GDPR Obligations for Companies

The GDPR deadline has come and gone. There don’t seem to be any catastrophes. The buzz has disappeared. So can we now forget about it?

The answer is no. The GDPR, and how it affects the way you ‘do’ business, is now the new normal. Being GDPR compliant is not only what the Information Commissioner’s Office (ICO) expects, but what customers, website users and employees expect.

You mustn’t think that just because the hype has gone, you can relax your GDPR processes.


What does the GDPR mean for your business?

You no doubt did a great deal of reading in the run up to May 25th 2018. We won’t cover the same ground, but let’s just recap a little.

The GDPR is about protecting the storage and usage of personal data. There are also ‘special’ categories of personal data, such as sexuality or race. The premise is that the individual should be in control of any data concerning them, including being removed from your records entirely.

Infringements can lead to fines from the authorities. They can also lead to the individual seeking compensation. You’re also responsible for reporting yourself if there has been a security breach, within 72 hours.

The upshot is that GDPR compliance is dependent on your success with procedures and systems.


Your obligations under the GDPR

There are six fundamental obligations you have as a business. Your procedures and systems need to meet these.

  1. Rights of individuals

Whenever you consider data now, you need to consider the individual. Put their rights at the front of everything you do and you’ll get things spot on. Individuals have specific rights under the GDPR:

  • Right to be informed.
  • Right to access their data.
  • Right to having any errors rectified.
  • Right to have their data erased.
  • Right to limit and restrict how their data is processed.
  • Right to data portability.
  • Right to object to how their data is stored or used.
  • Specific rights in relation to how their data is used for automated decision-making.
  1. Right to be informed

You have a responsibility to ensure that all clients, customers and website visitors are fully informed about how you use their data. You should ideally seek their consent (although contrary to popular belief this isn’t the only way you can legally use data). A privacy policy enables this.

  1. The right to be forgotten

An individual has the right to have their data deleted where there isn’t a strong reason for the data to remain. There are instances where you may, lawfully, refuse this request.

  1. You likely need a Data Protection Officer (DPO)

If you carry out large-scale processing, or use special categories of data (such as criminal offences), then you will need to appoint a DPO. The DPO is your business go-to regarding everything covered by the GDPR. Even if you aren’t required to, it can be useful to appoint a DPO.

  1. The responsibilities of Data Processors

Your business, if it uses personal data in any way, is a Data Processor. As such, you must have in place steps to ensure the security of any personal data which you store or use. Data Processors are legally responsible for sticking to the GDPR.

  1. Carrying out a DPIA

Data Protection Impact Assessment (DPIA) is a process for checking you comply with the GDPR. The aim is to identify areas where you aren’t complying, so that you can fix them quickly. It can be used on individual projects. It is part of your obligation as a Data Processor. You can use the ICO’s suggested DPIA template if you like, which is available here.


What do these obligations mean in practice?

The reality is that for all businesses, there will be some elements of GDPR compliance which are unique to you. As long as you apply the principles to all of your processes, then you should be in a good position to be compliant.

However, now that the GDPR has a few months under its belt, we’re discovering that some common questions are coming up repeatedly. Understanding your obligations in specific scenarios can help you understand the impact of the GDPR overall.

Let’s take a look at the common themes.


Securing mobile devices

Mobile devices (including laptops, tablets and mobile phones) have always been a potential headache for security of data. Under the GDPR you simply can’t afford to make a mistake. According to a Gartner report on GDPR requirements and mobility:

“loss of a managed mobile device containing personal data constitutes a breach with fines up to €20 million, or 4% of total yearly worldwide turnover (whichever is higher).”

This is understandably frightening reading. So what should you be doing to prevent this?

You should be using enterprise mobility management (EMM) tools which enforce encryption and password authentication. Gartner also recommends setting up dual different access to devices for personal and business use, as this is an area of weakness in data security, if devices cannot be kept for separate use. It also applies to when a worker uses their own device for work purposes (known as Bring Your Own Device – BYOD).

Collection of mobile data should also be restricted to what is essential only. Given the GDPR extends what classes as personally identifiable data, to include things such as IP address and email address, mobile devices need to be used carefully. A data inventory will help you see what data is on mobile devices and how it is used.

Importantly, GDPR focuses on ‘data protection by design’. This means looking at IT systems to embed security processes right from the start.

EMM tools: EMM tools allow mobile devices to be controlled and managed from one central point. This means that the business data can be stored separately to personal data on a device. It can also be removed by the central controller. It will also provide a clear view of any access attempts which aren’t authorised.


What happens if someone loses their company device?

If a worker loses their company mobile device or their BYOD, which has customer data on it, this is obviously a concern under data protection.

If you’ve taken the steps above, the breach is less concerning. Nonetheless, you will still have to report the loss to the ICO. This breach then goes on your ICO record. Reputational damage is an additional concern to the fine you may receive.

The reality is that your workers themselves are often the weakest link in your data security protocols. This is where an EMM, regularly and routinely policed, will pay dividends. An EMM also makes it possible to remotely wipe data from any device, should the device be lost or stolen.

Additionally, workers themselves need training on how to protect personal data which they are storing or using. Training will need to cover everyday things that could be security breaches such as working on their device in public, or downloading apps to the device.


What are the consequences of a breach or abuse of data?

There are two distinct levels of fines under the GDPR. Individual infringements are looked at on a case-by-case basis, depending on things such as whether the breach was intentional, preventable, and how many data subjects were affected. The ICO also looks at whether there have been previous infringements and how serious the consequences of the breach have been.

The smaller fine is up to €10 million or 2% of the company’s global annual turnover (whichever is highest). These fines apply for breaches and infringements under Article 83 (4) of the GDPR. This includes such things as failing to carry out a DPIA, or failure to notify of a breach to the ICO or the data subject.

The higher fine is up to €20million or 4% of the company’s global annual turnover (whichever is highest). These fines are levied on breaches listed under Article 83 (5) of the GDPR. This includes such breaches as failure to meet basic principles of processing data or transferring data to another country.

In the instance that several infringements or breaches have occurred, the total fine won’t exceed the fine for the most serious infringement.

The consequences of infringement aren’t limited to fines only. When an infringement has occurred, the ICO can also take enforcement action. This is when they investigate the business and highlight any areas which don’t meet the GDPR requirements. The business must then address these issues before a further review.

Furthermore, as mentioned previously, a data infringement or breach can lead to reputational damage. Just because this is harder to quantify doesn’t mean it should be ignored. Customers and clients take their data protection seriously and are likely to avoid a business which has been shown to breach their data protection obligations.


What should you do if there is a data breach, or risk of a breach?

Risks should be managed by your processes and procedures, in line with DPIAs.

If a breach actually occurs you will need to take the steps you have identified within your organisation to mitigate loss. This may include using the EMM to wipe the customer data from the mobile device.

You also have an obligation to report certain types of data breaches to the ICO. This must happen swiftly, within 72 hours, or sooner. You must also inform the individuals affected, again without delay. Furthermore, you need to take all possible steps to contain the breach. You absolutely must not try to hide the breach – the consequences will be dire.


Reassurance for businesses

In reality, the public are aware that sometimes data breaches cannot be foreseen. Sometimes they are a matter of ‘when’ not ‘if’. However, the real problems come when data breaches could have been prevented through better management, processes and procedures.