process personal data.
In my experience it is, in practice, impossible to control all processing of personal data, and it is therefore important that all employees have good knowledge of the subject in order to reach full GDPR compliance without full control.
When you have come this far you have adapted your organisation to the new regulation and taken action to avoid the scary fines you have probably heard of. Even if it was a massive amount of work to get here, this has only been the initial project to become compliant. The detailed processes and routines for how personal data are processed need to be maintained and improved so that the organisation stays compliant for many years. Details about that will be a new chapter.