Updated: May 24
In this article, we take a deep dive into personal data, data processing, data protection, and how process management can help you achieve compliance with the General Data Protection Regulation (GDPR).
Let’s first take a look at personal data from the GDPR perspective.
Definition (GDPR article 4)
Personal data means any information relating to an identified or identifiable natural person (the data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR Article 4(1)). Customer data is personal data whenever it relates to a natural person rather than only to a company.
What Kind of Personal Data Do You Process in Your Data Warehouse?
First of all, there is personal information like
name, address, nationality, gender, date of birth, social security number (SSN), checking account information, credit & debit card information …
Then, you are processing personal information related to contracts:
contract number, invoices, billing statements, beginning & end of the contract, people involved in the contract, shipping address, billing address …
Furthermore, you are processing digital information. For example:
IP address, browser information, hardware information, payment information, e-mail, social media profiles, locations …
And perhaps, you are also processing sensitive data (GDPR Article 9 - special categories of personal data) like:
racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation
Are You, As a Data Controller, Aware of Which Kinds of Personal Data You Process and in Which Software Those Processing Activities Take Place?
Process management can help you achieve GDPR readiness and become GDPR compliant.
It also makes it much easier to carry out a data protection impact assessment (GDPR Article 35). Managing data processing means following the rules laid down in the GDPR; ensuring data security and data privacy; understanding how each processing activity works; and knowing on which lawful basis the processing is allowed.
When processing data, you also have to take care of further laws and regulations which may apply to you, such as the California Consumer Privacy Act (CCPA), the Health Insurance Portability and Accountability Act (HIPAA), or specific laws of your country.
To be GDPR compliant, it is not necessary to build up a process management organization. But would it be helpful for you?
One aspect of GDPR readiness is that the data controller and the data processor have to keep records of processing activities (GDPR Article 30).
But the records of processing activities are not process management. They are more like an inventory of the processing activities you carry out in day-to-day business over the year, so you cannot see from them how exactly a process is carried out. Furthermore, nobody likes to take care of data protection, so it is always questionable whether the records of processing activities are up to date. As a data controller, you are accountable for GDPR compliance and for the data processing activities in your organization (GDPR Article 5(2)).
Data collection, or collecting data, already means that you are processing data. GDPR Article 4(2) states:
Processing means any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
and GDPR Article 4 (6) states:
A filing system means any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized, or dispersed on a functional or geographical basis.
So, you can be assured that if you process data of individuals who are in the European Union, for example because you offer them goods or services or monitor their behaviour, then you HAVE to take care of the General Data Protection Regulation, whether or not your organization is established in the EU (GDPR Article 3). And if your customers are located in California and your business meets its applicability thresholds, then you HAVE to take care of the California Consumer Privacy Act (CCPA).
Software & Applications
What exactly does your software do? In which software do you process personal information and sensitive data? Are several applications connected to each other? Do you have a data processor who can access the personal information processed by your organization, for example during maintenance?
From my point of view, there are two different situations to distinguish.
Your organization is small, you use only a few software products to process data, and you know exactly where the data is stored. "Stored" is very important, as it is your responsibility to know where the processed data is located. Do you use cloud storage? Do you run your own servers? Where are your backups located? If you can answer all of those questions in no time, then it is probably not necessary to set up process management.
If your organization uses many different software tools, processes a lot of different data, and uses cloud storage or its own server infrastructure, then it is a good choice to introduce process management.
Relating to the GDPR, many other questions need to be answered:
Are you using encryption and/or pseudonymization to protect the processed data (GDPR Article 32(1)(a))?
Are you able to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services (Article 32(1)(b))?
Are you able to restore the availability of and access to personal data promptly in the event of a physical or technical incident (Article 32(1)(c))?
Which technical and organizational measures do you use to ensure a level of security appropriate to the risk (Article 32)?
Do you carry out a Data Protection Impact Assessment when introducing new software or a new process that is likely to result in a high risk to data subjects (Article 35)?
Are you able to transmit the personal data concerning the data subject, which he or she has provided to your organization, in a structured, commonly used, and machine-readable format (Article 20, data portability)?
Are you ensuring data protection by design and by default when creating new processes (Article 25)?
And what are you doing to ensure purpose limitation, data minimization, and storage limitation (Article 5(1))?
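To make the first, sixth and last of these questions concrete, here is an added Python example (it is not code from the original article): a customer record is reduced to the fields a given purpose needs (data minimization), the customer identifier is pseudonymized with a keyed HMAC whose key is held separately from the data (the "additional information" of GDPR Article 4(5)), records past their retention period are flagged (storage limitation), and a data subject's record is exported as JSON (data portability). The sample record and the purpose catalogue are constructed for the example; a real organization would derive the purpose catalogue from its records of processing activities.

```python
import hashlib
import hmac
import json
from datetime import date, timedelta

# Constructed sample record: the kind of customer row the article lists above.
# "health_note" is an Article 9 special category and must not leak into purposes
# that do not need it.
SAMPLE_CUSTOMER = {
    "customer_id": "C-1001",
    "name": "Erika Mustermann",
    "email": "erika@example.org",
    "ip_address": "203.0.113.7",
    "date_of_birth": "1980-04-12",
    "health_note": "allergy: penicillin",
    "contract_number": "K-2020-77",
    "last_activity": "2021-01-15",
}

# Hypothetical purpose catalogue: which fields each purpose actually needs
# (data minimization, Article 5(1)(c)). Anything not listed is dropped.
PURPOSE_FIELDS = {
    "billing": {"customer_id", "name", "contract_number"},
    "analytics": {"customer_id", "date_of_birth", "last_activity"},
}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 token for an identifier.

    Without the key, which must be stored separately from the pseudonymized
    data, the token cannot be linked back to the person. A plain SHA-256 of an
    e-mail address or customer number would NOT qualify as pseudonymization:
    anyone can recompute it from a guessed input.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: dict, purpose: str) -> dict:
    """Keep only the fields the named purpose is allowed to see."""
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


def prepare_for_purpose(record: dict, purpose: str, key: bytes) -> dict:
    """Minimize the record for a purpose and replace the direct identifier
    with its pseudonym, so the downstream system never sees the raw ID."""
    out = minimise(record, purpose)
    if "customer_id" in out:
        out["customer_id"] = pseudonymise(out["customer_id"], key)
    return out


def is_expired(record: dict, retention_days: int, today: str) -> bool:
    """Storage limitation, Article 5(1)(e): True once the record has been
    inactive for longer than the retention period (dates as ISO strings)."""
    last = date.fromisoformat(record["last_activity"])
    return date.fromisoformat(today) - last > timedelta(days=retention_days)


def export_for_data_subject(record: dict) -> str:
    """Article 20: hand the data subject their data in a structured,
    commonly used, machine-readable format (here JSON)."""
    return json.dumps(record, indent=2, sort_keys=True)


if __name__ == "__main__":
    # The key would come from a key store, not from the code or the database.
    key = b"demo-key-kept-apart-from-the-data"
    print(prepare_for_purpose(SAMPLE_CUSTOMER, "analytics", key))
    print("expired:", is_expired(SAMPLE_CUSTOMER, 365, "2022-06-01"))
    print(export_for_data_subject(SAMPLE_CUSTOMER))
```

The analytics output contains neither the e-mail address nor the health note, and its customer identifier is a token that is useless to anyone who does not hold the HMAC key. Rotating that key, or deleting it, turns all existing tokens into unlinkable values, which is one practical way to honour an erasure request in derived data sets.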
In a Nutshell
It is a lot of work to achieve GDPR readiness and a lot of additional work to achieve GDPR compliance. The EU has created an extensive data protection regulation which sometimes looks a little over-regulated. But it is as it is. And you should always keep in mind that the fines are extremely high: up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher (GDPR Article 83(5)).
So, what might be a good strategy to take care of data security and data protection and to finally achieve GDPR compliance?
GDPR Compliance Checklist
A GDPR compliance checklist is helpful for setting up your own strategy and for taking care of the data of EU residents and other individuals within the GDPR's territorial scope. If you search the internet for a GDPR compliance checklist, you will find many different ones. I have worked in the highly regulated German health insurance system for a long time, and it was always very complex to stay compliant. So, the focus of this checklist is:
Why are you allowed to process data?
What should you do to keep the overview?
What are the necessary steps to achieve GDPR Compliance?
Perspectives of data protection
Why Are You Allowed to Process Data?
There are 7 principles in the GDPR (Article 5) and 6 lawful bases for processing personal data (Article 6(1)). You can find further information on the 7 principles in my post "Dealing with the GDPR - Part 1".
In day-to-day business, you should always start with the 6 lawful bases of the GDPR, as they are the foundation of lawful data processing. Normally, you will process data based on a contract with the data subject (Article 6(1)(b)) or on a legal obligation (Article 6(1)(c)). Those are the best choices, because the contract or the law itself tells you which processing is permitted. But it is very important that you only process data where you are permitted to do so: if you process an e-mail address or an IP address without a lawful basis for that specific purpose, the processing is unlawful, however harmless it looks.
Processing data based on vital interests, a task carried out in the public interest, or the exercise of official authority (Article 6(1)(d) and (e)) is only common in specific businesses.
If you cannot process data based on a contract or a legal obligation, then you normally need the consent of the data subject (Article 6(1)(a)). Consent means that the person has freely given specific, informed and unambiguous permission to the processing of his or her data for one or more specific purposes (Article 4(11)), and you must be able to demonstrate that consent (Article 7). It also means that if the purpose of the data processing changes, renewed consent for the new purpose is needed. Do you already have consent management?
If none of the above applies, then your last choice of lawful basis is legitimate interest.
You can find the legitimate interest in GDPR article 6 (1f):
Processing is necessary for the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Legitimate interest is the most demanding basis for lawful data processing, because before you may process any data of a data subject on that basis you need to carry out a careful balancing test, including whether the data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place (Recital 47).
If the assessment comes out in your favour, you may process the specific data for the specific purpose. It does not mean that you may process the data in any way you like. And it is always good to have a second opinion on that assessment, for instance a statement from your data protection officer (DPO).
Or you take a look at the official guidance of the Article 29 Data Protection Working Party (Opinion 06/2014 on the notion of legitimate interests). A legitimate interest must:
be lawful (i.e., in accordance with applicable EU and national law);
be sufficiently clearly articulated to allow the balancing test to be carried out against the interests and fundamental rights of the data subject (i.e., sufficiently specific);
represent a real and present interest (i.e., not speculative).
What Should You Do to Keep the Overview?
Whether you are a small or medium-sized company or a large company, it is always important to have an understanding of your data processing activities, your data storage concept, the software & applications you use, and your technical & organizational measures.
So, if you want to take care of customer data and data security, you should at least implement the following "7 measures":
Records of processing activities (in the best case combined with process management)
Overview of software & applications and external processors
Technical & organizational measures (GDPR Article 32)
Appointment of a Data Protection Officer (mandatory in the cases listed in GDPR Article 37, advisable otherwise)
Data protection handbook
Ongoing information and sensitization of employees
Ensuring the rights of the data subject
What Are the Necessary Steps to Achieve GDPR Compliance?
First of all, you should focus on “Understanding the GDPR”. What is the GDPR and why might it be necessary for you to take care of the GDPR?
Next, you should concentrate on the "7 measures" mentioned above.
Every step will bring you closer to GDPR readiness and GDPR compliance. It is also important to build an understanding of data protection in your company. If nobody cares about data protection, then you will never achieve GDPR compliance. Your employees need that understanding in their day-to-day business: if they don't understand the GDPR requirements, you can be sure that your software will always contain data processed without a lawful basis.
So, you should keep in mind that caring about your employees is a very important aspect.
Furthermore, you need a Data Protection Officer who can coach the organization step by step. Article 37 makes the appointment mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of data subjects or large-scale processing of special categories of data; for everyone else it is still a sensible choice. You can't achieve GDPR compliance overnight. It is a long way, and you should take the first steps as soon as possible. As the fines are very high, an organization must take care of all aspects; otherwise, it could lead to bankruptcy.
GDPR compliance also needs regular audits and holistic risk management. So it is not only a question of becoming GDPR compliant; it is a question of what you have to do to stay compliant.
Perspectives of Data Protection
The GDPR is a data protection law that protects the fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. Furthermore, it sets up a framework for the free movement of personal data within the European Union (Article 1). Data protection does not focus only on what has happened; it focuses on what might happen if we process data in a specific way.
Because of that, risk management is an essential part of data security and data protection. You have to decide which risks you are willing and able to accept, and in which situations you would rather choose a way that is risk-free or carries only low risks.
It is also important to "put on your customer's shoes" and to evaluate how a specific data processing feels and looks from the customer's point of view.
Switching between these perspectives is very helpful for achieving a holistic view of data protection and, finally, GDPR compliance.