Over the past few years, we have been developing a number of privacy notices for clients in Europe and in the US. By now, US clients envy the EU its GDPR framework, especially when their own data is compromised over and over again.
Digital transformation and privacy are inextricably linked. The former encompasses much more than technology: it is a process and a mindset that affects business outcomes.
For example, in the minds of many businesses, implementing data privacy regulations – in particular the General Data Protection Regulation (GDPR) – is simply a tick-the-box exercise. In reality, GDPR compliance is a matter of building digital trust.
“While draconian GDPR fines for large players (British Airways, Facebook, ..) present just a fraction of their annual turnover, for smaller companies the reputational and, herein, financial damage often outweighs the actual fine.”
– Dr. Priya E. Abraham at the 2021 Leadership Speaker Series, speaking about Succeeding in the Market by Building Digital Trust, organised by the Discovery Center at the University of Wisconsin-Stout
But these same businesses have an opportunity to do so much more than simply meet GDPR compliance. It is an opportunity to become a leader in embracing a privacy culture and mindset. This can be achieved by adopting new practices that pave the way to greater innovation. At the same time, these innovative practices will support greater security and resilience.
The GDPR came into effect in 2018, but staying compliant, and doing so effectively, is an ongoing pursuit for large enterprises and SMEs alike. Here, we cover the basic principles of the GDPR. We also highlight why moving beyond tick-box compliance can benefit your business.
Any organisation required to implement GDPR is presented with a number of duties and obligations for achieving compliance.
GDPR Compliance Requires Some Key Processes
Here are selected key processes mandated by the GDPR:
- Ensure data protection by design and by default
- Provide for security of personal data
- Guard the rights of EU customers – understand lawfulness and consent
- Demonstrate accountability and compliance
What is Privacy by Design?
Privacy by design is the guiding principle of the GDPR. In essence, this means that data privacy for individuals should be the default and must be designed into all organisational and technology processes from the ground up.
Coaches and advisors – How to set up sign-up forms?
We often see coaches and advisors using a single consent for everything. Take the example of setting up a new website. One needs to ensure that the sign-up forms for newsletters and other offerings meet the necessary consent requirements, and that each sign-up is designed to serve a unique purpose. This means that the consent a user gives for a newsletter sign-up applies only to the newsletter, not to any other offering.
SaaS – Privacy at the MVP design stage
Another example can be found in SaaS, specifically in the design stage of MVPs. For SaaS founders, it is often blood, sweat, and tears to get their MVP to go-live. During that hectic period, all too often, the team forgets to build in the mandated principles of privacy by design. As early as user onboarding, the team must consider how users’ personal data will be processed for data analysis and when functionalities are extended in the future – think machine learning (ML) and artificial intelligence (AI) in later releases.
Companies need to commit to data protection even before developing their software solutions or other offerings.
Importantly, the GDPR did not invent new principles, but rather created a legal framework that mandates they are followed and executed. For solutions that require a lot of customer data, companies must find a smart approach to technology that is also efficient, affordable and customisable.
What is the relevance and importance of personal data security?
It is essential that organisations understand the concept of personal data. If you collect, store, or use any of the following: name, address, location, online identifier, health information, income, or cultural information, then you have to comply with the rules.
The GDPR also requires you to maintain records of the type of data you hold, where it came from and with whom you share it, all of which requires documentation. Beyond that, organisations must then ensure that this data is handled securely to prevent a data breach.
If a security breach takes place, you will have to report it to the regulatory authorities within 72 hours. In high-risk scenarios, this reporting must be followed by notifying the individuals whose data may have been compromised. All data must be protected by appropriate technical and procedural measures that ensure a level of security appropriate to the risk it carries.
How are EU customers impacted?
Arguably, with the GDPR, the biggest change to the data privacy regulatory landscape was the regulation’s extended jurisdiction: it applies to all companies processing the personal data of subjects residing in the EU, regardless of whether the company is located in the Union. The GDPR grants individuals the following rights:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object;
- the right not to be subject to automated decision-making, including profiling.
This means that your EU customers have the right to request access to and erasure of their information. In addition, you need to provide them with easier access to personal data, with clear and easily understandable information on processing. Making this information available gives your customers insight into how their information is used.
The conditions for consent have been strengthened. Under the GDPR the request for consent must be presented in an intelligible and easily accessible form, with the purpose of the data processing attached to that consent, using clear and plain language. It must be as easy to withdraw consent as it is to give it, and consent can be withdrawn at any time.
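As an added illustration of the per-purpose consent from the sign-up form example above and the withdrawal rule just stated (this is example code, not from the article or its authors), a small consent ledger in Python. The class and method names, the email address and the purpose strings are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    purpose: str                      # one purpose per record, e.g. "newsletter"
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Hypothetical consent store keyed by user and purpose (constructed for this example)."""

    def __init__(self) -> None:
        self._records: dict[str, list[ConsentRecord]] = {}

    def grant(self, user: str, purpose: str, when: Optional[datetime] = None) -> ConsentRecord:
        # Granting is purpose-specific: a newsletter opt-in says nothing about other offerings.
        rec = ConsentRecord(purpose, when or datetime.now(timezone.utc))
        self._records.setdefault(user, []).append(rec)
        return rec

    def withdraw(self, user: str, purpose: str, when: Optional[datetime] = None) -> bool:
        # Withdrawal is as easy as granting: one call, no extra conditions.
        # The record is kept, with a withdrawal timestamp, so the history stays auditable.
        changed = False
        for rec in self._records.get(user, []):
            if rec.purpose == purpose and rec.active():
                rec.withdrawn_at = when or datetime.now(timezone.utc)
                changed = True
        return changed

    def may_process(self, user: str, purpose: str) -> bool:
        # Deny by default: only an active record for exactly this purpose allows processing.
        return any(r.purpose == purpose and r.active()
                   for r in self._records.get(user, []))

    def history(self, user: str) -> list[ConsentRecord]:
        # Evidence for accountability: who consented to what, when, and when they withdrew.
        return list(self._records.get(user, []))
```

Checking `may_process` before every use of the data is what turns the "one purpose per sign-up" rule into enforced behaviour rather than a wording on the form.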
How do companies demonstrate accountability and compliance?
As entrepreneurs, you should expect regulators to potentially exercise their powers to access data and premises. You should also be able to demonstrate compliance with the GDPR principles relating to personal data. Mechanisms that help provide this proof include carrying out Data Protection Impact Assessments (DPIAs) and adhering to codes of conduct.
As explained earlier, the GDPR makes privacy by design and by default an express legal requirement. Privacy compliance extends deeper than mere privacy and cookie policies. For example, in certain circumstances companies are required to carry out and keep DPIAs (formerly known as Privacy Impact Assessments or PIAs).
A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:
- where a new technology is being deployed;
- where a profiling operation is likely to significantly affect individuals; or
- where there is processing on a large scale of the special categories of data.
For more information on the other “beneath the surface” documentation, check out our previous article.
Business Success – Why and how to move beyond tick-box compliance?
Against the background of growing privacy awareness, companies have the chance to leverage a holistic approach to creating a culture of privacy that goes far beyond tick-box compliance. This new culture puts the protection and proper handling of information – specifically personal data – at the heart of their business processes.
That means fostering environments where employees actively protect customer data and rights to privacy at every point in the value chain. Although the strengthening of data privacy and information security throughout your organisation will require more effort, the results will be seen in new business opportunities and reduced security risks.
When examining the GDPR from a broader perspective, its essence lies in understanding and improving business processes. This goes together with the ability to identify an organisation’s assets and its risk posture, which closely links it with other good business practices such as quality management, risk management or information security management.
What is the best way to establish this new type of business culture that is conducive to both cybersecurity and privacy? Stay tuned – we’ll dive into this question in our next article, or contact us.