SUMMARY
1. Get clear on your ‘controller’ and ‘processor’ relationships
2. Prepare for GDPR investigations
3. Make sure you have an automated response system in place for GDPR requests
DETAIL
1. Get clear on your ‘controller’ and ‘processor’ relationships
GDPR divides the responsibilities of handling personal data
into two roles: controller and processor. The legal responsibilities change
depending on which role you play.
Controllers control personal data – any information that
could identify a person (name, email, address, location, etc.). Processors
process that personal data on behalf of controllers. This distinction creates a
messy, Russian-doll system because your company could be a processor in some
relationships and a controller in others. You could even have multiple
processor-controller relationships with one company.
Do your sales and marketing teams use Salesforce? You’re the
controller, and Salesforce is the processor. If customers ask you to delete
their Salesforce record, exercising GDPR’s “Right to be forgotten,” you’re
responsible for fulfilling the requests. Salesforce is responsible for enabling
you to fulfill the request. Processors make the delete button; controllers
click it.
B2B companies beware: One processor might serve another
processor. For example, my company makes an IT service management (ITSM)
platform. Customers store personal data in our Help Desk solution. That makes
our customers controllers and my company a processor. However, our cloud
platform runs on Amazon Web Services, so Amazon is a processor to us. Amazon
controls personal data of some of our employees, perhaps in a CRM file or in an
Amazon.com shopping account. But those are separate, unrelated relationships.
Get clear on which role you play in every relationship.
Before GDPR is enforced, every contract will need an addendum defining who is
controller versus processor. Don’t assume your vendors or clients are clear on the
differences and responsibilities.
I have already been writing letters to data processors
(payroll and government) on behalf of clients and have already guided them on having
forms, templates and rehearsals for subject access requests.
2. Prepare for GDPR investigations
They used to say the only certain things in life were death
and taxes. Add cyberattacks to that list. No company is immune to a data
breach, which is one of the best ways to get slapped with GDPR’s top fine: €20
million or 4 percent of revenue, whichever is greater. Regulators don’t just
send a bill to whomever they assume is responsible – they investigate.
After a breach, controllers have 72 hours to alert
regulators and must notify people at risk “without undue delay.” Processors are
expected to notify the controller ASAP if they detect the breach first. More
importantly, EU regulators want to see that your company (whether you’re the
controller or processor) did everything reasonably possible to prevent the
incursion and protect personal data. They’ll focus on your cybersecurity
processes – what you say you do – and governance – how you track and enforce
execution of these processes.
Consider the Meltdown and Spectre vulnerabilities that just
swept headlines. Had they surfaced after May 25 and led to data breaches, the
EU would have investigated. GDPR doesn’t say, “Thou shalt encrypt all personal
data.” Still, if a company leaked unencrypted data due to Meltdown or Spectre,
regulators might deem that company negligent in addition to blaming the
processor manufacturers. Until investigators set precedents, GDPR is open to
interpretation.
In other words, GDPR doesn’t prescribe how to protect data,
but EU regulators still judge whether you took sufficient precautions (fair,
right?). Update your processes and governance as if you were expecting an
investigation. Be ready to show that you took exhaustive measures to protect
personal data.
3. Make sure you have an automated response system in place for GDPR requests
Under GDPR, EU citizens can ask you to reveal, correct, or
erase their personal data. They can also ask you to stop processing their data
in specific ways (e.g. no personalized advertisements) and may even ask for a
portable, machine-readable copy of their data (check out GDPR Chapter 3 for
details). You do not want these requests bogging down your IT and support
staff. Simulate GDPR requests and figure out how to automate them.
As a processor, consider what your customers (especially
controllers) will need to do in your system. Draft an FAQ that, rule by rule,
explains how your controller can meet the “Rights of the data subject.” At my
company, we’re building our FAQ into workflows that will guide IT staff through
GDPR requests. That way, our controllers can respond quickly and independently.
We know that investigations are possible, so the workflows document each step
and stamp actions with a time and date.
Controllers in the consumer tech business especially need to
invest in self-service for GDPR. Note that Google already had a tool for
account holders to download data and highlighted it in an article on its GDPR
preparation. Facebook hasn’t announced much about GDPR. However, you’ll notice
that its Ad Preferences page, buried in your privacy settings, can handle GDPR
requests such as shutting off targeted ads (a type of data processing). Your
platform might have GDPR tools that just need to be organized into one,
well-labeled user interface.
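As an added illustration of the workflow idea in this section (this is example code, not the author's system), the sketch below dispatches the Chapter 3 request types the article lists (reveal, erase, stop one kind of processing, portable copy) and stamps every step with a UTC time and date in an append-only audit trail. The record store, subject addresses and request ids are constructed sample data, not real records.

```python
"""Minimal data-subject-request workflow with a timestamped audit trail."""
import json
from datetime import datetime, timezone

# Constructed sample store keyed by subject email (hypothetical data, not real people).
RECORDS = {
    "ana@example.com": {"name": "Ana", "email": "ana@example.com",
                        "city": "Lyon", "ads_personalized": True},
}
AUDIT_LOG = []  # append-only: one entry per workflow step, kept for investigators


def _audit(request_id, subject, action, detail):
    """Record one step with an ISO-8601 UTC timestamp and return the entry."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "request_id": request_id,
             "subject": subject, "action": action, "detail": detail}
    AUDIT_LOG.append(entry)
    return entry


def handle_request(request_id, subject, kind, store=RECORDS):
    """Handle one request of kind access|portability|restrict_ads|erase.

    Returns a status dict; every branch logs a 'received' and a closing step so
    the trail shows what was done and when, even when nothing was held.
    """
    _audit(request_id, subject, "received", kind)
    record = store.get(subject)
    if record is None:
        _audit(request_id, subject, "completed", "no record held")
        return {"status": "no_record"}
    if kind == "access":  # reveal what is held about the subject
        _audit(request_id, subject, "completed", "disclosed %d fields" % len(record))
        return {"status": "ok", "data": dict(record)}
    if kind == "portability":  # machine-readable copy of the record
        payload = json.dumps(record, sort_keys=True)
        _audit(request_id, subject, "completed", "exported json")
        return {"status": "ok", "export": payload}
    if kind == "restrict_ads":  # stop one kind of processing, keep the record
        record["ads_personalized"] = False
        _audit(request_id, subject, "completed", "ads_personalized=False")
        return {"status": "ok"}
    if kind == "erase":  # right to be forgotten
        del store[subject]
        _audit(request_id, subject, "completed", "record deleted")
        return {"status": "ok"}
    _audit(request_id, subject, "rejected", "unknown request kind")
    return {"status": "unsupported"}
```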
The bright side to GDPR
The rules of GDPR are nebulous, tricky, and unpredictable.
That’s why it feels like a force of nature and has caused so much
scaremongering.
On the bright side, GDPR enshrines the principle that people
are the masters of their own data. This philosophy could be a turning point for
cloud technology vendors.
Many European companies have hesitated to adopt the cloud
due to the lack of governance around data. But under GDPR, cloud vendors acting
as processors share the legal burden of protecting data. Beginning May 25, they
will pay a price for shirking that responsibility.
Note: If this article sounded like gibberish, or GDPR still
seems like a natural disaster, stop Googling articles and go find a GDPR
consultant.
ORIGINAL ARTICLE
NEED SUPPORT WITH GDPR?
Jersey Community Partnership and Association of Jersey
Charities are looking to co-ordinate resources and suppliers, and there may be
grant funding available.
Jersey Charities Q&A
Jersey Data Protection Association list of GDPR events
Data Protection Reform in the Channel Islands
CONTACT
TimHJRogers@AdaptConsultingCompany.Com
+447797762051 Skype: timhjrogers TimHJRogers@gmail.com