Think GDPR Only Means Reporting Data Breaches Within 72 Hours? Think Again
Welcome to the last installment of our three-part GDPR series. In this post, we’ll dive deeper into a few more key concepts like data controllers vs. data processors (and how you can determine which one you are), the new 72-hour rule for data breach reporting, as well as the newly defined role of a Data Protection Officer.
The 72-hour breach notification mandate has received a lot of press and attention, but it’s important to note that it’s just one part of GDPR. This post will cover the other elements that IT needs to know about as well. And if you haven’t already read Parts One and Two, we recommend you check them out. They’ll give you a good overview of the regulation and why you need to start preparing now.
Data controller vs. data processor: Which one are you?
The basic definition
Let’s begin by understanding the difference between the data controller and the data processor. It’s critical to know which one you are since the obligations under GDPR can differ for each.
Controller – “The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data…” Basically, the controller makes the decisions about the data: why it is collected and how it is handled. This can mean employee, customer, or vendor data. Every company is to some extent a data controller, since at a minimum it is responsible for its own employee data and its clients’ data.
Processor – “The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.” Basically, the processor receives instructions from the controller on how to process the data. Cloud service providers and payroll companies, for example, are processors. A data processor is not an uninvolved bystander, however: it carries its own obligations under GDPR and can be held directly accountable to the individuals whose data it processes.
Sometimes companies find themselves in a joint-controller situation, where two or more data controllers together determine the purposes and means of processing of personal data. A company can also be both a controller (for its employee, customer, and vendor data) and a processor (for its main line of business, when it handles customer data on a client’s behalf).
What does a data controller need to do?
Be very transparent
Companies need to disclose how they use personal data, how long they store it, which third parties they share it with, etc. This is normally done in a privacy notice. Keep in mind that a privacy notice needs to be provided to every individual from whom personal data is collected. This includes employees, vendors, customers, and consumers.
Report data breaches within 72 hours
So what constitutes a data breach under GDPR?
A “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.” Note that accidental loss, destruction, and alteration all count, not only exposure to an outsider. This is broader than the fraud or identity-theft triggers common in US state data breach laws.
Controllers are responsible for notifying the supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours after becoming aware of it; if notification is made after 72 hours, it must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to individuals, the controller must also communicate it to the affected data subjects without undue delay. Processors are responsible for notifying the controller without undue delay after becoming aware of a breach. The two clocks are linked: the controller’s 72 hours start when it becomes aware, so a slow processor eats directly into the controller’s window. In practice this means the processing contract should set a concrete notification timeframe for the processor and specify what the notification must contain (nature of the breach, categories and approximate number of data subjects and records, likely consequences, and measures taken).
There is a reporting exception: notification to the supervisory authority is not required if “the personal data breach is unlikely to result in a risk for the rights and freedoms of natural persons.” With no guidance or case law yet, it will take some time to fully comprehend what will result in a risk to the rights and freedoms of a person and what will not. Either way, every breach should be documented internally (facts, effects, and remedial action), since the supervisory authority can ask to see that record. It is advisable to err on the side of reporting.
Select processors and sub-processors
Data controllers must select data processors that can provide sufficient guarantees that they have the technical and organizational measures in place to meet the requirements of GDPR. Processors must process personal data only on the controller’s documented instructions. In practice this means a processor ends up bound to many of GDPR’s requirements, both directly and through the controller’s instructions.
A data processor may also use sub-processors, but only with the controller’s specific or general written authorization. General authorization can be given at the beginning of the contract; in that case the processor must inform the controller of any intended addition or replacement of sub-processors so the controller has a chance to object, and the processor remains fully liable to the controller for the sub-processor’s performance. Companies should review all their contracts with third parties that process data on their behalf to ensure compliance, and make sure both parties’ obligations and responsibilities under GDPR are clearly defined.
Honor new privacy rights for individuals
GDPR creates new individual privacy rights, like the right to erasure (often called the right to be forgotten) and the right to data portability. The controller must be able to meet the requirements for these new rights, generally within one month of a request.
A data subject has the right to go to a data controller and request that their data be deleted (the right to be forgotten) or provided to them in a structured, commonly used, machine-readable format, and where technically feasible transmitted directly to another controller (the right to data portability). The controller then informs its data processors (which could be you, if you are a data processor) what information needs to be deleted or made available to the data subject.
Controllers and processors will need to work through this process in advance and determine how requests will be received, verified, fulfilled, and tracked, including how deletion will be propagated to sub-processors and backups. Once determined, this should be covered in the written agreement.
