Many countries are bringing in data protection laws to make it difficult to transfer data to countries without robust laws. If recent industry surveys are to be believed, many organisations are still not clear on how to comply with GDPR (General Data Protection Regulation) and how it will impact their costs and operations.
VFS Global became one of just 15% of global companies to achieve compliance with GDPR ahead of its introduction.
Here are five insights for businesses trying to tackle GDPR six months after implementation:
This is the golden fleece of data protection: customers and clients leave substantial data trails of their personal lives online, particularly when making purchases, submitting enquiries, and consenting to online cookie policies. This data will be processed and handled by multiple teams and systems in companies large and small. So identifying where and what personal data you hold within the structures of your organisation is imperative. It will not only demonstrate your organisation's compliance with the minimum baseline for this area but also make sourcing data, in the event of a subject access request, a simpler task for you or your team.
It is also important to remember that unstructured web data falls within the scope of the legislation. This includes social media posts, profile images of customers, IP addresses of their devices, their geographic locations, etc., so do be sure to add these to your appraisal. Ultimately, though, improved collaboration between teams for the delivery of GDPR compliance will be key.
A significant consequence of the GDPR for businesses operating in the European sphere is that they are now compelled to demonstrate a lawful basis for processing a set of personal data. The most commonly aired basis is that of consent. However, consent can be withdrawn or not given. Therefore, careful consideration should be given to your business model when deciding on the lawful basis that you will use.
A simple method to determine if consent is a suitable lawful basis is to apply the NEED - WANT - DROP filter to the personal data that supports your business activity. If you "NEED" the data for the business activity and can't run the activity without it, then avoid consent and look to another lawful basis such as "fulfilment of contract". If you "WANT" the data, typically for marketing, then consent is a suitable lawful basis. If, however, you have or want the personal data but cannot establish any lawful basis for processing it, then you must "DROP" this data.
The new legislation enhances an individual's rights regarding their personal data. One of these rights is the right of erasure (the right to be forgotten), i.e., the right to request that a company erase the data it holds on them. Since this needs to happen within a reasonably short timeframe of receiving a request, it is important that you know where data is stored in your processes and that you have a procedure in place to delete that data, so that you can respond quickly and efficiently.
A lot of commonly used business software does not support the selective deletion of data, so this will be a good time to have a discussion with your IT people to see if, and how, the right of erasure can be supported. To avoid potential fines and reputational damage for non-compliance, you may also need to introduce automated workflows for triggering and confirming the erasure of data from multiple internal and external systems. There are several good products on the market that will support workflow management, and some will even create a webpage for your clients to exercise their rights.
The potential reputational damage and financial costs associated with a business failing to comply with the GDPR mean it is crucial that employers take steps now to embed compliance within their organisational culture. This means developing a culture of transparency, both externally towards the client with respect to how their data is processed, and internally with staff so that incidents involving personal data are escalated and addressed. Part of this transparency is the obligation of businesses to demonstrate their compliance.
This is achieved through clear, documented records of how they store, secure, and process data through their systems, as well as the steps they have taken to improve data sourcing and handling among their staff. There are useful guides that examine data storage and training opportunities for staff.
GDPR requires that consent is 'freely' given by data subjects. This, ostensibly, means that where there is perceived to be an imbalance of power between the consenting party and the organisation, consent will be deemed invalid; given the nature of employee-employer relationships, relying on consent would therefore prove pointless in some cases.
In this area, then, it is thought that most organisations will use the lawful basis of "performance of contract", in this case the contract of employment. That said, there are some areas that will require your attention. One is how you store and transport the personal information you hold on your existing and former employees, especially if you are using a third party for activities such as payroll. Files containing the most sensitive data should be encrypted, and it is important that all staff are informed of your procedures, and purpose, for holding their data.
If you have any feedback on this article or would like to reach out to our team to know more, please email us at communications@vfsglobal.com