GDPR: it’s all about people
People’s personal data
The EU GDPR aims to harmonize data privacy laws across Europe and to give people control over their personal data. Yet, what is personal data? GDPR enlarges the definition to encompass any information that could identify – directly or indirectly – an individual in any format or medium: from names, phone numbers and addresses through to digital identifiers such as IP addresses, cookie IDs, digital fingerprints and user IDs.
In line with the GDPR, each organization must maintain a record of all its activities that process personal data. This covers not only the personal data of customers, but also that of employees and third parties such as suppliers.
The legislation applies to all companies established in the EU, but it will also affect companies outside the EU if they:
- offer goods or services to data subjects in the EU, or
- monitor the behavior of EU data subjects as far as their behavior takes place within the EU.
If organizations want to process personal data, there are six legal grounds to do so: legitimate interest, consent, legal obligation, public interest, vital interest and contractual obligations.
‘Data subjects’, or those whose personal data is being processed, have the right to be informed that a company processes their data, the right to access it, the right to rectification, the right to erasure (i.e. the ‘right to be forgotten’), the right to restrict processing, the right to data portability, the right to object and the right to not be subject to automated decision-making, including profiling.
Quite challenging! How, for example, will you respond to the ‘right to be forgotten’? You will need procedures to delete personal data, for instance when a customer no longer wants to receive any mailings. How will you guarantee you never send a mailing to this person again if you cannot keep the personal data of the people who asked to be forgotten?
The enforcement of individuals’ rights goes hand-in-hand with obligations for companies and organizations, including possible high fines. Companies and organizations must:
- define a data protection governance strategy covering clear roles and responsibilities, e.g. designation of a Data Protection Officer (DPO) if required by the GDPR, and people who follow up in case of a data breach;
- take action to comply with the legal GDPR requirements, e.g. data processing agreements and transparency;
- support GDPR processes with appropriate policies, tools and systems, specifically those responding to data subjects exercising any or all of their rights;
- guarantee privacy by design and privacy by default;
- execute Data Protection Impact Assessments (DPIA) where mandatory;
- sufficiently invest in awareness and train employees on a new mindset, on new behaviors and responsibilities.
GDPR compliance, however, cannot simply be handled by legal or IT, as the regulation concerns much more than just contracts, databases and IT security. Even if all your contracts are compliant with article 28 of the GDPR, you’ve installed all needed processes and supported them with the needed tools or system adaptations, you risk noncompliance if the employees who handle personal data don’t change behaviors. In other words, awareness and trained employees are crucial for compliance.
So, make sure to take change management actions, including:
- clear definition of roles and responsibilities, along with a transformation period to install the new way of working;
- comprehensive awareness communication tuned to different target audiences;
- training covering the GDPR and related new responsibilities;
- engaged, supportive leadership, showing best practice and supporting people in changing their habits.
To underline the importance of the GDPR and encourage organizations to protect personal data, the EU can impose fines in case of non-compliance. Of course, as the GDPR and its supporting structures are still in development, it seems fines will not be issued immediately. However, ensure that your organization has a plan in place by 25 May, and be able to demonstrate your progress. Of course, the basic GDPR priorities must be initiated before 25 May.
If you think chances are small of getting fines, are there still any risks? One slip could give all your customers and employees the idea that their personal data is not carefully treated. If your customers lose trust in you, they could stop doing business with you.
Let’s go one step further. Can you imagine a dissatisfied customer or employee who misuses the GDPR to make your life difficult? Could they damage your company? It is far more difficult to restore a damaged image than to (re)build one.
Will you take these risks?
People’s … responsibility
Anyone in the organization handling personal data has a huge responsibility. But don’t underestimate the role of the C-level and overall management. If your company’s leaders fail to take the necessary initiatives or set bad examples, how can you expect the rest of your organization to act responsibly?
So, what will be your GDPR strategy?