The EU General Data Protection Regulation is one of the most important pieces of privacy legislation to land in recent years. The challenge it addresses – setting a pan-European standard for handling personal data in a sensible, proportionate way – is immense. It’s also in the final stages of the long European legislative road: a general draft approach has been agreed between Member States, final talks are taking place with the European Parliament and Commission, and it’s expected to be in force by early next year.
While the Regulation has been getting plenty of media coverage and discussion, this has mainly focused on digitally transmitted and processed data. However, organisations handling any personal data in physical form also need to be aware of it.
The General Data Protection Regulation – Why it Matters
Regulators and legislators may have been thinking mainly about Google, Facebook and other big online operators when framing the General Data Protection Regulation. However, the definitions they have set in Article 4 make it clear: this applies to anyone holding or handling personal data, at any scale, regardless of the format.
Data is Data
Personal data, as defined in the current draft, doesn’t need to be online to be covered by the General Data Protection Regulation. As article 4 (1) says:
“‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
This is unambiguous – if your organisation handles information, in any form, that can be used to identify an individual, your organisation is holding personal data. The vast majority of organisations, therefore, have responsibilities to handle that information in compliance with the Regulation.
Having is ‘Processing’
Many organisations don’t imagine that they ‘process’ personal data simply because they don’t have a team of people working with spreadsheets to mine information for insight. That’s not the EU’s view, at least according to article 4 (3) of the draft General Data Protection Regulation:
“‘Processing’ means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
In other words, if you’re doing anything with personal data, you’re processing it. Even the act of storing data is, in itself, processing according to the draft regulation. People may argue about the fairness of this. However, if your organisation is going to have personal data – even just in storage – it has a duty of care to protect the privacy of individuals.
The General Data Protection Regulation – Your Obligations
So, if most organisations are in fact processors of personal data, even just by holding older information in documents, what obligations does the General Data Protection Regulation place on them? Happily, most of the demands of the General Data Protection Regulation are things organisations can live with – and most are really just best practice already. Three principles are key: collect data in the right way, think about risks, and process it securely.
Collect data in the right way
If your organisation is going to collect or process personal data, the General Data Protection Regulation rather reasonably states that at least one of the following conditions must apply:
- A person has given unambiguous consent to using their data for a specific purpose (for example, if a person gave their details to receive promotions by mail).
- Processing data is necessary to fulfil a contract to which the person is party (for example, if a person gave their delivery address to receive products).
- Processing data is necessary to comply with a legal obligation (for example, if you need to keep records of who has bought your products in the last year).
- Processing data is necessary to protect the vital interests of an individual.
- Processing data is necessary to perform a task in the public interest, or to exercise an official authority.
- Processing data is necessary for the legitimate interests of the controller, and these are not overridden by the interests or fundamental rights and freedoms of the data subject.
In other words, organisations need to have a good specified reason to process personal data – even if just to keep it. This has already been the case for some time in Ireland under Data Protection Commissioner guidelines. However, some added responsibilities in the General Data Protection Regulation will make organisations think about how they’re handling that information.
Think about the Risk
Indeed, under Article 33, organisations will be obliged to think about it. Where processing is likely to present a high risk to individuals, a full data protection impact assessment is required, and where that assessment shows the risk cannot be adequately mitigated, the organisation must consult the regulator before going ahead.
“Where a type of processing … is likely to result in a high risk for the rights and freedoms of individuals, such as discrimination, identity theft or fraud, financial loss, damage to the reputation, unauthorised reversal of pseudonymisation, loss of confidentiality of data protected by professional secrecy or any other significant economic or social disadvantage, the controller [must] carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
It’s fair to argue that storing information in a secure location is a low-risk activity. However, even if you take this line and do not conduct a full data protection impact assessment, it is still valuable to formally evaluate the risks associated with retaining the data. That way, if you are unlucky enough to suffer a data breach, you can demonstrate that your organisation considered the risks involved and based its subsequent actions on a reasonable evaluation of those risks.
Process Securely and Define Access
It goes without saying that organisations holding or processing data are expected to keep it secure. Article 23 (1) and (2) of the General Data Protection Regulation lays this out clearly.
“The controller shall implement technical and organisational measures appropriate to the processing activity being carried out and its objectives… in such a way that the processing will meet the requirements of this Regulation and protect the rights of data subjects.”
“The controller shall implement appropriate measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed… those mechanisms shall ensure that by default personal data are not made accessible without human intervention to an indefinite number of individuals.”
The second half of paragraph (2) is worth emphasising. Under the current draft of the General Data Protection Regulation, organisations have a duty to ensure that personal data is not made accessible to an indefinite number of people – in other words, they need a system in place that actually defines who has access to what personal data. For digital information this is relatively straightforward to implement. However, many organisations have an effectively unlimited number of employees with access to sensitive personal data held in hard-copy files – and would thus be in breach of the Regulation.
