10 GDPR Implementation Steps for Complete Compliance
The General Data Protection Regulation (GDPR) has been in effect in the European Union (EU) since May 25, 2018. Many enterprises think they’ve done everything to eliminate any GDPR-related problems, and that they have the policies under control. Many companies in the U.S. assume the GDPR doesn’t have any influence on their business. Is that really the case? Here’s what you should know about the GDPR if you conduct business in Europe.
What Is the GDPR?
The GDPR is a law in the European Union. It establishes a single set of rules, directly enforceable in each EU member state, regulating the privacy and protection of the personal data of EU citizens regarding transactions that occur within EU member states. Despite the fact that the GDPR deals with the protection of EU citizens’ personal data, it applies not only to organizations located within the EU, but also to any organization regardless of location that might “offer goods or services to, or monitor the behavior of, EU data subjects”. So what exactly does this mean?
What types of personal data are protected under the GDPR?
The definition of “personally identifiable information” given by the GDPR is “any information relating to an identified or identifiable natural person.” The GDPR states that any information “specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person” is under protection. Here is a short list of personal data types the GDPR protects:
- Basic identity information (name, address and ID numbers)
- Web data (location, IP address, cookie data and RFID tags)
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Who is responsible for data protection?
The GDPR states that personal data controllers and processors must comply with its requirements. The definitions of the terms “controller” and “processor” are given in Article 4:
- “‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
- “‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
The GDPR requires companies to obtain consent to collect data and report breaches to those whose data is compromised, obliges data controllers to give users access to their data when requested, gives EU users the right to be forgotten (i.e. the right to request that their data be deleted from a controller’s system), and provides strict requirements for data security.
Non-compliance with the GDPR could cost companies dearly. Hefty fines are a good reason to implement GDPR compliance.
What Is the Fine for Non-compliance?
Companies should not try to avoid or ignore GDPR implementation. Non-compliance comes at a significant cost to data controllers and processors. Article 83 of the GDPR outlines a two-tiered structure for the administration of sanctions. This article stipulates provisions for assessing the severity of a breach and the appropriate punishment, i.e. fines and penalties.
The GDPR’s criteria for determining the fine on a non-compliant firm are:
- Nature of the infringement. Number of people affected, damages they suffered, duration of infringement, and purpose of processing
- Intention. Whether the infringement is intentional or negligent
- Mitigation. Actions taken to mitigate damage to data subjects
- Preventative measures. How much technical and organizational preparation the firm had previously implemented to prevent non-compliance
- History. (83.2e) Past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (83.2i) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
- Cooperation. How cooperative the firm has been with the supervisory authority to remedy the infringement
- Data type. What types of data the infringement impacts
- Notification. Whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party
- Certification. Whether the firm had qualified under approved certifications or adhered to approved codes of conduct
- Other. Other aggravating or mitigating factors may include the financial impact on the firm from the infringement
The amount of a fine depends on the severity of the GDPR provision violations. As the regulation says, “if a firm infringes on multiple provisions of the GDPR, it shall be fined according to the gravest infringement, as opposed to being separately penalized for each provision” (83.3).
There are two levels of fines depending on the gravity of the infringement. Lower level fines of up to €10 million, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:
- Controllers and processors under Articles 8, 11, 25-39, 42, 43
- Certification body under Articles 42, 43
- Monitoring body under Article 41(4)
Upper level fines can reach up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, and shall be issued for infringements of:
- The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9
- The data subjects’ rights under Articles 12-22
- The transfer of personal data to a recipient in a third country or an international organization under Articles 44-49
- Any obligations pursuant to Member State law adopted under Chapter IX
- Any non-compliance with an order by a supervisory authority (83.6)
However, there is a chance that an infringement will not lead to fines. There are other corrective powers and sanctions used by the ICO (Information Commissioner’s Office) to enforce the GDPR, including:
- Issuing warnings and reprimands
- Imposing a temporary or permanent ban on data processing
- Ordering the rectification, restriction or erasure of data
- Suspending data transfers to third countries
In any case, the provisions are not to be taken lightly. The first year the GDPR was in effect was considered by many as a mild enforcement period, but even then some companies were fined at the maximum rate.
Who Was Fined?
In 2018, there were three notable cases where businesses were found guilty of breaching the GDPR and faced fines.
In October 2018, a small local business in Austria was fined €4,800 by the Austrian Data Protection Authority because its CCTV camera captured too much public space. The Austrian DPA considered this a violation of the GDPR because, under the GDPR, putting public spaces under CCTV surveillance is not a legitimate interest of companies (or entrepreneurs). Moreover, the transparency obligation under the GDPR was violated, as the video surveillance was not sufficiently marked.
