GDPR — my 70+ year old mother can get it
GDPR is complex. Not. If you manage personal data of any EU citizen, read on. A summary of what it is and what to do:
- in 1 sentence
- in 10 points
- in a longer format: how to set up 3 processes and write 2 documents
GDPR in 1 sentence
Do not piss off your subscribers, customers, clients with abusing their personal data.
GDPR is really easy. It is common sense.
What if my business is not in the EU?
If you handle, store, process data of any EU citizen, GDPR still applies.
What if I do not comply?
You will pay a penalty of 4% of your revenues or 20 Million EUR — whichever is higher.
GDPR in 10 points
1. GDPR is about personal data.
If you have data about birds, cars, invoices — with no humans involved, that is NOT personal data. GDPR has nothing to do with it.
2. There were rules in place before GDPR — only the penalties increased. So if you were compliant before, you are now.
3. Personal data is anything that can be used — alone or in combination with some other data — to identify someone as a person. That person is a data subject.
4. Special categories of personal data are anything YOU would not like to be published about you. Easy.
Racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation
5. These are the areas where GDPR helps data subjects (=persons):
- Explicit consent — they have to agree with their data being stored in your database; there can be exceptions to this
- Right to be forgotten — erased from databases; there can be exceptions to this
- Right to be informed — who holds what kind of information about them
- Right to limit the handling of their personal data
- Data protection — you must build your information technology systems in a way that they will protect personal information
- Data portability — the right to download his/her personal data in a format that can be taken to some other system
6. Controller: anyone who actively manages personal data on his/her company’s behalf. Any other organization who holds personal data on behalf of other companies is a Processor.
7. Authority: yes, there is such an authority in your country, as well. They will be the bad boys. Your customers, clients, patients etc. can go and report you to them. Sounds too bad. They are not the guys winning the next beauty contest.
8. DPO: Data Protection Officer: someone who will manage GDPR stuff in your company and will be the contact for your customers should they have information requests or complaints. For details on who needs a DPO, see below.
9. Incident: when personal data or the system that stores personal data is breached. You will know when, sooner or later. When you notice it, report it to the authority. Do not try to hide it or cover it up, it’s not worth it. If you are honest you have a better chance to survive.
10. Data protection and Personal Data Handling: Two main purposes of GDPR: one (protection) is about how you protect what you have and the other (data management) is about how you handle what you have.
GDPR IN LITTLE BIT MORE DETAILS — BUT STILL NOT TOO DETAILED
STEP1: Know if you manage Personal Data
Personal data is data based on which some real, concrete person can be identified. Be him/her dead or alive.
- a MAC address of a computer plus the network the computer logged in and the username together CAN be used to identify me.
- my picture that includes my face and a GPS coordinate can be used to identify me
- an e-mail address in itself can be used to identify me
Does your business store personal data?
If yes, then read on. If not, you can go and have a beer.
STEP2: Know who you are: Controllers and Processors
If your business determines:
- the purpose of the data processing (Why?)
- OR the means of processing (How?)
THEN your business is a Controller.
Otherwise it is a Processor.
Can your business be both? Of course. E.g. our 10xONE.COM business, which is an all-in-one cloud business software service provider, is both:
- it handles its own employees and customers data as a Controller
- it stores hundreds of TBs of its customers’ own business data as a Processor
STEP3: UNDERSTAND THE BASICS: WHAT IS GOING ON?
Legal basis: this is key, this is the heart of GDPR: GDPR does not say that you MUST do this or that. It just says that
- you have to have a basis for what you are doing and
- that you have to prove that you did some thinking about it
All you have to do is to apply judgement and document it for each data element you identify. See the next point on this.
Wait: “legal basis” is not crystal clear? Yes, this is the case: you have to apply judgement and document that you did. There is no clear definition of “legal basis”. You always have to run the same test:
IF Personal data protection > Your basis for processing THEN stop processing
STEP4: ASK YOUR IT GUY TO DO THESE SIMPLE THINGS
A fundamentally fundamental base main truth-not kidding
When it comes to personal data, you can do 3 things with it to prove that you practiced “data protection by design and by default”:
- Pseudonymize means that you do something to the data so it cannot be used anymore to identify a given person. E.g. you shuffle characters in names, mix up birth dates and e-mail addresses in your database. You can do this if your software supports it. If not, then you may want to write scripts; the worst option is that you do it manually. You may want to do it a) immediately, if you process statistical data b) after a given amount of time
- Encrypt: this MUST be your default default for default. Did I say default? Do it. Talk to your IT guy. Now. Encrypt: your phones, your laptop disks, your desktop disks, your server storage disks, and use secretcube.com to store your data. Encryption, if done right, does not hurt. You need a password, and that’s it.
- Delete: yep. You may want to do it a) immediately, if you process statistical data b) after a given amount of time
You may not be able to do it alone, so ask your IT guy and do not let him/her go until these are solved.
S/he will say that it is not easy.
Believe him/her. It is not. But it is not impossible.
A few more things to ask from your IT person:
- Firewall: have one and keep its software up-to-date. This may be some hundreds of EUR, but for this amount there are quite a few basic firewalls available. Or buy secretcube.com (are we pushing this just way too hard:)?)
- VPN: your IT administrator will know that if you handle files remotely or upload or download data, you have to use it
- Https: fundamental, mandatory. Google will also punish your website if you do not have it. If any username, login, e-mail address or anything like this is entered on your website, you should have https as well. If your IT person tells you this is expensive, show him this (click). Free https certificate. For anyone. Anywhere. Forever. No, not our business. This is not advertising.
STEP5: DO THESE SIMPLE THINGS
Set up 3 processes. A process is something you do again and again. Call them routines. Or stuff I always do. Whatever.
STEP6: SET UP GOVERNANCE AND REPORTING
Get a piece of paper. Google docs. Google sheets. Any place where you can write.
Write down these and assign a name next to each:
- P1 — GDPR governance and reporting. Responsible: Adam
- P2 — GDPR analysis and compliance. Responsible: Eve
- P3 — GDPR personal data (subject) handling. Responsible: God (<- not the best choice, choose someone else; God is responsible by default but s/he cannot testify in a court)
STEP7: SET UP ANALYSIS AND COMPLIANCE
OK — it is easy. Again. This is something that you do once — now.
And then: you have to do it again and again. That’s why this is a “process”, too.
SET UP a) Analyze your systems, document the results and assign rules; it is not that complicated
Piece of paper, Google docs, Sheets etc. Microsoft Excel is OK, too.
Write down what kind of systems you have and below them what kind of personal data they hold.
- Whatever Webshop: e-mail, name, gender, age, personal address
- Whatever Invoicing app: name, personal address
- Whatever E-mail app: name, e-mail
Then set up rules for each data element; create a table like this:
Rules: any kind of rule that suggests what you do with that data element to ensure compliance
SET UP b) Assign a Data Protection Officer — if needed
You need a DPO if:
- Your business is a public authority (except for courts)
- Data processing requires regular monitoring of individuals
- Data processing involves large amount of data categorized as special or data relating to criminal stuff
- Other — according to your country
According to our understanding, any business that has an e-mail database manages a “large amount of data”. Bad news? Not necessarily: the GDPR has no clear definition for this.
What is a DPO supposed to do?
- Inform, advise your staff on data protection processes
- Monitor compliance
- Cooperate with supervisory authorities
- Point of contact for individuals
SET UP c) Set up compliance in the systems you use — you may need your IT person for this
- set up rules to delete or pseudonymize data
Ask your IT person to make it happen.
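As an added example (not the article’s or 10xONE’s code), here is the kind of small script an IT person could write for SET UP c) and STEP4: it takes a rule table like the one in SET UP a) (keep / pseudonymize / delete each data element after N days) and applies it to records. The record layout, the rule table and the sample webshop records are constructed for illustration, and pseudonymization uses a keyed hash rather than the character shuffling mentioned above.

```python
# Added example (not the article's code): apply the per-data-element rules of
# STEP7 a) (keep / pseudonymize / delete after N days) to records, as STEP4 and
# SET UP c) ask the IT person to do. Layout, rules and records are constructed.
import hashlib
import hmac
from datetime import date

# Constructed rule table: data element -> (action, days after the last order).
RULES = {
    "email": ("pseudonymize", 30),
    "name": ("pseudonymize", 30),
    "gender": ("keep", None),
    "age": ("keep", None),
    "address": ("delete", 90),
    "last_order": ("keep", None),   # the date the retention clock runs from
}

def pseudonymize(value: str, key: bytes) -> str:
    # Keyed hash (HMAC-SHA256) instead of the character shuffling the article
    # mentions: equal inputs still match for statistics, but without the key,
    # which stays outside the database, the token cannot be read back.
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def apply_rules(record: dict, today: str, key: bytes, rules: dict = RULES) -> dict:
    """Return a copy of the record with every rule whose retention period
    (counted from last_order, ISO dates) has elapsed applied to it."""
    age_days = (date.fromisoformat(today) - date.fromisoformat(record["last_order"])).days
    out = dict(record)
    for field, (action, days) in rules.items():
        if action == "keep" or field not in out or age_days < days:
            continue
        if action == "pseudonymize":
            out[field] = pseudonymize(str(out[field]), key)
        elif action == "delete":
            out[field] = None   # blanked here; a real job also purges backups and logs
    return out

# Constructed sample records for the "Whatever Webshop" of STEP7 a).
SAMPLE = [
    {"email": "anna@example.org", "name": "Anna", "gender": "f", "age": 34,
     "address": "1 Example St", "last_order": "2024-01-10"},
    {"email": "ben@example.org", "name": "Ben", "gender": "m", "age": 51,
     "address": "2 Example St", "last_order": "2024-05-20"},
]

if __name__ == "__main__":
    demo_key = b"demo-key-kept-outside-the-database"   # constructed demo secret
    for rec in SAMPLE:
        print(apply_rules(rec, "2024-06-01", demo_key))
```

Pseudonymized data is still personal data under the GDPR as long as someone holds the key; only deletion takes a data element out of scope.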
SET UP d) OPTIONAL — FOR THE ADVANCED WARRIORS, BUT WE STRONGLY ADVISE YOU TO WRITE ONE AND WRITE PROPERLY. Write a Data protection and handling policy and publish it
You can find tons of examples for it on the internet. Get. It. Written. It takes maybe 2 hours.
OK if you are a Fortune500 business, maybe 2 months.
Then publish it. You know: if you swim across the ocean and you do not tell anyone….
SET UP e) Write a Business Continuity Plan and get it accepted by those involved: what to do if s#>*t happens
Have a nice 2 page Business Continuity Plan. Again, there are lots of such sample plans on the internet. Include at least:
- Impact assessment: name a group of people who decide the severity of any data breach happening.
- Reporting to the authority in your country: if the breach involves personal data — report on it.
- Notifications: whom to call and when: a simple table that contains phone numbers of all your important technology vendors including your internet service provider
SET UP f) Training
Have at least a short training where you go through at least these with your people:
- GDPR basics — in this article
- Business Continuity Plan
- Data Protection and Handling Policy
Document this training on a piece of paper.
SET UP g) Data protection by design and by default
If you build any system there MUST be a way to:
- identify personal data (tag data that “yes, it is personal”)
- encrypt and / or delete and / or pseudonymize personal data
Again, ask your IT guys to prove it. If you design a new system from scratch, be sure to include these criteria. If you change any existing system you have to check if it complies with these rules. If not, build them in.
SET UP h) Build an incident registry, log and start to use it
Be it a ticketing system or a Google sheet.
Choose a system that assigns a time-stamp and a unique ID to each incident. Without these one may think that you just forged your records should an incident occur. So if you think about it, a Google Sheet or Excel will not do.
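To show why a time-stamp and a unique ID matter, here is an added example (not the article’s code) of a minimal append-only incident registry: each entry carries a sequential ID, a timestamp and the hash of the previous entry, so a later edit to any old record breaks the chain. The sample incidents are constructed.

```python
# Added example (not the article's code): an append-only incident registry where
# every entry carries a sequential ID, a timestamp and the hash of the previous
# entry, so a later edit to any old record is detectable. Sample entries are
# constructed; the registry itself is an illustration of the requirement above.
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # previous-hash value of the very first entry

class IncidentRegistry:
    def __init__(self) -> None:
        self.entries: list = []

    @staticmethod
    def _digest(entry: dict) -> str:
        # Hash everything except the entry's own hash, in a canonical key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def add(self, description: str, reported_by: str, when: str = "") -> dict:
        """Append an incident; `when` (ISO 8601) defaults to the current UTC time."""
        entry = {
            "id": len(self.entries) + 1,                 # unique, gap-free ID
            "timestamp": when or datetime.now(timezone.utc).isoformat(),
            "description": description,
            "reported_by": reported_by,
            "prev_hash": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True only if IDs are sequential and every hash link still holds."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            if e["id"] != i or e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

if __name__ == "__main__":
    reg = IncidentRegistry()
    reg.add("Laptop with customer list lost", "Adam", "2024-06-01T09:00:00+00:00")
    reg.add("Phishing mail clicked by staff", "Eve", "2024-06-02T10:15:00+00:00")
    print(reg.verify())                      # True
    reg.entries[0]["description"] = "nothing happened"   # a forged record
    print(reg.verify())                      # False
```

The chain only proves tampering to someone who has recorded an earlier tail hash, so write the latest hash somewhere outside the registry; a ticketing system that assigns IDs and timestamps you cannot edit is the simpler route recommended above.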
STEP8: SET UP DATA LIFECYCLE MANAGEMENT
Oh my God! This sounds complicated, right? It is not.
Set up 3 processes:
- Ask for explicit consent in any case where there is no contract and no legal obligation for you to handle personal data. Practically it means a check-box and, next to the check-box, a link to your Data protection and handling policy in every place where you ask for personal data.
- Add your Data protection and handling policy link to your website to a visible place. Do not hide it. Be proud of it.
- Allow people to get removed. Show an e-mail address in your Data protection and handling policy that is to receive removal, information etc. requests. Removal is the most important one: when someone is pissed off with you s/he will ask for it. If s/he cannot find out how to, s/he will report you to the authority.
- Additional stuff you may want to include: rules for data change, request for information.
Add these processes to your Data protection and handling policy.
Yes, there are plenty of other things. And it can become complex.
But: if you have not done these, above, yet, you can do all of them in a few hours. Keep your lawyer and your IT guys on the line while doing it. They will help.
Do not accept advice from anyone who
- Says that s/he can make you 100% GDPR compliant. The rules are still not 100% clear and there is no 100% compliance. As there is no 100% certain contraceptive.
- Asks for an irrationally large sum of money to ensure compliance, just to identify steps YOU have to execute anyway. If you think so, hire someone. Why not. But do not spend all the money you have this year for development or information technology. There are much better projects with better return on investment than ensuring GDPR compliance.
- Says that you do not have to do anything. It is very unlikely that with “do nothing” you will be OK. Unless you are the NSA. Or the CIA. Or NASA. Or…
ABOUT THE AUTHORS
We have 3 businesses, 2 out of these 3 have something to do with privacy:
10xONE: http://www.10xone.com/ an all-in-one cloud business software that has been ISO27001 certified for a long time, as we considered data safety and security to be a primary issue from the start. We never said it is 100% bulletproof, but we do what we can. Even more.
SecretCube: http://www.secretcube.com/, this is an on-premise (in your home or office) all-in-one, easy to set up and use file storage box that is encrypted by default and safe: everything is duplicated on it. You can even have secret boxes for each user on the cube.
iAGE: working on information technology system change and modernization for more than a decade. Well. This is the only business of ours that is not significantly concerned with privacy.
We are happy to help you. Drop us a mail at firstname.lastname@example.org or email@example.com