EU General Data Protection Regulation: What Really Matters
On May 25, 2018, the new EU General Data Protection Regulation (GDPR) takes effect throughout the European Union. Data protection therefore gets more media attention today than ever before. But what really matters when it comes to implementation? And what is the approach of Intact, a software solution provider? Here you can find out more.
It’s All about Personal Data
The GDPR affects only data that can be related, alone or in combination with other data, to a natural person and that can be used to identify that person directly or indirectly. A personal reference can also exist when several pieces of information only make a particular person identifiable in combination. Thus, the data record "male; age 45; 1234 Vienna, Hauptstraße 10a" can, in combination, be personal data if there is only one male resident aged 45 at the given address.
If the personal reference of data is removed permanently and irretrievably, the data is no longer covered by the GDPR. Furthermore, the GDPR does not apply to legal persons (companies). However, since a company always involves natural persons (owners, employees, contact persons, ...), it is best not to treat the two cases differently.
The Three Roles in the GDPR
Before we look at the different aspects of the GDPR in detail, we have to clarify the terms used therein. Particularly relevant are the following three roles, which are distinguished in the GDPR.
The Data Subject is the person whose data is processed (e.g., stored). This can be a website user, a customer, or an employee.
The Data Controller is the entity that determines the purposes, conditions and means of the processing of personal data. This can be a service provider such as a certification body or an employer.
The Data Processor is an entity that processes personal data on behalf of the data controller, for example for data analysis, data preparation, or similar purposes. The important thing is: the data processor must not use the data for its own purposes.
The Right to Erasure – What You Need to Know
The public's reception of the GDPR concentrates almost exclusively on the data subject's rights in general and the 'Right to Erasure' in particular. Most often, we hear people saying that any natural person has the right to ask any company to erase all data stored about them. But is that really true? Many of our customers were unsure about this, and so were we. How could we possibly fulfill our tasks and meet our requirements if we were no longer allowed to store customer data?
Here we can say with certainty: it is allowed to store data as far as this data is absolutely necessary for the performance of a contract to which the data subject is party. This applies, for example, to an employment contract between employee and employer, or to the inspection or certification contract between a customer and a certification body. In this case, a consent statement is not required. However, the data subject still has to be informed, amongst other things, about which data is processed by whom, why, and for how long.
So, when do you need to delete data? There is no need to delete data during the contract period, provided that the data is required for the performance of the contract. Even after the end of the contract, business-relevant documents, correspondence, and accounting-relevant documents must be stored for another seven years. After that, you have to delete them. If there is a risk of litigation, the data should even be stored for a total of 30 years after the end of the contract. As an alternative to deleting the data, it can also be permanently and irretrievably anonymized. Then the GDPR is no longer applicable.
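The "personal reference" point from the first section and the anonymization alternative just mentioned both hinge on the same question: does the combination of attributes in a record still single out one person? The following is an added example, not Intact's or Ecert's code. It uses a constructed sample population and assumes a simplified criterion for "permanently anonymized": after generalization, every record must share its attribute combination with at least one other record (a group size k of at least 2). Real anonymization assessments need a legal and statistical review beyond this check.

```python
"""
Added example (not part of the original article): checks whether a record's
quasi-identifiers (sex, age, address) single out one person in a population,
and shows how generalization removes the personal reference. The population
below is constructed sample data; no real persons are described.
"""
from collections import Counter


# Constructed sample population as (sex, age, address) tuples.
POPULATION = [
    ("male", 45, "1234 Vienna, Hauptstraße 10a"),
    ("female", 45, "1234 Vienna, Hauptstraße 10a"),
    ("male", 47, "1234 Vienna, Hauptstraße 10a"),
    ("male", 45, "1234 Vienna, Hauptstraße 12"),
    ("male", 44, "1234 Vienna, Hauptstraße 12"),
]


def age_band(age, width=10):
    """Generalize an exact age to a band such as '40-49'."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def postcode(address):
    """Keep only the postcode of an address (assumes it is the first token)."""
    return address.split()[0]


def generalize(record):
    """Coarsen a record: exact age -> age band, street address -> postcode."""
    sex, age, address = record
    return (sex, age_band(age), postcode(address))


def group_sizes(population, key=lambda r: r):
    """Count how many records share each attribute combination under `key`."""
    return Counter(key(r) for r in population)


def is_personal_data(record, population, key=lambda r: r):
    """A record still identifies a person if its attribute combination
    matches exactly one individual in the population (k == 1)."""
    return group_sizes(population, key)[key(record)] == 1


def min_group_size(population, key=lambda r: r):
    """Smallest group any record falls into. k >= 2 means no record is unique,
    which is the (simplified) anonymization criterion assumed here."""
    return min(group_sizes(population, key).values())


if __name__ == "__main__":
    record = ("male", 45, "1234 Vienna, Hauptstraße 10a")
    print("exact record is personal data:", is_personal_data(record, POPULATION))
    print("generalized record is personal data:",
          is_personal_data(record, POPULATION, key=generalize))
    # Generalization alone is not enough: another record may stay unique.
    print("smallest group after generalization:", min_group_size(POPULATION, key=generalize))
    # Dropping sex as well makes every record share its combination with others.
    without_sex = lambda r: (age_band(r[1]), postcode(r[2]))
    print("smallest group without sex:", min_group_size(POPULATION, key=without_sex))
```

The point to take from the run is that coarsening the male record makes it blend into a group of four, but the lone female record in the constructed population remains unique, so the data set as a whole is still personal data until a further attribute is dropped. Anonymization has to be checked per record over the whole data set, not per field.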
Start with the Contracts
More important than dealing with the right to erasure is, in our opinion, the adaptation of all contracts to the new provisions. Above all, it is crucial to know to whom data is transferred (data transfer and data dissemination).
It is crucial that every company is clear about all of its data transfers and data transmissions. According to the GDPR, it is even mandatory to keep a record of processing activities. Once you have set up this record, you will have a good overview of all data streams from and to your company. With this you are also able to efficiently meet the principle of transparency and the duties to provide information to the data subject. It is furthermore mandatory to have contracts with all data processors that ensure the requirements of the GDPR are met. We recommend that our customers work out these contracts in cooperation with their legal counsel and have them signed by all data processors by May 25, 2018.
Let's take Intact GmbH as an example: We will conclude these contracts with all freelance employees as well as with our service providers (data processors), such as our advertising agency or the creator of our website. Wherever Intact acts as a data processor, our customers are responsible for setting up a contract regarding all data we process on their behalf. However, in order to support our customers in this matter, Intact is going to actively develop such an agreement and propose it to them.
As with the processing of data, a legal basis is also necessary for data dissemination; this may be a legal obligation (e.g., the transfer of data to the tax office or social security) or the need to fulfill a contract. If no other legal basis applies, consent declarations from the data subject are necessary. These must be drafted with the lawyer and signed by the data subject.
Continue with the Processes
Self-responsibility is a guiding principle of the GDPR. Thus, it is the data controller's own responsibility to maintain the record of processing activities and to report to the data protection authorities in case of data loss. For these and other matters, processes have to be defined and put into effect. Intact strives for certification according to ISO/IEC 27001, in which all relevant and necessary processes are obligatory. However, the effort required to obtain it is very high and therefore only worthwhile for specialized software development companies or IT hosting providers. With a certification according to ISO/IEC 9001 you are also on the right path. However, it may be necessary to adapt or supplement the corresponding processes.
Last but Not Least: Technical Implementation
Let’s get back to the rights of the data subject. As a company, you must be able to meet the rights to data access, erasure, and data portability (the right to receive one’s personal data in a structured, commonly used, and machine-readable format).
Intact has therefore evaluated the requirements of the GDPR with regard to their applicability in Ecert, our solution for audit and certification management. The result: In principle, Ecert is already 100% compliant with the GDPR, and Intact's Operations Team will gladly support our customers in meeting all data subject rights. In order to improve usability and increase the customer benefit, we will of course also offer a technical implementation. Once the GDPR is established in practice and more specific requirements emerge, we will push our development efforts in that direction.
Bureaucracy Monster or a Chance for Europe?
To summarize: Yes, the new General Data Protection Regulation means more bureaucracy for companies. But it can also be seen as an opportunity: an opportunity for Europe to further expand its pioneering role in the protection of personal data and thus to remain (or become even more) interesting as a safe and attractive location. Let's make the most of it: Intact is prepared and goes this way together with its customers.
This article on the subject of the EU General Data Protection Regulation is not to be understood as legal information and in no way replaces the need for legal advice. Intact GmbH has received legal advice on the interpretation and implementation of the GDPR and summarizes here the key knowledge gained from it.