I, like most other company directors, understand that data protection laws and terminology can be very confusing – e.g. General Data Protection Regulation (GDPR), Data Protection Officers (DPOs), ePrivacy, privacy by design, etc. Most company directors just want to know, in simple terms, what they need to do to keep their customers and staff happy and stay on the right side of the law. Particularly for the latter, the consequences of not staying on the right side of the law can be severe. Fines, customer complaints, bad media publicity and reputational damage are just some of the negative impacts of getting data protection wrong.
If this sounds familiar, then look no further. This article can be used as a refresher on some practical steps all directors should have in place to ensure your company is compliant with GDPR and other data protection laws.
Educate Yourself on the GDPR Principles
First things first, here is a reminder of the GDPR principles. These principles form the building blocks of the GDPR regime, which is fast becoming the standard in the global data protection landscape.
The GDPR lays out seven key principles:
- Lawfulness, Fairness and Transparency: Personal data should be processed lawfully, fairly and in a way that is transparent to the individual.
- Purpose Limitation: The purpose(s) for which data is collected should be explicit and legitimate.
- Data Minimisation: The data collected should be relevant, adequate and limited only to what is necessary.
- Accuracy: The data collected on an individual should be accurate and, where necessary, kept up to date.
- Storage Limitation: The period that personal data is stored should be limited only to what is necessary.
- Integrity and Confidentiality (security): The data collected should have appropriate security of access and confidentiality. This means that techniques such as encryption should be used where appropriate.
- Accountability: Take accountability for demonstrating your company’s compliance with the principles above.
The GDPR principles don’t give hard and fast rules but they embody the spirit of GDPR and data protection. When building a data protection programme, these concepts should be referred to for best practices. Being aware of them and what they mean is important in your role as a director. If you understand them properly, you should have a good sense of ‘right and wrong’ in the world of data protection.
Know the Difference Between Data Privacy and Data Security
‘Data Privacy’ and ‘Data Security’ both come within the scope of data protection, but the two terms are often used interchangeably. It is important to be aware of the difference between them, as the responsibilities for each are notably different.
What is Data Privacy?
Data Privacy is concerned with proper handling, processing, storage and usage of personal data. It is all about the rights of individuals with respect to their personal data.
What is Data Security?
Data security is focused on protecting personal data from any unauthorised third-party access or malicious attacks and exploitation of data. Data security ensures the integrity of the data, meaning data is accurate, reliable, and available to authorised parties.
Know Your Company’s Legal Ground(s) for Processing Data
The lawful bases for processing personal data are set out in Article 6 of the GDPR. At least one must apply whenever you process personal data of your staff or customers:
- Consent: The processing is based on consent you have obtained from the individual. Consent must be freely given, clearly distinguishable from other matters and simple to withdraw at any time.
- Contract: The processing is necessary for a contract you have with the individual.
- Legal obligation: The processing is necessary for you to comply with the law.
- Vital Interests: The processing is necessary to protect someone’s life.
- Public Task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate Interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Failure to have an appropriate legal basis for processing personal data is one of the most common reasons for authorities to issue fines. So you need to get a handle on the types of personal data your company is processing and be confident you can rely on one or more legal bases for processing it.
A practical way to do this is to simply list out all the applications your company uses (e.g. AWS, Google G Suite, Salesforce, HubSpot, Mailchimp, Stripe, etc.) and check the types of personal data held in each. You should then ask simple questions like, “Why do we process this data?” and “Do we actually need it?”
Whilst your website only forms a small part of your overall data protection compliance approach, it is a very important one, usually serving as the first point of contact with your customers. It is important therefore that you establish a strong foundation of compliance on your website, making it easier to build your overall compliance programme.
This robust foundation should be formed of three key parts:
- Cookies Compliance: This should be formed of a cookies policy and a cookie consent tool.
- Data Subject Rights: Ensure you have mechanisms in place for your customers to exercise their data privacy rights.
Appoint Someone to Manage Data Protection
Arguably the most difficult task with data protection is staying up to date with the complex and constantly evolving landscape of data protection laws. For example, if your company is doing regular business with the UK, you may need to know what impact Brexit has on your data protection practices (see here for further information on Brexit and its impact on GDPR).
As a director, you are likely to have numerous other responsibilities and burning priorities in the daily running of your business. Because of this, data protection can often move down the priority list or become an afterthought until a significant event triggers some urgency (e.g. a data access request, a customer complaint, a due diligence process to win a large contract or an enforcement letter from the Data Protection Commission).
The most practical way of staying on top of data protection matters is to appoint someone (internally or externally) to manage data protection for your business. Naturally, not all businesses have the budget to employ a data protection officer full-time or pay thousands of euro to external consultants.
If your company is a small or medium-sized business, there is a high likelihood that any internal resource you appoint to look after data protection will also wear ‘other hats’ and be responsible for other areas of your business. In this instance, the best approach is to purchase a product that removes a lot of the heavy lifting for data protection and automates your obligations around policies, cookies consent, access requests, etc. Another benefit of this approach is that the product itself will stay up to date with data protection laws, which will alleviate the burden of this for your company.
Hopefully, this guide has provided a refresher overview of some key areas of your company’s data protection practices. All great customer relationships are built on trust, and we believe that having a robust data protection programme is the ideal way to show users that you respect them and take their wellbeing seriously.
Similarly, the pressure of complying with data protection laws is always increasing and authorities are regularly receiving increased funding to promote enforcement (e.g. the Irish Data Protection Commission is regularly receiving additional funding to support enforcement). So, it is never too late to enhance your data protection practices and now is as good a time as ever to give this area of your business the attention it deserves.
If you found this article helpful or would like to understand how Dataships products and services can help your company automate its data protection obligations, please reach out to Ian Madigan in Dataships at firstname.lastname@example.org to discuss in more detail.