Create contracts between data processors and data controllers
Data controllers and data processors will need to specifically outline their requirements and responsibilities in the contract. The contract should cover the subject matter and duration of the processing, its nature and purpose, the types of personal data and categories of data subjects involved, and the obligations and rights of the controller.
Additionally, the contract needs to specifically address that data should only be processed at the direction of the controller, that the data processor will need to report any breaches to the data controller without undue delay, and finally, how the data processor may need to assist the data controller to fulfill individual rights obligations under GDPR (such as the right to erasure or data portability).
A new role: Meet the Data Protection Officer (DPO)
Do you need to appoint a DPO?
Well, it depends. Under GDPR, a company needs a DPO if its core activities consist of processing that requires “regular and systematic monitoring of data subjects on a large scale,” or of large-scale processing of special categories of data (such as health data) or data relating to criminal convictions. Public authorities and bodies must appoint one regardless. Examples include healthcare providers that process patient records as their core business, and companies that engage in online tracking and profiling (such as email retargeting, location tracking, or behavioral profiling of customers at a bank).
Note that the final text of GDPR contains no headcount exemption for the DPO requirement. The 250-employee threshold that appears in GDPR relates to the duty to keep records of processing activities, and even that exemption falls away where the processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data. Whether you need a DPO depends on the nature and scale of your processing, not on company size, and the obligation applies to both data controllers and data processors.
What does a DPO do?
The DPO is the company’s main point of contact for the supervisory authority as well as for data subjects. The contact details of the DPO must be published (often in the privacy notice) and communicated to the supervisory authority.
Additionally, the DPO’s role is to inform and advise the company about its obligations under GDPR, monitor compliance (including awareness-raising and training of staff), and advise on and monitor data protection impact assessments. GDPR requires that the DPO be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. A DPO can be an existing employee or a contractor, but an employee in the role must not hold another position that would create a conflict of interest (for example, head of IT or marketing deciding the purposes of processing). The DPO reports directly to the highest level of management, must not receive instructions on how to carry out the DPO tasks, and must not be dismissed or penalized for performing them.
What to do next: A 10-step checklist
Now that you have an understanding of the fundamentals of GDPR, what should you do next? Here is a 10-step checklist to get you jump-started on your path to compliance.
1. Designate a GDPR resource in the company who will lead the project. Consider outsourcing for additional help.
2. Know what data you collect, hold, share, and store including cloud applications that are processing or storing your data. This likely involves performing a data inventory.
Remember: GDPR is bigger than just personally identifiable information (PII). Personal data under GDPR includes online identifiers like cookies, location data, and sensitive data like race, political views, and biometric data. This is just a short list!
3. Collect only necessary data.
4. Limit processing of “special category” data such as racial or ethnic origin, political opinions, religious beliefs, health, sexual orientation, genetic and biometric data (reminder: processing any of these requires explicit consent or one of the other specific conditions set out in Article 9, such as an obligation under employment law; ordinary consent or legitimate interest is not enough).
5. Review and update agreements with all data processors and third parties (where applicable).
6. Conduct or respond to inspections and audits of data processors either directly or through an external auditor to ensure compliance.
7. Make sure processors only use personal data for the designated purpose. If you are a processor, make sure you process data only for the purposes agreed in the contract and on the controller’s documented instructions, and tell the controller if an instruction would in your view infringe GDPR.
8. If you work with a sub-processor, make sure that you have the appropriate agreements and notices in place to do so.
9. Ensure security measures are in place for both data controllers and processors to protect personal data from loss or unauthorized processing. GDPR expects measures appropriate to the risk, and explicitly names pseudonymization and encryption, the ability to restore availability after an incident, and regular testing of the measures. Here are some essential points to review with a vendor:
- Does the vendor have a well-defined and clear access control policy?
- Who can access your company’s data, and when? Is this access logged, and is the log reviewed?
- Does the vendor have a designated person responsible for security and data protection?
- How does the vendor secure data, in transit and at rest?
- What is the vendor’s data retention policy?
- For data that is to be deleted, you need to know every place it lives (replicas, backups, exports, logs, analytics copies) so that deletion is not defeated by a stray copy, and there must be a mechanism to verify that the data has actually been deleted when required.
10. At the end of the service term, and at the controller’s choice, the processor must delete or return all the personal data relating to the processing to the controller. It must also delete all existing copies, unless Union or Member State law requires the processor to retain the personal data. Controllers can request evidence of deletion or an inspection to confirm that this has been done, and processors must make available the information needed to demonstrate compliance.