Establishing an in-house system that defines access to personal data in physical documents can involve quite a bit of investment. For smaller companies, sending less frequently used but sensitive files into storage is a cost-effective solution. It also helps significantly with your next big obligation: keeping a detailed record of your processing.
The General Data Protection Regulation sets quite a high standard for record keeping when you’re processing personal information. According to article 28, an organisation controlling personal data (or its representative):
“Shall maintain a record of all categories of personal data processing activities under its responsibility.”
This record, under the current draft, should include the following:
- The name and contact details of the controller (and of any processor acting on its behalf).
- The purpose of the processing.
- A description of the categories of data subjects, and of the type of personal data related to them that the organisation holds.
- The categories of recipients to which the organisation has disclosed or will disclose the data – particularly those based in third countries.
- The envisaged time limits for erasing the data (where possible).
- A description of the security measures taken to keep the data.
If your organisation holds documents that contain personal information, you will soon need to keep a detailed record of how that information is handled and when it will be destroyed. Getting a robust system in place may entail significant ongoing investment. With an off-site storage provider, this is considerably easier.
Make Data Available
This kind of robust record-keeping isn’t just for fun: it’s important to protect the rights of individuals to access their own information. And these rights are extensive, as Article 15 reveals:
“The data subject shall have the right to obtain from the controller at reasonable intervals and free of charge confirmation as to whether or not personal data concerning him or her are being processed and where such personal data are being processed provide access to the data…”
Organisations in this situation are also expected to inform people:
- Why the data is being processed.
- Any organisations (or type of organisations) that the data has been disclosed to, or may be disclosed to.
- How long the data will be stored.
- Their right to seek amendment of the data, or complain to the appropriate authority.
This all seems quite reasonable: most of us would expect the same kind of information from an organisation holding our personal data. However, organisations sitting on a sprawling mass of personal information without proper record-keeping or control leave themselves at risk of being unable to fulfil their obligations to data subjects. An awkward data access request, from a person prepared to get the Data Protection Commissioner involved, could create major problems.
Of course, it’s relatively easy to get digital data in some semblance of order. But if your organisation is handling significant volumes of personal information in physical documents, you will need to adopt robust systems for keeping track of how it is managed.
The General Data Protection Regulation – Fines and Codes of Practice
The administrative fines for flouting the General Data Protection Regulation are potentially heavy – up to a million euro or 2% of global turnover for the worst offenders under the current draft. Individual regulators are given considerable latitude in setting these fines, and they are meant to be applied where an organisation has breached the Regulation “deliberately or negligently”. So, while completely ignoring the law and getting caught could result in a crippling fine, having sensible practices and security measures in place will work in your favour if a problem occurs. The General Data Protection Regulation isn’t a stick with which to beat companies that suffer setbacks or breaches despite their best efforts – it’s designed to make every company respect personal privacy and data security.
In fact, the authors of the General Data Protection Regulation want to make things that bit easier for businesses by developing pan-European codes of conduct for data protection. Abiding by these, the Regulation says, will help demonstrate compliance. However, these are still just ideas on paper: by the time standards bodies have responded to the Regulation, agreed codes of conduct and circulated them, the smart organisations will already have prepared.
The General Data Protection Regulation – Your Action Plan
The General Data Protection Regulation is set to come into force in December or January. Two years later, every organisation will be expected to comply. Many organisations will need a lot of work to bring their data handling practices into line, so there’s no point delaying. Here are four important steps to take today.
Review how you collect data. Make sure that your organisation isn’t collecting data through illicit means, or processing it without a clear justification. Take a top level view to see how data is coming into your organisation, confirm that you’re getting the kind of permissions needed to process it legally, and establish why this data is actually needed.
Manage the risks of processing and holding data. Make sure that your colleagues understand and respect the risks of holding or processing data. Evaluate whether doing so creates risks for individuals and, if so, start taking steps to minimise those risks. With personal data in digital form, anonymising or encrypting data is sensible. In physical documents, keeping sensitive data in a secure environment (and disposing of it securely when the time comes) is an essential first step.
Control access to personal data. Personal data should not be easily accessible to anyone passing by a filing cabinet: someone getting access to this information should have a reason for doing so, and his or her access to it should be recorded. Establishing an in-house system to track access to personal data will take work, but it’s important. Farming out older but still useful documents to off-site storage is an efficient way to control access to the personal data they contain.
Get records. Know what personal data your organisation has, how it processes it, who has access to it and (where possible) when you will destroy it. If your organisation has been disorganised in managing data, getting records up to scratch may be a mammoth task. Still, unless you and your colleagues take steps to get information secured, you’re at real risk of non-compliance and hefty fines. Again, the process of moving files to off-site storage will help get your organisation’s information organised efficiently.
The General Data Protection Regulation – Your Questions
The General Data Protection Regulation is quite vast, and there’s a lot for organisations to understand if they want to be in compliance. Whether or not you are a Document & File Storage client, we’d be happy to discuss your own organisation’s approach to these new rules. Feel free to contact us for an initial, no-obligation discussion.