Keep Records of Data Collection and Processing for GDPR Compliance
Under the General Data Protection Regulation (GDPR), the legislative act of the European Union (EU), any organization collecting personal information from residents of any EU country must respect the individual right to privacy by collecting and handling personal data in carefully prescribed ways.
Why should the whole world concern itself with EU legislation? Because it is predicted that most countries will eventually either adopt the GDPR or enact legislation similar to it. In fact, the California Consumer Privacy Act, slated to come into effect in 2020, has many similarities to the GDPR.
So, what does this all mean for those who collect personal data from residents of the EU, and why is it so important?
- 1. When the GDPR Applies
- 2. The GDPR and Subject Data
- 3. A Bit of Background
- 4. Let's define some terms
- 5. How should you be collecting information?
- 6. What should your business or organization be recording?
- 7. On a Happy Note
- 8. Key Concepts for Best Practices
  - 8.1. 1. Transparency, Transparency, Transparency!
  - 8.2. 2. The Subject Rules
  - 8.3. 3. Keep Your Friends Close and Your DPO Closer
  - 8.4. 4. Protect Subjects' Privacy as if You Were Protecting Your Own
- 9. A Brief Review
When the GDPR Applies
The GDPR applies to:
- Any business in the world that sells goods or services to EU countries
- Any organization in the world that, for any reason, observes and records the behavior of residents of EU countries or collects their personal data
Let's suppose, for example, that you start up an online social network from your basement in Mexico. Anyone in the world can join your network, so naturally citizens of EU countries will be getting on board. In order for people to join the network they're going to have to provide at least their names to you - and probably a whole lot more.
Bingo. You're now required to comply with the GDPR. While guarding the safety of your clients' personal information you'll need to maintain written and electronic records of how you collect and use that information - and how you protect its privacy. You'll also have to have a specific, legal need for every bit of information you request.
Now let's suppose that you're doing research on the voting habits of people in a certain Canadian county. Because you're going to be transferring this information to academic colleagues in EU countries and probably duplicating the study somewhere in the EU, it might be a good idea to be ready to comply with the GDPR even if you're not yet legally required to do so today.
The GDPR and Subject Data
There are a number of principles that businesses and organizations need to grasp in order to properly comply with the new law:
- Because of the GDPR, people in the EU now legally own their own personal information. Individuals are the sole arbiters of who receives their personal information and what the receiver is allowed to do with that information once it's collected.
- The individual, or "subject," as the law terms it, must be clearly informed of their rights in understandable language.
- There have to be sound reasons for requesting this information from the subject, and no information can be gathered unless it supports the legitimate goals of the undertaking.
- Subjects have the right to contact the enterprise (for this reason contact details must be made available) and demand that their personal information be removed from that enterprise's records (i.e. they have "the right to be forgotten").
- Subjects have the right to make formal complaints to authorities if they believe the organization didn't make reasonable efforts to protect their security.
A Bit of Background
The GDPR is made up of 99 legal articles that speak to the longstanding need to protect privacy and security in the digital age, wherein the power - and the motivation - to collect and profit from personal information just keeps on expanding.
The EU first began discussing privacy protection reform as early as 2010, and in 2012 the European Commission proposed legislation whose implementation appeared all the more urgent just one year later with the Edward Snowden case.
Snowden's activities drew public attention to the degree of freedom some businesses and political leaders are willing and able to grant themselves in the exercise of power over our personal information.
By the following year, Cambridge Analytica had managed to illegally acquire the personal information of over 50 million Facebook users with the intention of selling it to political campaigns.
It came as a shock that the world's largest social media platform was privy to large swaths of private information that it simply was not protecting. Clearly, such breaches posed a severe threat to the integrity of democratic elections.
The GDPR continued to undergo years of fine-tuning (it was by then the most heavily lobbied legislation in history) and after four years of debate, the EU Official Journal published it in May of 2016. In May of 2018, the GDPR became law.
Let's define some terms
The following are some key terms that must be understood if the law is to be applied correctly.
Subject/User: This is the individual from whom you wish to gather personal information. The privacy rights of this individual are what the GDPR seeks to protect.
Controller: This is the person responsible for gathering or using information about the subject for a business or organization.
Processor: This is the person who handles the subject's information - storing it, analyzing it, organizing it, etc. - on behalf of the controller.
Data Protection Officer (DPO): This is the expert you may need to hire to monitor compliance with the GDPR. It's necessary for every public authority, as well as any business or other organization conducting large scale monitoring of personal data, or monitoring data of a sensitive nature, to appoint a DPO.
Third Countries: Third countries are those countries not included among the 28 member countries of the EU. In the event of any data transfer to third countries the controller must ensure that the data is safe.
The GDPR applies to any information that can be used to identify an individual. Some of these bits of information might include (but certainly aren't limited to):
- Place of residence
- Credit card numbers
- Sexual orientation
- Religious beliefs
- Political affiliations
- Photos and videos of the subject
How should you be collecting information?
The GDPR lists six principles of data protection that govern how information should be collected and maintained:
- Information must be gathered legally and transparently
- It must be gathered for specific reasons
- No more can be gathered than what is necessary to the legal goals of the enterprise
- The information has to be accurate
- The information must be held for a limited time
- Information must be processed in a way that ensures security
What should your business or organization be recording?
From now on your information-gathering activities will be divided between:
- Collecting personal data
- Guarding that data's safety, and
- Showing yourself as accountable for the data's safety
Article 30 of the GDPR says that an organization must keep written (electronic counts as written here) records of the following items and be ready to provide these records to the authorities when asked:
- The contact details of all controllers, processors, and DPOs
- The methods and processes by which information is gathered
- The categories of information collected
- The categories of subjects from whom the data is gathered
- The categories of recipients of this information
- For what purpose this data is being collected
- How the information is being used
- The specific groups affected by this data-gathering
- All transfers of this information to third countries
- Whenever possible, an estimation of how long the data will be retained
- A description of the security measures undertaken to protect subjects' personal data
If controllers or processors don't obey the GDPR the organization can be fined up to four percent of its previous year's revenue, or two million euros - whichever sum is greater.
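As an added example (not from the article, and not a tool any regulator publishes), here is a small linter for a register of processing activities that checks one entry against the Article 30 items listed above; the field names, the finding texts and the sample entry are my own assumptions.

```python
# Added example (not from the article): lint a register of processing activities
# against the Article 30 items listed above. Names and sample are my assumptions.
from dataclasses import dataclass, field

# Categories this page names as sensitive; illustrative, not the legal list.
SENSITIVE = {"sexual orientation", "religious beliefs", "political affiliations"}

@dataclass
class ProcessingRecord:
    activity: str
    controller_contact: str = ""
    dpo_contact: str = ""
    purpose: str = ""
    data_categories: list = field(default_factory=list)
    subject_categories: list = field(default_factory=list)
    recipient_categories: list = field(default_factory=list)
    transfers: list = field(default_factory=list)   # (country, safeguard) pairs
    retention_days: "int | None" = None             # None = not yet estimated
    security_measures: list = field(default_factory=list)

def audit(rec: ProcessingRecord) -> list:
    """Return findings for one record; an empty list means it is complete."""
    out = []
    if not rec.controller_contact:
        out.append("missing controller contact details")
    if not rec.purpose.strip():
        out.append("purpose of processing not stated")
    for name in ("data_categories", "subject_categories", "recipient_categories"):
        if not getattr(rec, name):
            out.append(name.replace("_", " ") + " not recorded")
    for country, safeguard in rec.transfers:  # third-country transfers need a safeguard
        if not safeguard:
            out.append(f"transfer to {country} has no documented safeguard")
    if rec.retention_days is None:  # storage limitation: estimate whenever possible
        out.append("retention period not estimated")
    if not rec.security_measures:
        out.append("no security measures described")
    if SENSITIVE & {c.lower() for c in rec.data_categories} and not rec.dpo_contact:
        out.append("sensitive categories processed but no DPO contact recorded")
    return out

# Constructed sample entry: a newsletter signup with three gaps for audit() to find.
SAMPLE = ProcessingRecord(
    activity="newsletter signup", controller_contact="privacy@example.com",
    purpose="send a monthly newsletter", data_categories=["email", "Religious beliefs"],
    subject_categories=["subscribers"], recipient_categories=["email service provider"],
    transfers=[("US", "")], security_measures=["TLS in transit", "encrypted at rest"])
```

Running `audit(SAMPLE)` reports the unsafeguarded transfer, the missing retention estimate and the missing DPO contact; a fully filled-in record returns an empty list.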
On a Happy Note
Yes, the prospect of implementing this legislation can appear daunting in terms of the extra time and money required, but the picture's not as dire as it first appears.
- Techies around the world have been tripping over each other to provide artificial intelligence solutions to help companies and organizations cope with the sudden spike in red tape. However you feel about information technology, there's no doubt that this is the kind of job that artificial intelligence can conceivably make short work of.
- The law is flexible, taking into account the needs and limitations of organizations and striving to avoid becoming a hardship.
- There are a number of guidelines and templates available online that can help you organize your information and keep it up to date.
- The GDPR doesn't require you to record every last detail. Records of your information processing methods, for example, can be summarized to show compliance with the Regulation.
- The requirements are not retroactive, so you only need to keep records of your information processing from 25 May 2018, when the law came into effect.
Key Concepts for Best Practices
How can you guarantee that your organization not only upholds the GDPR but is also a shining example of how data protection ought to be carried out? The easiest way to plan procedures and organize the flow of information is to use spreadsheets.
In addition it will help you to write the following four concepts on sticky notes and put them up all over the office.
1. Transparency, Transparency, Transparency!
When it comes to gathering and processing personal information, everything you do and how you do it must be clear and out in the open. No more hiding behind reams of fine print written in legalese that ordinary people wouldn't understand even if they did bother to read it. No more secret schemes to profit from others' private information down the road. Everything out in the open. Period.
Conduct a privacy law self-audit so you know exactly what privacy practices your business engages in and what information you need to disclose to your users.
Note that you're not required to publicly reveal the intricacies of your security plan if doing so would pose a risk to your business or to your subjects' private data.
2. The Subject Rules
The subject - that is, the individual from whom you seek information - is legally in control of any information about themselves. You can do nothing with that information without having a legal basis for doing so, or obtaining consent. The subject also has a number of additional rights under the GDPR that you need to be aware of and accommodate.
3. Keep Your Friends Close and Your DPO Closer
If your organization belongs to the category of undertakings requiring a DPO, make sure your DPO has all the resources they need to do a superlative job of assessing security risks and monitoring your company's compliance with the GDPR. Encourage excellent working relationships between them and your other employees. Keep communication open and listen carefully to their warnings. Better to hear it from your DPO than to have to defend yourself in court.
4. Protect Subjects' Privacy as if You Were Protecting Your Own
This one comes from Amita Kent, Senior Vice President and Legal Global Data Privacy Officer for Almirall, S.A., in Barcelona. (Kent also happens to have been my roommate at King's College in Halifax, and a very dear friend. She was kind enough to answer my question about privacy while touring New York recently.)
"The most important element is to protect personal data in its collection, use, and storage, so companies should adopt policies that protect third party data privacy rights as if they were protecting their own personal data."
A Brief Review
To sum up what the GDPR means for you:
- The GDPR protects the privacy rights of all individuals living anywhere in the EU. If you already have customers, clients, or research subjects in those countries you'll need to comply with the law, regardless of where your business itself is located.
- Whether or not you see the GDPR pertaining to you and your enterprise, you should understand it and take steps to begin complying with it as you're almost certain to be required to obey this law (or one very much like it) in the near future.
- Recordkeeping helps businesses stay transparent about how they're handling personal data, which in turn helps protect data subjects.
- You should set up and oversee a system that accommodates regular updates, uses spreadsheets to maintain accurate records and can be presented to authorities at their request.