In Part 1, I gave you a basic overview of some of the core requirements needed to get yourself up and running as a GDPR compliant eCommerce business.
In Part 2, I want to dig a bit deeper into what those organisational and technical requirements are, the legal basis for processing personal data, and how you should act in the case of a breach.
Organisational requirements
Controller:
The controller is the single most important figure in the whole Regulation. Under Art. 4(7) GDPR it is the natural or legal person (for an eCommerce business, normally the company itself) that determines the purposes and means of the processing. The controller not only bears the responsibility for any personal data breach or violation of the GDPR, but has to carry out all the tasks established in the Regulation, notably demonstrating compliance with it (the accountability principle, Art. 5(2)).
The controller, unlike the processor, decides what data shall be processed, how, and for which purpose. The processor acts only on behalf of the controller and executes the tasks that the latter has entrusted to it.
In practice, the controller role is not attached to any particular position within the company, but whoever exercises it on the company's behalf must have a high degree of decision-making power within the structure, since very important decisions will have to be made. The best idea is to vest the managing director or, even better, the management board with this power, the reason being that by doing so you provide data subjects (so users) with a more stable and reliable reference entity for the exercise of their rights (the managing director may change, but there will always be a management board).
A quick note on the controller's responsibility: the controller makes all the decisions concerning data processing, but the technical organisation can be delegated to someone else. The responsibility cannot.
Processor:
The processor is the person or entity that carries out the controller's decisions on the controller's behalf; whether to involve one at all is up to the controller. It has to be a natural or legal person separate from the controller, and it must act under a written contract that sets out the subject matter, duration and purpose of the processing and binds it to the controller's documented instructions (Art. 28). Several processors can be appointed, and an online shop typically has several (hosting, payment, e-mail delivery, analytics).
Data Protection Officer:
Art. 37 GDPR establishes that a Data Protection Officer (DPO) has to be appointed when the core activities (so activities decisive for realising the company's business strategy) consist of processing that requires regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or data relating to criminal convictions (public authorities always need one). You have to decide if your activity falls within this category; for an online shop, large-scale behavioural tracking of visitors is the typical trigger.
If you conclude that under these criteria you need a DPO, there are two options: you can either appoint one of the employees as DPO, or you can externalise the service.
The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and the ability to fulfil the tasks with which the DPO is entrusted.
Those three figures are at the core of data protection, the main characters of the film, so to speak, and their actions will determine the possible or even actual liability of the company.
Technical requirements
From the very moment that you collect the data (usually via a web form or from the data provided by the user's browser) it must be kept safe and processed safely.
My recommendation, and what the GDPR itself lists as an appropriate security measure (Art. 32(1)(a)), is that as soon as you receive any kind of personal data (remember: you must keep it to a proportionate minimum), you pseudonymise it to avoid further problems.
Pseudonymisation (Art. 4(5)) means processing the data so that it can no longer be attributed to a specific person without additional information, and keeping that additional information separately under technical and organisational measures. Encryption is one way to achieve this; a keyed hash or a token lookup table held apart from the data are others. A plain, unkeyed hash of an e-mail address or phone number is not enough, because anyone can recompute it from a list of candidates. Whatever the method, nobody should be able to identify a person from the pseudonymised data without the key or lookup table, which stays in the controller's hands with very restricted access for everyone else.
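As an added example (not code from the original post), the following Python shows the difference between a keyed pseudonym, whose key and re-identification table are held separately by the controller, and a plain unkeyed hash, which an attacker can reverse from a list of likely e-mail addresses. The record layout, the field names treated as direct identifiers and the sample customer record are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Fields that directly identify a customer (assumed record layout for this example).
DIRECT_IDENTIFIERS = ("email", "name", "phone")


def token_for(key: bytes, field: str, value: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the field name and the value.

    Mixing in the field name keeps tokens for different fields apart even if
    two fields happen to hold the same string. Same key + same input gives the
    same token, so records stay linkable for fulfilment and support.
    """
    msg = field.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymise(record: Dict, key: bytes, reident_table: Dict[str, str]) -> Dict:
    """Replace direct identifiers with tokens and record the mapping separately.

    `key` and `reident_table` (token -> original value) are the "additional
    information" of Art. 4(5) GDPR: they live apart from the pseudonymised
    data, under the controller's control and with restricted access.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        value = out.get(field)
        if value is None:
            continue
        tok = token_for(key, field, str(value))
        reident_table[tok] = str(value)
        out[field] = tok
    return out


def reidentify(record: Dict, reident_table: Dict[str, str]) -> Dict:
    """Reverse the pseudonymisation; only possible with the separate table."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        tok = out.get(field)
        if tok in reident_table:
            out[field] = reident_table[tok]
    return out


def naive_hash(value: str) -> str:
    """What NOT to do: an unkeyed hash. Anyone can recompute it."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def dictionary_attack(target: str, candidates: List[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Try plausible inputs until fn(candidate) equals the observed token."""
    for c in candidates:
        if hmac.compare_digest(fn(c), target):
            return c
    return None


def demo() -> Dict:
    """Run the scenario end to end and return the facts worth checking."""
    key = secrets.token_bytes(32)       # held by the controller only
    table: Dict[str, str] = {}          # re-identification table, kept separately
    # Constructed sample record for this example, not real customer data.
    customer = {"email": "alice@example.com", "name": "Alice Example",
                "phone": "+35722000000", "order_total": 49.90}

    pseud = pseudonymise(customer, key, table)
    restored = reidentify(pseud, table)

    # Attacker holding the pseudonymised export plus a list of likely e-mail
    # addresses, but neither the key nor the table (so guesses with a wrong key).
    guesses = ["bob@example.com", "alice@example.com", "carol@example.com"]
    wrong_key = b"attacker-guess"
    return {
        "pseudonymised": pseud,
        "restored": restored,
        "naive_hash_recovered": dictionary_attack(
            naive_hash(customer["email"]), guesses, naive_hash),
        "keyed_token_recovered": dictionary_attack(
            pseud["email"], guesses,
            lambda v: token_for(wrong_key, "email", v)),
        "other_fields_untouched": pseud["order_total"] == customer["order_total"],
    }


if __name__ == "__main__":
    result = demo()
    print("pseudonymised e-mail:", result["pseudonymised"]["email"])
    print("naive hash reversed to:", result["naive_hash_recovered"])
    print("keyed token reversed to:", result["keyed_token_recovered"])
```

The keyed token is still personal data under the GDPR (the controller can reverse it), which is exactly why the key and the table need the restricted access the text describes; only deleting both would turn the export into anonymous data.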
You also need to put in place a mechanism that lets you monitor the data flow, so that you can ensure (and, if the time comes, prove) that the data flows according to what the user was told (remember: transparency) and, most importantly, so that you detect personal data breaches in time, remediate them and hopefully avoid fines, or at least higher fines.
This mechanism should follow the data through every step of the flow (collection, storage, every system and processor that touches it, deletion) and check security compliance at each of them.
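An added example of such a mechanism (not from the original post): a small checker run over a constructed JSON-lines audit log of accesses to customer data. It flags accesses whose purpose is not among those declared to users for that role, and bulk reads by a single actor within a short window, stamping the latter with the 72-hour notification deadline counted from the moment of detection. The log format, the role-to-purpose mapping and the thresholds are assumptions for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Purposes disclosed to users in the privacy notice, per staff or system role
# (assumed mapping for this example).
DECLARED_PURPOSES = {
    "fulfilment": {"order_processing", "shipping"},
    "support": {"order_processing", "customer_support"},
    "marketing": {"newsletter"},
}
BULK_THRESHOLD = 500                    # customer records read by one actor...
BULK_WINDOW = timedelta(minutes=10)     # ...within this window is suspicious
NOTIFY_WINDOW = timedelta(hours=72)     # Art. 33: clock starts when you become aware

# Constructed sample audit log (one JSON object per line), not real data.
SAMPLE_LOG = """
{"ts": "2018-05-25T09:00:05Z", "actor": "svc-orders", "role": "fulfilment", "purpose": "shipping", "records": 3}
{"ts": "2018-05-25T09:01:10Z", "actor": "jdoe", "role": "support", "purpose": "customer_support", "records": 1}
{"ts": "2018-05-25T09:02:00Z", "actor": "mkt-bot", "role": "marketing", "purpose": "shipping", "records": 2}
{"ts": "2018-05-25T09:03:00Z", "actor": "jdoe", "role": "support", "purpose": "customer_support", "records": 450}
{"ts": "2018-05-25T09:05:00Z", "actor": "jdoe", "role": "support", "purpose": "customer_support", "records": 120}
{"ts": "2018-05-25T11:00:00Z", "actor": "jdoe", "role": "support", "purpose": "customer_support", "records": 5}
"""


def parse_log(text: str) -> List[Dict]:
    """Parse JSON lines into events with a datetime `ts`, oldest first."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def check_events(events: List[Dict]) -> List[Dict]:
    """Return findings: undeclared purposes and bulk access within the window."""
    findings: List[Dict] = []
    recent: Dict[str, List] = defaultdict(list)   # actor -> [(ts, records)]
    alerted = set()                                # one bulk alert per actor
    for e in events:
        # 1. Transparency check: is this use covered by what users were told?
        if e["purpose"] not in DECLARED_PURPOSES.get(e["role"], set()):
            findings.append({"type": "undeclared_purpose", "actor": e["actor"],
                             "ts": e["ts"], "purpose": e["purpose"]})
        # 2. Breach indicator: sliding-window record volume per actor.
        hist = [(t, n) for t, n in recent[e["actor"]] if e["ts"] - t <= BULK_WINDOW]
        hist.append((e["ts"], e["records"]))
        recent[e["actor"]] = hist
        total = sum(n for _, n in hist)
        if total >= BULK_THRESHOLD and e["actor"] not in alerted:
            alerted.add(e["actor"])
            findings.append({"type": "bulk_access", "actor": e["actor"],
                             "ts": e["ts"], "records_in_window": total,
                             "notify_by": e["ts"] + NOTIFY_WINDOW})
    return findings


if __name__ == "__main__":
    for finding in check_events(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample log the marketing bot is flagged for reading customer data for a purpose never declared to users, and the support account is flagged once its reads cross 500 records inside ten minutes; the deadline it records is the one the supervisory authority will measure you against.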
Retention policy:
The controller should determine which data will be retained (held) and for how long, and actually delete it when that period ends. Users need to be informed of this, as well as of their right to ask the controller to erase at any time the personal data which concerns them, except where the data still has to be processed for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims.
Legal basis for the processing of personal data
As a principle, personal data has to be processed lawfully, fairly and in a transparent manner in relation to the data subject (the principle of lawfulness, fairness and transparency, Art. 5(1)(a)).
This means that data processing can only take place if the data subject understands what is happening with the data provided, and the processing rests on one of the lawful bases of Art. 6 (consent is only one of them; see below).
This requires that:
● The data subject is informed about the identity of the controller
● The individual is informed appropriately about what type of processing is going to happen to the data
● The data subject is aware of the right to obtain confirmation and communication of the processing activities performed on their personal data
● The individuals are made aware of the risks, rules and safeguards related to the processing of their data
And in any case, the specific purposes for which the processing occurs should be made explicit by the time the data subject provides the data.
Data minimisation obligation:
Data minimisation (Art. 5(1)(c)) does not mean collecting as little as possible at any cost; it means the data must be adequate, relevant and limited to what is necessary for the purposes for which it is processed. There are two key concepts here.
Privacy by Design and Privacy by Default:
- Privacy by Design provides that data systems have to be designed to keep data protection to a maximum, from the first design decision onwards rather than bolted on later.
- Privacy by Default states that data systems should be configured so that no unnecessary data is requested from the data subject (so the company avoids holding too much data that may cause trouble in the future).
Lawful basis for processing personal data:
They are enshrined in Art. 6 GDPR. In essence, you can only process user data if at least one of the following applies:
- The data subject has given consent to the processing of the personal data for one or more specific purposes.
- Processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
In practice, you need at least one of them for each purpose, and for the service that your company provides the first two (together with the legal-obligation basis for things like invoicing and tax records) will cover almost everything.
Pick one basis per purpose and state it in your privacy notice. Processing that is needed to deliver what the user ordered (taking the order, payment, shipping) rests on the contract (Terms of Use), so you do not need separate consent for it. Consent is the right basis for optional processing such as marketing e-mails; it has to be a clear affirmative act for a specific purpose, and the user must be able to withdraw it as easily as it was given.
Personal data breach notification procedure
What is a personal data breach?
A personal data breach is any breach of security that leads to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, regardless of whether it was accidental or unlawful.
It’s an objective circumstance, so it does not require an element of negligence in order to fall under the scope of the GDPR.
What should you do if you notice that there has been a personal data breach?
The GDPR (Art. 33) says that the controller must notify the supervisory authority, subject to requirements on the content of the notification and on the moment in time at which you (the controller) must do so; a processor that becomes aware of a breach must notify the controller without undue delay. In addition, if certain criteria are met, you must also notify the data subjects (Art. 34).
Notification to the supervisory authority:
Unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, the notification must contain at least the following, with as much detail as possible; if it is not possible to provide the supervisory authority with all the information at once, it may be provided in phases without undue further delay.
● Description of the nature of the personal data breach, including the categories (types of data: name, phone number, e-mail, ...) and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned.
● Description of the likely consequences of the data breach
● Description of the measures taken or proposed by the controller to address the breach and mitigate its effects
● Name and contact details of the data protection officer or other contact point
It is very important that when a personal data breach occurs you document all the facts, effects and remediation steps, whether or not you end up notifying: Art. 33(5) requires this record, and the supervisory authority will ask for it.
Time requirements:
The GDPR establishes that the controller must notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of the breach. If the notification is made after 72 hours, it must be accompanied by the reasons for the delay.
How does this translate into the real world?
When you detect a personal data breach, gather the facts as well and as fast as you can and send them to the supervisory authority. If you later obtain more information, you can send that as well, but do not wait for a complete picture before the first notification: the initial report has to go out within the 72-hour deadline.
Supervisory Authority:
The supervisory authority is designated by each Member State. In our case, since we are based in Cyprus, we address the notification to the Office of the Commissioner for Personal Data Protection:
1 Iasonos str., 1082 Nicosia
P.O.Box 23378, 1682 Nicosia
Tel: +357 22818456
Fax: +357 22304565
Email: commissioner@dataprotection.gov.cy
Notification to the data subject:
The GDPR (Art. 34) determines that the data subjects, so the people whose data have been compromised, must be notified without undue delay if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
You are relieved of this obligation if the affected data were already protected by measures that render them unintelligible to anyone not authorised to access them (for example, properly managed encryption that was in place before the breach), or if you have since taken measures that ensure the high risk is no longer likely to materialise. Note the first case carefully: encrypting the data after it has leaked does not help, the protection has to have been there when the breach happened.
How will you know if those conditions are met?
When it is clear that the breach does not pose a high risk to the rights and freedoms of the data subjects whose data you hold or process, or you have taken the measures above, you do not need to fulfil this obligation.
Otherwise, do notify.
The notification must describe, in clear and plain language, the nature of the breach and contain at least the DPO or other contact point, the likely consequences and the measures taken or proposed; beyond that there is no prescribed form. Explain what happened and what you did about it.
Things to keep in mind:
The GDPR starts the notification clock when the controller becomes aware of the personal data breach, but despite being formulated in a very "passive" way, the truth is that to avoid complications and possible fines you should implement a system that actively monitors for possible data breaches, in order to reduce the likelihood of becoming aware too late: the consequences are severe.