Wednesday, May 9, 2018

GDPR Self-Assessment Checklist for Controllers

This article is intended for most of my US/international clients that are small e-commerce businesses that do not want to shut off their EU clients completely b/c of GDPR, massive intimidating e-privacy regulations about to come in effect in EU. Clients that only collect limited amount of non-sensitive info (no health, children, criminal info, life and death situations, etc.) from EU residents. Clients that have read about scary exorbitant fines and hundreds of pages that are basically synonyms of “be adequate,” “be reasonable,” “risk mitigation must be proportionate to the level of [undefined] threat” but without much concrete guidance.

Here is some guidance. Do not be scared. Be informed as to where you stand in the GDPR compliance. Then, make an informed decision as to whether GDPR compliance is worth the extra legal costs/efforts, or you're better off investing in software that automatically blocks EU users altogether. For many such small businesses that are still not sure, I have abridged the Information Commissioner Office’s basic requirements below.

Specifically, I have boiled down the basic issues you have to address. That does not mean that you have to write volumes of convoluted policies about every little aspect of the points below. The exact opposite is true. GDPR requires you to be concise, even though the EU regulators have themselves written hundreds of pages about the synonyms of the words like “concise,” “reasonable,” and “adequate” without offering much of concrete guidance. GDPR is untested but it does require you to think about, and have answers to, the following issues. The answers do not have to be as voluminous and convoluted as what the regulators have written themselves but, if you want any EU customers/subscribers, you do have to have the “concise, easy to understand” answers to the following questions.

The ICO’s compliance self-assessment questionnaire is broken down into four parts: 1) Lawful/Fair Basis; 2) Users’ Rights; 3) Accountability; and 4) Data Security & International Transfers. Take a look at the basic summary of those four parts.

Part 1: Lawful/Fair Basis for Collecting Personal Info

Have you mapped out data flows? Anybody with good understanding of your business should be able to answer where do you get the EU data from, where is it going to, for what purposes and on what legal grounds.  Mapping out your EU data flow will enable you to predict any legal/security risks.

Document your findings. If you have less than 250 employees, you only need to keep these records for processing activities that: * are not occasional; * could result in a risk to the rights and freedoms of individuals; or * involve the processing of special categories of data or criminal conviction and offence data.

Can you show documented lawful bases for processing EU personal data? There are six lawful bases: (a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. (b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. (c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). (d) Vital interests: the processing is necessary to protect someone’s life. (e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. (f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

For most of my clients (my primary focus in this article), point (b) will give you a lawful basis for processing. E.g, you run a SaaS platform, or you sell to customers some of whom are in the EU, and you need their names and payment details in order to fulfill their subscriptions/orders. Processing their names and payment details for the purposes of fulfillment of their orders gives you lawful basis under GDPR. So, you can move on to reading the next sections.

How do you handle consent, if you need one?  EU standard for consent is much higher than that in the US but the good news is that you do not need EU consent if you have lawful basis described in the paragraph above. If you do not have lawful bases described above, then you will need EU users’ (reaffirmed) unambiguous consent to the exact specific usages of their private info. Not pre-ticked opt-in boxes, not some provisions buried in your Privacy Policy along the lines of “your visits to our Platform constitute your agreement to using your personal info for marketing purposes, advertising and sharing it with our affiliates.” No. Under GDPR, if you use EU residents’ personal info for such, and similar, extended purposes, then the privacy notice has to be in their faces with things like an un-ticked box, not any pre-selected options to opt-in. Keep records of what an individual has consented to.

Do you have systems to record and manage ongoing consent? Most of my US clients don’t need consent but, in case you do, keep in mind that your obligations don’t end when you first get consent. You should continue to review consent as part of your ongoing relationship with individuals. Renew consent if anything changes. If your consent does not meet the high GDPR standards, then you’ll need to renew it. That’s why you’ve been receiving numerous notices from various of your online subscriptions reaffirming their “commitment” to your privacy.

Part 2: Users’ GDPR Rights

You have to provide GDPR-specific privacy information to individuals in the EU. I have covered a way to do it in the previous post about GDRP-compliant Privacy Policy.

Part 3: Accountability

Do you have an “appropriate” data protection policy? “Appropriate” means it is commensurate to the risks involved. For most of my clients, who do not deal with large volumes of high-risk EU information, that means they do not have to have large volumes of data protection policies. However, monitor your compliance with data protection principles, security protocols and policies. That’s common sense in the US and the EU.

Are your processor contracts adequate? If you use third party (e.g. PayPal) to process EU users’ personal info, you are still liable for what happens to that info. To protect yourself, you need to have a contract that provides “sufficient guarantees” to protect EU users’ privacy right. Processors must only act on your documented instructions.

Does your management/staff understand the GDPR risks involved? At least have them read this article.

Have you conducted a Data Protection Impact Assessment (DPIA), if required? This should be a whole separate blog post but the basics of the DPIA are that you have to do it if you conduct any type of processing which is “likely to result in a high risk”. E.g., use systematic and extensive profiling with significant effects; process special category or criminal offence data on a large scale; systematically monitor publicly accessible places on a large scale; use new technologies; use profiling or special category data to decide on access to services; profile individuals on a large scale; process biometric/genetic data; match data or combine datasets from different sources; collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’); track individuals’ location or behavior; profile children or target marketing or online services at them; or process data that might endanger the individual’s physical health or safety in the event of a security breach.

Have you appointed a Data Protection Officer (DPO)? You must appoint a DPO if you:
- are a public authority (except for courts acting in the judicial capacity);
- carry out large scale regular and systematic monitoring of individuals (e.g. online behavior tracking);
- or carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
Even if you are not required to appoint a DPO, it ay be a good idea to do so. It will make you look more professional and ,besides, even if you don’t appoint an official DPO, there still has to be somebody ready to respond to regulator’s privacy-related questions anyway. The DPO should be “independent” and report to the highest management level.

Do the decision makers and key people in your business “demonstrate support for data protection legislation and promote a positive culture of data protection compliance across the business”? At the minimum, have them read this article. GDPR requires your key personnel to be aware of the requirements under the GDPR.

Part 4: Data Security & International Transfers

Do you have “appropriate security measures” in place? “Appropriate” means adequate for the level of risk and sensitivity of the information you hold. ICO states that “[t]he measures you put in place should fit your business’s needs. They don’t necessarily have to be expensive or onerous. They may even be free or already available within the IT systems you currently have. A good starting point is to establish and implement a robust Information Security policy which details your approach to information security, the technical and organisational measures that you will be implementing and the roles and responsibilities staff have in relation to keeping information secure.”

Are you aware of your obligation to inform users of personal data breaches?  You must report a notifiable breach to the ICO without undue delay, but not later than 72 hours after becoming aware of it.

International transfers. This also deserves a separate blog post but the GDPR basic requirement is that you have to ensures an adequate level of protection for any personal data processed by others on your behalf that is transferred outside the European Economic Area. You may only transfer personal data outside of the EU if you comply with the conditions for transfer set out in Chapter 5 of the GDPR.