What can get you in trouble?
Non-compliance with the following may result in fines of up to 20M Euros or 4% of global revenue, whichever is higher.
A good way to look at this is as an opportunity to take control of your data in order to turn it into a competitive advantage. Remember that, along with giving citizens back control of their data, the objective of GDPR is also to unify the fragmented regulatory environment and to create a single digital market.
See also: What is GDPR?
Not seeking consent
Consent is the primary mechanism by which you inform data citizens that their private data is being collected.
See also: Who does GDPR apply to?
Not minimising private data
There are two aspects to data minimisation: a design aspect, where the private data collected is assessed to confirm that it does not exceed what is required for processing, and an implementation aspect, where periodic audits are made to determine the extent of Data Sprawl of the private data collected.
Data sprawl ensues when there are copies, mutations, aggregations or transformations to data. See how Kinant can help with Data Inventory.
See also: What is Private Data?
Not securing private data
Technologies like encryption and pseudonymisation should be used where appropriate. Periodic audits would reveal data from the primary database that has been copied, mutated, aggregated or transformed leading to Data Sprawl.
It is often hard to find out where private data lies and who has access to it, especially if you have private data in unstructured stores. Kinant can help you Discover and Secure Private Data.
Sending private data outside the EU
The regulation restricts the transfer of private data of citizens to countries outside the European Economic Area (EEA). A Data Protection Impact Assessment (DPIA) would reveal any requirement for private data to leave the EEA.
A challenge here is to monitor the accidental or malicious movement of such data. Kinant helps you Track Data Movement.
Not being able to produce or rectify an individual’s private data
A data citizen has the right to request a copy of, or corrections to, their private data. The important thing here is to make sure that the systems that store data are highly available.
Not being able to erase an individual’s private data
Commonly referred to as The Right to be Forgotten, this means that a citizen has the right to have all records of their private data erased.
Note: The challenge here is to discover all copies of private data that have been mutated, aggregated or transformed and ensure that they are deleted. See how Kinant can help with Private Data Discovery.
Storing private data longer than required
Unless required for public interest, a citizen's private data should not be stored longer than needed.
Not doing a Data Protection Impact Assessment
The DPIA is the most important document to demonstrate GDPR compliance. Check out the section on DPIA.
See also: DPIA
Not designating a Data Protection Officer
A DPO needs to be appointed if:
- Private data is collected or processed by a public institution.
- Private data is processed regularly or on a large scale or is interlinked with core operations.
- Data about ethnicity, political opinions, religious beliefs, trade union membership, genetic or biometric data, data relating to health, sexual orientation etc. are processed on a large scale.
It is possible for many organisations to share a DPO as long as the DPO has the ability and autonomy to discharge her duties and is easily accessible by each organisation.
See also: What is Private Data?
Not notifying a breach within 72 hours
A breach is the accidental or malicious loss, modification or disclosure of private data. On noticing a breach, the designated supervisory authorities need to be informed within 72 hours. The data citizen(s) whose data has been breached need to be informed as soon as possible.
Note that the supervisory authorities will take into consideration the amount of preparation put into securing data.
Note: Ideally the time lag between a breach and its detection should be short, for which a real-time breach detection solution is best. Kinant implements Realtime Data Monitoring and helps you notify regulatory authorities immediately.
See also: Supervisory Authority
Data Protection Impact Assessment (DPIA)
What is a DPIA?
A Data Protection Impact Assessment is a process to assess:
- What data needs to be processed.
- Whether the data collected is proportional to what is to be processed.
The DPIA is the responsibility of the Data Controller. A documented DPIA is the primary mechanism by which GDPR compliance is demonstrated. Failure to conduct a DPIA, or conducting one incorrectly, can result in fines of up to 10M euros or 2% of worldwide annual revenue, whichever is higher.
Is a DPIA mandatory?
The regulation states that conducting a DPIA is not mandatory if the processing of private data does not result in high risk. But determining whether there is high risk is not possible without an assessment. So it is advisable to conduct a DPIA even if you think that the risk is low.
When should a DPIA be conducted?
- Periodically, at least once in 3 years.
- When new technology is introduced.
- When type or quantity of data collected changes.
- When there is a change in data processing, such as when more systems are used to process or store data.
- When there is likelihood of transfer of data outside the European Union.
Note: This process can be cumbersome, and using some form of automation for the above is advantageous.
What is prior consultation?
If there is residual risk that cannot be addressed by the data controller after conducting a DPIA, then the controller should seek prior consultation from the supervisory authority, providing them with the DPIA report.
What should be the Content of the DPIA report?
- Purpose of processing.
- Description of processing operations.
- Assessment of necessity and proportionality of processing.
- Assessment of the risk to rights and freedoms of data subjects.
- Measures taken to address risks and demonstrate compliance with GDPR.
Should the DPIA report be published?
Under normal circumstances it is not mandatory to publish the DPIA, but publishing a summary of the DPIA is recommended to foster trust and demonstrate accountability and transparency.
International Data Transfers
Are some countries exempt from transfer restrictions?
Some countries deemed to approximate the GDPR in spirit are exempt from transfer restrictions. As of November 2016, the following countries are exempt:
- Canada (commercial organisations)
- Faeroe Islands
- Isle of Man
- New Zealand
Can multi-national companies be exempt from transfer restrictions?
If multinational companies have internal processes that comply with the GDPR guidelines, then they can talk to their supervisory authority for a Binding Corporate Rules (BCR) waiver.