Starting May 25th, 2018, compliance with the General Data Protection Regulation (GDPR) becomes mandatory. Companies that do not act in accordance with it face penalties of up to 4% of the company’s global revenue or fines of up to 20 million Euros.
Although the GDPR must be recognized as the most far-reaching piece of cyber-security legislation in the EU, companies should also take into account compliance with other regulations, such as the Payment Services Directive (PSD2), which EU member States were required to implement from January 13th, 2018, and which affects payment services and new entrants such as FinTechs and PSPs; and the NIS Directive, approved in July 2016 and in force since August of the same year, which as of January 2018 leaves EU member States only four months to transpose it into national law and a further six months to identify the essential service operators in their respective territories.
The GDPR imposes a completely different and more restrictive management regime than the one currently in force, and compliance with it is essential. Its scope of application is vast: it has even triggered the creation of the Data Protection Bill in the UK, which will act as the nation’s equivalent to the GDPR once Article 50 (Brexit) is finalized. Unlike the personal data protection standards set out in Directive 95/46/EC, the GDPR also affects companies outside the EU that offer goods or services to people in the EU or that monitor their behavior inside the EU. For example, it directly affects international data transfers and foreign companies that host websites accessible to people residing in the EU.
One of the great changes introduced by the GDPR is the application of the principle of proactive responsibility. The GDPR requires both a reactive and a proactive approach to personal data security breaches, not only by the company that gathers the data but also by any third parties that process it on its behalf. The companies themselves are now responsible for guaranteeing that protection, which implies “the need for the one responsible for the treatment to apply appropriate technical and organizational measures so as to guarantee and be able to prove that the treatment is in accordance with the Regulations”.
The most relevant aspects of the GDPR are:
- Obligation to audit and document the company’s state of compliance with the regulations before updating the policies, protocols and texts relating to the processing of personal data, and their adequacy with respect to the regulations.
It is necessary for the audit team (internal or external) to be made up of professionals from both the legal and IT fields (Article 25 of the GDPR).
Obligation to maintain registers that detail the processing activities, data subjects’ access requests, security breaches, the way in which consent is granted and data protection impact assessments. This applies to companies with more than 250 employees, or to those whose processing is likely to entail a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data, such as information about health, religion or sexual orientation.
- Unequivocal and explicit consent: The General Data Protection Regulation requires that people whose data is processed grant their consent through an unequivocal statement or a clear affirmative action. This is a marked change, since the Data Protection Act of 1998 does not specifically refer to individual consent. Therefore, consents obtained before the date of application of the GDPR will only remain valid if they were obtained according to the criteria of this new Regulation, and new ones cannot be obtained through the well-known “soft opt-in”. That is to say, a web user, for example, will have to tick the box in which he or she expressly consents to the information provided being used for commercial purposes and/or passed on to third parties.
Likewise, consent cannot be generic: the data can only be used for the purpose about which the user has been informed, and in no case may it serve for other types of processing. Separate consents will be needed.
- Obligation to provide more information: Besides the data required by the Data Protection Act of 1998 (Article 7), which includes the purpose of the use of the data, the recipients of the files, obligations regarding its disclosure, the rights of data subjects and the identity of those to whom the data relates, Article 30 of the GDPR demands the inclusion of: the legal basis for the processing of the data; the maximum time the data will be kept; the identity, where relevant, of the Data Protection Delegate; whether or not there will be an international data transfer; the right to lodge a complaint; and the existence of automated decisions.
During this transitional period, organizations should edit the privacy notices on their websites to adapt them to the GDPR, whose requirements are thoroughly explained in Articles 15-22, and be prepared to include them in contracts and forms.
- Risk analysis: In accordance with Article 33 of the GDPR, all companies without exception must analyze IT vulnerabilities and potential security breaches, guaranteeing that the most advanced techniques are being used to prevent, block or neutralize potential attacks. In addition, the company must establish a monitoring system with periodic reviews and updates of the analysis systems to avoid obsolescence. And, lastly, it must guarantee that at all times data processing complies with the current data protection regulations.
It is obligatory to notify the Information Commissioner’s Office (ICO) of security breaches that have occurred within 72 hours of becoming aware of them. If the breach is considered to pose a high risk to data subjects, the company is obliged to communicate it to them directly.
- Data protection impact assessments: Certain companies, given the nature of the data they handle, will need an impact assessment. These are companies that perform a systematic evaluation of personal aspects based on automated processing, such as profiling, on the basis of which decisions with legal effects are taken or which significantly affect the data subjects; companies that perform large-scale processing of special categories of data or of data regarding criminal convictions and offenses; and companies that perform large-scale systematic monitoring of publicly accessible areas.
