In the first part of a blog series about the General Data Protection Regulation (GDPR) we want to give a brief insight into the currently highly debated topic that concerns all data processing companies. Therefore we are providing you a checklist that sets out the key requirements to become GDPR compliant.
On the 25th of May 2018, the General Data Protection Regulation (GDPR) will become enforceable after a two-year transition period. This EU data protection regulation affects all companies that process data of European citizens and operate from or outside the EU.
These regulations have a lot of impact due to the financial penalties resulting from an infringement of the provisions. The administrative fines are up to 20.000.000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover, whichever is higher.
Therefore we’re making huge efforts to deploy state of the art technology and always put privacy first. In accordance with the new GDPR we aim to use privacy by design, which means that data protection, as well as privacy, are deeply considered when developing new technical assets. One example is the implementation of a flexible permission modeling system within the core of our system. This allows granular configurations in terms of “who is allowed to see which messages?” and other conversational details.
More insights on how we at Mesaic meet the GDPR requirements in Part 2 of this series. It’s coming soon so stay tuned.
The implementation of technical and organizational steps requires attention. The compliance in terms of data protection law must be ensured and the fulfillment of this obligation must be proven. You are also required to secure the rights of data subjects by taking into account the state of the art. Even though this should have been considered before, now it is essential to avoid financial penalties.
Furthermore, most companies are required to designate a data protection officer who may be a staff member or a contractor. In either case, it must be ensured that there is no conflict of interests resulting from other tasks and duties. Therefore it might be useful for a contractor to take ownership of the data protection topic.
A record of processing activities must be maintained at all times. Each business has to take inventory of data processing activities under their responsibility. This includes e.g. the purposes of the processing, a description of data subjects, personal data and where possible, a general description of the technical and organizational security measures. An implementable example can be found at Bitcom. If the processing of data is likely to result in a high risk to the rights and freedoms of natural persons, in addition, a data protection impact assessment (settled in article 35 of the GDPR) must be carried out prior to the processing.
The rights of the data subjects which include the rights of access, rectification, and erasure (right to be forgotten) by the data subject were strengthened. Additionally, the data subject has the right to receive all personal data concerning him or her (right to data portability). This data must be provided in a structured and machine-readable format. If the data subject wishes, this personal data should be directly transmitted to other controllers if technically feasible.
In the case of a personal data breach the supervisory authority must be notified. This shall be done not later than 72 hours after having become aware of it. The notification contains the type of data as well as the approximate number of data subjects and personal data records concerned. Additionally the personal data breach must be communicated to the data subject.
Next to the requirements directly resulting from the GDPR, there are some guidelines recommended to follow to minimize the risk of personal data breach:
One of the basic actions to carry out is the upgrade of outdated operating systems due to the recommended avoidance of the usage of Windows XP for computers. In addition, it must be ensured that other security software like virus scanners, spoofing- and spam filters are not only installed but also up to date.
Furthermore, all mobile devices should be encrypted. This does not only include Notebooks and Smartphones, but also USB sticks. This could prevent a data leak even if the devices get lost. In the case a mobile device dropped away, do not forget to notify supervisory authority about the potential personal data breach as mentioned above. This must also be done if a mail account of your staff was hacked. In this case, personal data could not only be read but also used to communicate to your contacts in your name.
Another essential component is the security of passwords. They should have a certain amount of complexity regarding the length and type of characters. Also beneficial is a regular change. To make sure every password is unique and not used for different services a password manager should be used. In case a password has leaked there is an additional security step which could help. Two Factor Authentication (2FA) requires not only a password but also something that only that user knows. This could be an app-generated code, a code from a text message or some other piece of information.
When sourcing out services you are obliged to enter into a data processing agreement. This agreement should answer questions regarding the location where data is stored, in which period of time a data breach must be reported, when data will be deleted after the contract ends, how and in which scope the contractor can be audited and many more. Also, it should define if the data can be processed by other subcontractors. This is not only meaningful in accordance to the requirements following the GDPR.
The last but probably the most crucial part is to share this with your team. Not only with your data protection officer, but with everyone. They are all affected and need to understand why and how this security guideline can be applied. This can be done by in-house training and workshops or by using some e-learning platforms.
How do we promote awareness at Mesaic for these new data regulations? Within internal presentations on a regular basis as well as the implementation of the latest GDPR guidelines into our onboarding process for new team members topics such as Two-Factor-Authentication, shared Passwords etc. will be discussed.
Though the new regulations may sound as if they could block some business models, they really don't. Because there are new and more privacy requirements which must be met it might get a little harder to implement new technologies, but it is certainly still possible.
Don't miss the next part of our blog series in which we will show how GDPR and messaging services are directly or indirectly related, what we at Mesaic are considering and which necessary steps we are taking.