In Part Two of our three-part series, we discussed key elements such as consent and online data technologies, privacy notices and cross-border transfers.
Here, in Part Three, we will dive into understanding individual rights and the obligations of a data controller and data processor.
It is important to determine, based on the data that you process, whether you are a data controller or a data processor.
Essentially, the controller makes the decisions about the data. Generally, companies are controllers of their employee data, business customer data, and vendor data.
When a company processes personal data on behalf of another company, it is considered a processor. The processor receives instructions from the data controller on how to process the data. Cloud service providers and payroll companies, for example, are processors. A data processor is directly accountable to those whose data it processes.
Controller and Processor Obligations
Companies need to disclose in their privacy notice how they use personal data, how long they store it, and how they use third parties, as a few examples. It’s important to know that a privacy notice needs to be provided to all individuals from whom personal data is collected. This includes employees, vendors, customers, and consumers.
Data controllers must select data processors that can provide sufficient guarantees that they have technical and organizational measures in place to meet the requirements of the General Data Protection Regulation (GDPR). Processors must process personal data per the controller’s instructions. This means that processors have to comply with many of the GDPR’s requirements, per the controller’s instructions.
If you are in a controller/processor relationship, you need to ensure you have a very strong communication plan in place, updated contracts, and a solid understanding of the GDPR requirements for each side.
Honoring new privacy rights for individuals
It is important for SMBs to recognize that GDPR introduces the concept of individual rights such as the right to be forgotten, the right to data portability, and the right not to be profiled. The data subject makes the request to the controller. To meet the request, the controller may need to rely on its processors, but the controller remains responsible for meeting the requirements of these new rights.
The right to be forgotten allows a person to request that their data be erased. There are some exceptions; for example, it cannot supersede a legal requirement that an organization retain certain data. For US companies, this would include records required under HIPAA.
Once you determine that you are technically capable of handling the right to be forgotten, you need to know how that will be managed by your company. Employees will need to be trained on how to receive such requests.
Data subjects can demand that their personal online data be ported to them so that they can reuse “their” data for their own purposes and across different services. Examples could include a list of media such as books, songs, movies, or photos stored in a cloud, or a transaction history.
There is also the right to object to profiling. Does your company use data to make automated decisions that could profile a customer (this includes online behavioral advertising)? If so, you will need to ensure that the user has the ability to opt out of such profiling.
Report a breach within 72 hours
Many SMBs may not have dedicated resources or a large staff to manage a data breach. For SMBs, it will be critical to review what the procedures would be if you suffered a data breach.
Under GDPR, it is expected that if your company experiences a data breach, you must notify the local Data Protection Authorities (DPA) in the member states of those affected within 72 hours of identifying or confirming a data breach occurred.
SMBs need to start thinking now about who needs to be involved (lawyer, C-suite, consultants, marketing/PR firm), create an incident response plan, ensure all the personal data they hold is well protected, and review these measures often.
Documentation and Accountability
SMBs must not only comply with GDPR; they also need to be able to demonstrate compliance. To do this, there must be documentation that shows all the data processing activities, what type of data is collected, where it is stored, the purpose for which it is being used and the privacy notice provided. Consent, as described above, must also be well-documented.
What to do now?
Start tackling GDPR now with these 5 steps!
- Document what data is collected, where it is stored, how it is being used, and under which mechanism its use is permitted (e.g., consent, legitimate interest).
- Determine which privacy notice is provided and to whom. Are any updates required?
- Review your marketing practices and determine what consent measures need to be updated.
- Ensure you are prepared for the 72-hour data breach notification requirement.
- Create processes to handle the individual rights requirements.