In November 2018, German social media/chat platform Knuddels.de was fined €20,000 for data storage practices. The fine followed a breach notification, which stated that the personal data of over 300,000 platform users was compromised. The provider disclosed that users’ passwords were stored without hashing. The DPA of the German state of Baden-Württemberg imposed the fine of €20,000 because the platform provider violated the obligation to implement adequate security measures (Article 32). The fine was modest since the platform provider notified the DPA of the breach in due time and cooperated with the DPA to establish the proper level of data security in accordance with the DPA’s recommendations.
In December 2018, a Portuguese hospital near Lisbon was fined €400,000 over bogus doctor accounts used to access patients’ data. The fine was imposed by the Portuguese Supervisory Authority (CNPD) because, according to its investigation, the hospital’s account management practices were deficient. The hospital’s staff, including psychologists, dietitians and other professionals (296 members of staff in total), accessed patient data through false profiles (985 registered doctor profiles). Additionally, any doctor had unrestricted access to all patient files, regardless of the doctor’s specialty. The hospital tried to argue that it was simply using the IT system provided to public hospitals by the Portuguese Health Ministry. However, the verdict was that the hospital was responsible for ensuring that adequate security measures were implemented.
The most recent and largest fine goes to Google. In January 2019, the American multinational technology company was fined $57 million by the French data regulator CNIL for violations of transparency and consent requirements in advertising personalization, including a pre-checked option to personalize ads. CNIL’s statement says:
“The infringements observed deprive the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations… The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR — transparency, information and consent.”
It is the first, but most likely not the last fine for a U.S.-based company. Now it seems clear that U.S. companies must be aware of GDPR requirements and comply with them if they do business related to the personal data of EU citizens.
U.S. Companies Can’t Escape the GDPR
U.S. companies may think they can circumvent the GDPR because they are not physically located in Europe. But the astounding case of Google’s fine shows that both EU and U.S. companies should keep in mind the risk of receiving fines for non-compliance, both from official regulators and individual legal practitioners seeking to file lawsuits.
The specific criteria for companies required to comply with the GDPR are:
- The company is present in an EU country.
- The company is not present in the EU, but it processes personal data of European residents.
- The company employs more than 250 employees.
- The company employs fewer than 250 employees but its data-processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
According to a PwC survey cited by CSO, 68 percent of U.S.-based companies expect to spend $1 million to $10 million to meet GDPR requirements. Another 9 percent expect to spend more than $10 million.
The enforcement of the GDPR is also supported by U.S. laws and procedures. For example, the Judicial Redress Act of 2015 extends certain rights of judicial redress established under the Privacy Act of 1974, 5 U.S.C. § 552a, to citizens of certain foreign countries or regional economic organizations. In December 2016, the EU initiated the approval of an executive agreement between the U.S. and the EU (the “Parties”) relating to privacy protections for personal information transferred between the U.S., the EU, and the EU Member States for the prevention, detection, investigation, or prosecution of criminal offenses. The Agreement, commonly known as the Data Protection and Privacy Agreement (the “DPPA”) or the “Umbrella Agreement,” establishes a set of protections that the Parties are to apply to personal information exchanged for the purpose of preventing, detecting, investigating, or prosecuting criminal offenses.
The Privacy Shield Program was established by the U.S. Department of Commerce, and the European Commission and Swiss Administration, “to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce”.
Evidently, GDPR compliance is a must for U.S.-based companies that want to run a business related to personal data collection and management.
GDPR Implementation Guide
Even if you are not a GDPR compliance specialist, you can develop efficient data protection and privacy strategies based on compliance requirements. Here are some checkpoints to follow:
- Have formal tracks for compliance. Your company must have a GDPR implementation plan and all persons involved must know the key concepts and articles regarding the GDPR.
- Consent management. The GDPR requires clear and unambiguous user consent for personal data management. Make sure all your users are aware of their rights (e.g., the right to access and the right to be forgotten) and give clear and unambiguous consent for data collection and processing. They must know they are the owners of their personal data.
- Ensure data processing control. Provide a clear data sharing/ownership map, contracts, and standards so everyone in your company can understand how data moves in your organization. A self-assessment tool like a GDPR Data Map Template can help you understand how data flows through your organization and find out whether your data policy is GDPR compliant.
- Establish a proper data management and security policy. Your company must have formal internal rules and data flows. Train your staff to follow these rules.
- Ensure you have a Data Protection Officer with a clear role and clear responsibilities. The GDPR requires some organizations to designate a DPO. These include public authorities, organizations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organizations that process what is currently known as “sensitive personal data” on a large scale.
- If your company develops software, ensure your products’ design security. You can find more information about this issue and a compliance revision table here.
- Engage a GDPR implementation consultant to make sure everything is taken into consideration and works well.
Our team is ready to help your company develop GDPR-compliant solutions and implement them into your business processes.