As a manager, you are responsible for ensuring that the company complies with rules and regulations. And now, the EU’s new data protection directive, which comes into effect in May 2018, must be taken into account. The “To do” list involves legal practitioners, technologists and specialists in (digital) communication and strategy, although much of the assessment can be carried out in house. Good strategic GDPR projects provide the basis for faster implementation time and less duplication of tasks.
What has to be assessed? What has to be done?
Management challenges resulting from GDPR
By Christer Dalsbøe, Stine Strandvik, Henning Dahl and Stein Opsahl – strategic consultants at Knowit Experience
Background
GDPR (General Data Protection Regulation) is a new set of EU requirements regarding the handling and use of sensitive personal data and other personal information. The EU’s new legislation replaces outdated legislation that had originally been conceived for the storage of personal data on paper. The aim is to strengthen citizens’ data protection rights in a digital world. A new development is that a parent company will be financially liable for any penal sanctions resulting from a breach on the part of subsidiary companies in the same group. Thus, all businesses must be compliant with GDPR when the EU directive comes into effect on 25 May 2018.
The new EU directive is a tightening and strengthening of the prevailing regulations and, for the first time, European businesses and citizens will have to comply with one supranational regulation. Sanctions in the form of fines will be placed on an entirely new level, potentially as much as 2% to 4% of a company’s global top line. We must expect enforcement to be intensified by the supervisory authorities in both Norway and the EU.
Knowit has a number of ongoing GDPR assignments in the Nordic countries, based on a holistic approach in which we see technology, communication, users and legislation in context. We are anticipating a huge demand for our GDPR expertise in strategy, communications and development projects leading up to 25 May 2018.
Different businesses, different needs
For businesses based on a subscription model and long-term customer relationships in the consumer market, GDPR simply means more of the same: honest customer dialogue. The new regulations pave the way for customers and consumers to be entitled to have information that they have made available to the company’s databases deleted, if they wish. A consumer will also have the right to be provided with all data your company has stored about him/her, such as CRM data, as well as which type of profiling you have carried out. In a cancellation situation, a consumer will be able to demand that this information can be transferred to one of your competitors.
The best response to this type of challenge is to streamline an open and honest digital customer dialogue. GDPR provides customers/citizens with more power, and you will probably have to make changes on the system side: to make data available for change, deletion and porting to your competitors, if the customer so desires.
GDPR is about digital customer dialogue
GDPR actually constitutes a huge marketing opportunity, and experienced managers who understand the customer should not be too concerned. In practice, this is about an open, honest and simple dialogue.
In the final analysis, GDPR means that you must think even more in terms of what is known as “privacy by design”. It means looking at data protection as a key principle when you develop solutions that store customer data. This has now become mandatory and very relevant because the technologies being used provide so many opportunities to come into conflict with GDPR. The customer’s right to be notified underscores the need for transparency with regard to how you look after and use personal data.
Consent challenges and practical consequences
Consent must be procured when storing all personal data that you otherwise have no legal grounds to store. The type of data being stored must be declared and specific consent must be procured for every purpose for which the data is being used. This means that if you have procured consent to store data to be used to promote an electricity supply agreement, you cannot send an email advertising a mobile phone subscription.
For many businesses, this means that consent must be procured again. These and other requirements mean that new systems must be established by May 2018. The new sanction system gives the authorities the right to impose a penalty for violations in the case of gross breach of the directive. As any fines will be issued at group level, negligence and carelessness in a subsidiary company with few customers could have major consequences for the group.
So, how should you communicate with the customer?
The right to be informed means that users are given full disclosure regarding how their personal data is being handled. The important factor in this respect is to use ordinary language – tell the customer what data you are storing, why you are handling their data, how long it will be stored and who is receiving it.
This is one of the key points in GDPR and is something which necessitates that information is “concise, honest, comprehensible and easily accessible”. Pre-ticked check boxes are not permitted, and, perhaps more importantly, customers have always disliked this practice. GDPR is a greater challenge for businesses that ignore their customers’ needs than it is for companies for which the best possible customer experience is a fundamental principle.
Use GDPR as an opportunity
The purpose of GDPR is also to counter threats such as cyber attacks and identity theft, the consequence being that companies’ normal communication channel is threatened. There are many good solutions that both safeguard a company’s need for an effective, digital customer dialogue and also satisfy the new security requirements. GDPR is simply an opportunity for businesses to demonstrate that they are taking the necessary measures to ensure data protection for consumers and their own data security.
Questions you need answering
- Which data has been collected to date, what is it actually needed for and where is the data stored?
- Do we have a digital log of how we procured consent, for first-time email communication, for example, or of the history of the consent? If not, we must apply for consent from the customer on each occasion.
- Do we collect just a minimum of information, or far too much information?
- Are we prepared for enquiries from users who wish to delete, edit or move their personal data? Do we have procedures for this in place?
- Do we know how we can safeguard backups so that we don’t reload information about a user who wanted his/her data deleted?
- Are national identity numbers, membership numbers, mobile phone numbers, vehicle registration numbers or other sensitive information used as a key between tables and systems?
- Do we know how we create pseudonymised, synthetic data that can be used as test data?
- Is adequate access control in place to ensure the confidentiality of information internally in your organisation?
- Is Privacy by Default in place in applications and system development?
- Have we assessed what a breach of data processing could mean to our users?
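Two of the questions above, whether a national identity number is used as the key between tables and whether we can produce pseudonymised test data, can be answered with the same technique. The script below is an added example written for this article, not code from Knowit or from any project; the customer and subscription rows are constructed sample data, and the secret is a placeholder. It derives a keyed surrogate key (HMAC-SHA256) from the national identity number so that tables still join, replaces names and email addresses with synthetic values, and jitters dates so they do not act as quasi-identifiers. The HMAC secret stays with the production side; the test environment receives only the output.

```python
"""Pseudonymise a customer extract for use as test data (added example)."""
import datetime
import hashlib
import hmac
import random

# Constructed sample rows (not real people). The national identity number is
# currently the join key between the two tables, the pattern the checklist warns about.
CUSTOMERS = [
    {"national_id": "01019012345", "name": "Kari Nordmann", "email": "kari@example.org"},
    {"national_id": "15058554321", "name": "Ola Nordmann", "email": "ola@example.org"},
]
SUBSCRIPTIONS = [
    {"national_id": "01019012345", "product": "electricity", "since": "2016-03-01"},
    {"national_id": "15058554321", "product": "mobile", "since": "2017-09-12"},
    {"national_id": "01019012345", "product": "mobile", "since": "2018-01-20"},
]


def surrogate_key(national_id: str, secret: bytes) -> str:
    """Stable, non-reversible surrogate for a direct identifier.

    The same national ID always yields the same token under the same secret,
    so joins keep working; without the secret the token cannot be linked back.
    """
    return hmac.new(secret, national_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(customers, subscriptions, secret: bytes, rng=None):
    """Return pseudonymised copies of both tables, joined on the surrogate key."""
    rng = rng or random.Random(0)  # fixed seed gives reproducible test fixtures
    out_customers, out_subscriptions = [], []
    for i, row in enumerate(customers, 1):
        out_customers.append({
            "customer_key": surrogate_key(row["national_id"], secret),
            "name": f"Test Person {i}",           # synthetic replacement
            "email": f"test{i}@example.invalid",  # reserved, undeliverable domain
        })
    for row in subscriptions:
        start = datetime.date.fromisoformat(row["since"])
        out_subscriptions.append({
            "customer_key": surrogate_key(row["national_id"], secret),
            "product": row["product"],
            # shift the date by up to +/-30 days so it is no longer a quasi-identifier
            "since": (start + datetime.timedelta(days=rng.randint(-30, 30))).isoformat(),
        })
    return out_customers, out_subscriptions


def leaks_direct_identifier(rows, original_customers) -> bool:
    """True if any original national ID, name or email survives in the output."""
    blob = str(rows)
    return any(
        row[field] in blob
        for row in original_customers
        for field in ("national_id", "name", "email")
    )


if __name__ == "__main__":
    # Placeholder secret; in real use it is generated once, kept on the
    # production side and never shipped with the test data.
    secret = b"placeholder-secret-change-me"
    customers, subscriptions = pseudonymise(CUSTOMERS, SUBSCRIPTIONS, secret)
    for row in customers + subscriptions:
        print(row)
    print("leaks direct identifier:", leaks_direct_identifier(customers + subscriptions, CUSTOMERS))
```

Because the key is derived with a secret rather than a plain hash, an attacker who obtains the test database cannot simply hash every valid national identity number and look up the matches. The check in `leaks_direct_identifier` is the kind of automated gate a build pipeline can run before a fixture is accepted.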
Who should do what?
As previously mentioned, the “To do” list involves legal practitioners, technologists and specialists in (digital) communication.
- You must assess where and how you store personal data, whether the data security is satisfactory and what you are using the data for.
- Review the agreements you have with data-related suppliers (CMS, hosting, office support, consultants, etc.)
- Review practice in relation to performance marketing (Google AdWords, Analytics, Facebook, etc.), customer communication and other digital marketing.
- Review practice with regard to data protection policy, consent, deletion, portability, etc.
- Revise and strengthen internal control routines (compliance), including warning routines in the case of enquiries and regulatory breaches.
- Define clear areas of responsibility and roles within the field of data protection (comprehensive) and clarify whether you need a dedicated Data Protection Officer.
10 reasons why GDPR is important
1. Supranationality within the EU and EEA.
2. The law affects a wide range of data.
3. The law also applies outside the EU/EEA.
4. The law applies to data processors at every stage, including employees in the USA or outsourcing to India, for example.
5. Accountability is prioritised throughout: buyers, programmers, etc.
6. The rights of the individual have been strengthened and many companies will have to rectify multiple irregularities in their CRM systems.
7. Any breach of processing obligations must be reported within 72 hours, at the latest.
   a. “Sensitive information” refers to race, religion, health and sexual orientation. (For example, if Peder’s next of kin is called Jens.)
8. For many companies, a Data Protection Officer will be designated at group level.
   a. Separate Data Protection Officers can also be designated in subsidiary companies.
9. In many instances, data export will be difficult.
   a. It must be encrypted (https, vpn, etc.).
   b. Stored personal data must also be encrypted. For example, an outsourced resource in India that can access files in Norway.
10. The law provides the opportunity to impose huge fines in the event of serious breaches. The Data Protection Authority can issue fines equal to up to 4% of the group’s global top line.
   a. Datatilsynet (the Norwegian Data Protection Authority) will become the EU’s DPA.
   b. In practice, a Swedish authority can decide whether we are doing something wrong in Norway, and vice versa.
Data, applications and processes must be assessed
Data
1. What are the company’s data categories?
2. Can databases and files be merged and reduced?
3. Is data flow monitored, documented and described?
4. Is an active approval in place from a currently registered user?
5. Does the registered user have the option of editing his/her personal information?
6. Is the data encrypted in situ (at rest) and in transit?
   a. For example, payslips must be sent as “an envelope within an envelope”. In other words, the payslip must be an encrypted attachment with a password that is only known to the recipient. Then the personal data is encrypted in situ and in transit and will only be available to a recipient who knows the encryption key.
Applications
1. Which applications currently process affected information at the company?
2. Is data flow for the application monitored, documented and described?
3. Is an active approval in place from a currently registered user in a current individual application?
4. Does a registered user have the option to edit his/her personal information in an application?
5. Is Security by Design incorporated in the application? (Confidentiality, Integrity and Availability)
6. Are threats and risks assessed during application development?
7. Has Privacy by Design been incorporated in the application?
8. How do you handle children’s acceptance?
9. Has the basis for the collection of specific information been properly described?
10. Is it easy for a user to request to see which information has been collected?
11. Is it easy for a user to ask to edit personal information?
12. Is it easy for a user to ask that personal information is deleted (without being in breach of other statutory requirements)?
13. Is the minimisation of data collection, transparency, active acceptance, proactive securing of collected data in the form of encryption, etc. being addressed in the application?
Processes and documentation of implementation of management and control activities
1. Have agreements with data processors and their subcontractors been assessed and documented?
2. Can data processors submit documentation of control activities?
3. Is a risk assessment being undertaken of the criticality of the application/data?
4. Is a procedure for incident reporting in place?
5. Is a process for enabling the procurement of a user’s information upon request in place?
Terminology
- Data Subject
  - The person whose data is being collected and who can be identified, directly or indirectly, from the data.
- Data Controller
  - Organisation that defines the reason for data collection
  - Party responsible for determining how the data shall be collected and processed
  - Party with immediate responsibility for data storage
- Data Processor
  - A person or unit who acts on behalf of the Data Controller in order to store or process the information
  - For example:
    - consultancy companies
    - outsourcing company
    - offsite storage supplier
    - cloud supplier
    - marketing organisation that runs ad hoc promotions
- Supervisory Authorities (Regulators)
  - Public bodies established by the authorities in EU countries that advise data controllers and data subjects about the law and the enforcement of regulations.
  - They can investigate breaches and impose fines on data controllers and data processors.
  - Sometimes referred to as Data Protection Authorities (DPA).
- Data Protection Officer (DPO)
  - A Data Protection Officer shall be designated for
    - Statutory authorities
    - Businesses at which Data Controllers and Data Processors regularly and systematically monitor data subjects on a large scale
    - Units at which a business handles sensitive personal data on a large scale
  - The formulation “over 250 employees” has been removed from the new regulations.
- Personal Data
  - Name, address, date of birth, national identity number, private email address, company email address and phone number.
  - Online identifiers from different devices and programs, including IP address, cookies (information capsules) or other identifiers such as RFID codes.
  - Data used on its own or together with other data to identify an individual/person.
- Sensitive personal data
  - Genetic or biometric data
  - Physical or mental health
  - Race or ethnic origin
  - Political views
  - Trade union membership
  - Religious or philosophical convictions
  - Sexual preferences
  - Data on criminal acts and sentencing is treated separately (Directive 2016/680) and may only be processed by national authorities.
Christer Dalsbøe and Stine Strandvik are strategic consultants at Knowit Experience in Oslo. Henning Dahl is a strategic consultant at Knowit’s office in Bergen and Stein Opsahl is director of strategic consultancy, Knowit Experience in the Nordic countries.
The authors would like to thank Jan Bjørnsen at Knowit Secure for his contribution to this article.