The difference between an impact assessment and a risk analysis is that the former focuses on measuring the risk to the rights and freedoms of natural persons in relation to data protection, whereas the latter analyzes IT vulnerabilities and potential logical security breaches with the aim of selecting and implementing the best IT solutions to prevent, block or neutralize attacks.
- A new figure, the Data Protection Delegate (DPO): According to Article 37 of the GDPR, the professional figure of the Data Protection Officer is created in order to guarantee compliance.
Data Protection Delegates (DPOs) will be appointed on the basis of their professional qualities and, in particular, their expert knowledge of data protection law and practice, as well as their ability to perform their duties (Art. 37 GDPR). The ICO does not state the exact professional qualifications of the DPO, but it establishes that he or she must follow the professional guidelines set out in Article 37. Appointing a DPO is mandatory for companies that collect or process EU citizens’ personal data. You can consult the Information Commissioner’s Office (ICO) website for further information.
- Third-party contracts: The GDPR has taken significant steps towards regulating the companies that may have access to personal data. GDPR obligations also extend to the third-party vendors of GDPR-applicable companies; furthermore, the existing contracts between GDPR-applicable companies and third parties must also be modified to comply with the new regulations.
The contract between controllers and processors must be in written form and should specifically detail the outsourcing regime, confidentiality and the fate of the data once the service has ended.
The ICO has provided extensive guidance that compiles all the stipulations that must be included when contracting with any third party.
A few months away from the implementation and application of the GDPR, companies should take the opportunity to review existing contracts for engagements that are expected to extend over time, so that by May 2018 they are compatible with the provisions of the Regulation, and to start including in new contract terms all the elements that the Regulation considers necessary.
Sanctions aside, no company that wishes to be competitive can afford to remain outside the new legal framework. Therefore, adapting immediately to the new regulations and to the many developments and programs that the GDPR brings is the most advisable course.
Companies must review all their processes and data processing systems and evaluate every process that has an impact on the privacy of users, clients and workers. Furthermore, it is important to invest in tools that make privacy-by-design and privacy-by-default evaluations easier, and in the development of systems that support the implementation of proactive responsibility processes within the company.
In conclusion, the GDPR reaffirms three basic principles relating to personal data, which can be summed up as:
- Data protection:
The gathering of data must be specific, explicit and legitimate, limited to what is necessary for the stated purpose.
Data protection and the rights to be forgotten, to modify, to delete and to rectify information must be exercisable in a way that is as simple as the collection of the data itself, and the storage of the data must be agreed upon for a specific purpose.
In addition, its storage and processing must guarantee security, including protection against loss, destruction or damage, as well as unlawful or unauthorized access.
- Authorized processing: processing will only be considered authorized if:
- The data subject has given consent for the specific purpose;
- The data is necessary for a contract;
- A legal obligation exists, such as a tax declaration;
- It is in the public interest or in the exercise of public authority; and
- It is necessary to protect legitimate interests, unless the interests, fundamental rights and freedoms of the data subject prevail.
- International transfers: The GDPR maintains the steps set out in Directive 95/46 and the national transposition regulations. The GDPR provides that an international transfer outside the EEA (European Economic Area) can only take place if 1) it is made to countries, territories, specific sectors or “international organizations” recognized as having an adequate level of protection, or 2) adequate guarantees have been offered regarding the protection the data will have at its destination; said guarantees must be offered by the exporter, whether it is the controller or the processor; or 3) exceptionally, for reasons of necessity linked to the data subject’s own interest or to general interests (with no guarantee of protection).
You can check the current privacy and security policies applicable to the products offered by Oracle NetSuite. Many of these policies are available at this link and at this other one, and they form a robust privacy and security framework that remains applicable after the GDPR comes into force. For example, the Oracle Data Processing Agreement for Cloud includes clear provisions on purpose and usage limitation, meets the requirements regarding security breaches and security controls, and incorporates clauses relating to security in international data transfers.
At NoBlue we are working to adapt the contracts and all the personal data gathering mechanisms to the new regulations. However, if during this process you wish to know the situation of your data, you can contact firstname.lastname@example.org to withdraw consent to the processing of your personal data; to access your data, and to have it corrected or deleted («the right to be forgotten») by us or by third parties that might have had access to it; to be informed of the existence of any automated processing of the personal data (including profiling); to object to certain kinds of processing, such as, for example, direct marketing or decisions based solely on automated processing; and to be informed about how long the personal data will be kept.
If you have any additional doubts regarding the products and services offered by NoBlue and Oracle NetSuite, do not hesitate to consult us.
The information contained in this document is intended only as a consultation guide and cannot be interpreted as valid legal counsel regarding the content, interpretation or application of the GDPR, DPB, NIS or any other regulation. We recommend that our clients contact the Information Commissioner’s Office (ICO) or a specialized legal consultancy to understand the scope and applicability of the regulations and of any law or regulation relating to the processing of personal data, including the use of services and products from suppliers.