On May 25, 2018, the new EU data regulation (GDPR) will be effective for all companies operating in any EU member state. The impact is already massive. Every company must be ready to capture consent, transfer customer and employee data to third parties and be able to prove that they manage personal data effectively. This GDPR guide will teach you how to get your processes ready for this.
The main impact comes from the fact that the GDPR shifts the burden of proof to the company. What does this mean in practice? Imagine that you’re driving on a country road. All of a sudden, a policeman pulls you over. Now, he asks you to prove that you didn’t drive faster than you should have during all of last year! This may sound absurd, but with the new EU regulation this is what we all need to do. You need to demonstrate that you follow the rules. It’s not up to the regulatory authorities to prove that you are in compliance! As a result, the burden of proof is on your organisation. Fortunately, this GDPR guide will cover everything you need to know.
GDPR will have a large impact on organisations that have not described their processes and have not documented how they follow those processes. If they can’t, they risk fines of up to €20 million or 4% of their annual turnover, whichever is higher. In addition, regulatory authorities may even forbid violators from managing any personal data. So, this is clearly a risk that you must manage. The question is how? I wrote this guide to prepare our own activities and thought it would be worth sharing.
This GDPR guide seeks to answer the five questions that I found myself asking when Gluu first started getting ready for this:
Checklists for the six main GDPR requirements
1. Obtain lawful consent from each individual
2. Document all personal data related processes
3. Report on personal data breaches
4. Risk analysis
5. Privacy-by-design
6. Portability
How do you start?
Analyse our current state
Map any missing processes
Analyse and close gaps in relation to GDPR requirements
Prepare control system
Prepare operations
First to some basics.
The GDPR covers all personal data. Personal data is any information held about individuals, everything from the IP address of a consumer to the address details of an employee. The EU regulatory site states it like this:
“Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
So as you can see the scope varies with your business model. In our case, we’re selling an online platform to businesses, so we have no personal data on private individuals. To decide on where to start, we made the following priority list:
These priorities helped us to decide which processes to look at first.
The regulation differentiates between the parties that are responsible for the data and the ones that are merely storing and/or processing it.
“A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.” – EU regulatory site
In our case, we’re our own data controller for our own employees and for sales and marketing data related to specific individuals in our CRM system. In relation to the data on our platform, we’re a data processor and our actions are governed by Data Processor Agreements that we have with customers.
With the scope clear, we needed to understand the work ahead of us. At Gluu we already have to comply with quality and development requirements, so in that sense the GDPR is just another compliance area to add to our management system. However, this management system lives within our own Gluu platform, which already states how we operate (process hierarchy, diagrams and work instructions) and measures that we comply (through automatic tasks and change recording).
To a normal management system (that may cover health and safety, quality and security) the GDPR adds the requirement that your organisation must:
In other words, you must have all necessary processes in place and be able to prove that you follow them.
| Your situation | Your task ahead |
|---|---|
| No documented processes and no “process culture” at all | Start by making a process hierarchy where you focus on the processes that are likely to involve or impact personal data. |
| An outdated quality management system with processes described in Word documents | Migrate and validate your processes to a format where you can easily involve all the necessary colleagues in discussing each activity. |
| A fully operational “process-driven” management system with broad ownership and a good “process culture” | Go through all processes and mark any activities that may impact personal data. Revise your processes and activities in accordance with GDPR. Add any missing processes. |
At Gluu we’re genuine “process-nerds” and we, therefore, found ourselves in the last group. However, the task has still been significant.
From a conference with the Danish law firm DAHL and from reading white papers and checklists from international law firms, I made this list of the six main requirements facing us:
Each requirement is explained further below. I have also shared our own internal checklists that were made from recommendations found on the EU GDPR site and various law firms recommended there.
You may no longer be able to use a long “terms and conditions” document where each individual ticks a box to confirm that he or she has read it. The EU GDPR site states it like this:
“Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data – in this context, nothing short of “opt-in” will suffice. However, for non-sensitive data, “unambiguous” consent will suffice.”
“If your data treatment could impact the security of personal data – and this is collected systematically – then you need to document all data treatment activities.” I read this as the need to ensure proper documentation of many processes within Marketing, Product Management, HRM and IT Operations.
This is the checklist that we created – split into our responsibilities as Data Controller and Data Manager:
The Data Controller must ensure that the right technical and organisational tools and processes are in place to ensure that personal data is handled in accordance with the regulation. This includes safeguarding and protecting personal data.
Importantly, the data responsible party must be able to provide proof that data is treated in accordance with the regulation.
For Gluu this means that when we act as Data Processors on behalf of our customers, then we must ensure that they can meet this requirement fully and with ease – for any data stored on the Gluu platform.
Specifically, this is important when it comes to information security. Article 33 covers the requirement that all security breaches that affect the security of personal data must be documented.
Report to the regulatory authority within 72 hours after the breach is known to the data responsible.
Ongoing risk assessment is important to comply with GDPR.
It is of utmost importance that you complete a risk analysis when considering implementing new technologies that could impact the security of personal data. Screening and “what-if” questions are one example of how to assess the risk of a new technology.
Data controllers must ensure that systems and processes are designed with privacy in mind, so that GDPR requirements are built into them.
Article 20 states that the registered individual has a right to receive the data that he/she has given to the data responsible. Give this information in a structured and common, machine-readable format, for easy data transfer to other organisations.
Now you have outlined all of your requirements and listed their checkpoints. The next step in our GDPR guide is to look at how and where you start.
With our above checklists as the starting points we identified the following main tasks:
Before we started, we analysed our maturity in relation to personal data and processes. This helped to clarify where to focus and gave us a starting point for the work. We used the Danish government tool “Privacy Compass” to do this gap analysis.
We identified and mapped the remaining data privacy-related processes. This mapping included the affected data flows and IT systems.
We filled in a data form for each activity (in each process) that involves personal data. This step allowed us to identify gaps against the requirements and to close them.
We prepared a GDPR control system in Gluu for our users’ personal data. To do this, we set up recurring tasks to ensure that we follow up correctly. In addition, we document the follow-ups for simple and easy reporting.
Finally, we ran some tests to ensure that we could report properly. For instance, if there was a data breach, could we show exactly which activities involved personal data and were affected by it?
The ISO 29134 standard
The ISO 27001 standard
The penalties for non-compliance with GDPR can be quite severe. Businesses that violate its terms can face fines up to €20 million or 4% of the company’s global annual turnover, whichever is higher. The enforcement of these penalties is carried out by the data protection authorities within each EU country, who are diligent in ensuring that businesses are in compliance with the regulation. In fact, since the introduction of GDPR, there have been numerous high-profile cases of non-compliance leading to significant fines. Therefore, compliance should be taken seriously.
Even though GDPR originated as an EU regulation, it holds global significance. Any business that processes personal data of EU residents must comply with GDPR, regardless of its location. Any business located outside the European Union must adhere to GDPR if it collects, stores, or transacts with personal data that belongs to EU residents. If a business engages in large-scale data processing, it must also appoint a representative within the EU. This representation guarantees that data protection authorities and individuals can communicate their concerns or requests directly.
To enhance transparency with their customers in line with GDPR, businesses can adopt various practical measures. First, they can revise their privacy policies to make the language more understandable. Second, businesses should incorporate data protection considerations in all phases of their projects. Offering customers the ability to access, modify, or download their data is another important step. Also, customers should be promptly notified about any data breaches. Lastly, appointing a Data Protection Officer can help to provide a clear communication channel for customers who have queries or concerns about data processing activities.