GDPR is already in force: by May 25, 2018, all organizations collecting or processing personal data will have to be compliant. This Regulation applies to any organization within the European Union or with registered offices outside the EU processing personal data of EU residents.
The analysis and documentation to comply with the Regulation can take a few hours to several days depending on the organization’s size, on the type and volume of the data processed, and on the risks associated with processing.
Some tasks are apparent and easy to identify, with the data controller and any advisors having in fact equal responsibility.
The protection process is continuous and requires periodic checks, each of which must be documented.
From this point of view, four key aspects are to be examined:
- Data security;
- Data portability.
For this purpose, the two figures of “Data Controller” and “Data Processor” are envisaged. The first is the one who requests the processing, the second is the one who is in charge of it and instructs staffs.
The data processor is responsible on an equal footing with the data controller, and his liability is not reduced by having received an explicit or implicit request contrary to the Regulation. The data processor must therefore offer the data controller all the necessary guarantees and demonstrate that he is capable of carrying out the task in compliance with the Regulation. It is therefore for the data controller to draw up the register of processing activities and the DPIA and respond to requests for access to personal data from any data subject and to make any changes.
The data processor is above all required to inform the data controller that any of the controller’s provisions may violate the Regulation and any data breaches. Of course, within the scope of his powers, the data processor is also responsible for identifying, if necessary, the person responsible for the protection of personal data (DPO, Data Protection Officer).
On the other hand, the data controller must be able to demonstrate that he has also followed the Regulation through the type of relationship he has with suppliers of any services that also include data processing. In this respect, the data controller must define:
- Any single service;
- Duration, nature and purpose of the processing for each service;
- Types of personal data processed;
- Categories of data subjects;
- Obligations and rights of the client;
- Obligations and rights of the supplier.
Therefore, delegation does not exempt from monitoring the data collected and available and their processing.
GDPR addresses personal data, i.e.
- Dates of birth;
- Tax codes;
- Banking data;
- Postal and e-mail addresses;
- Photographs and videos;
- IP addresses and cookies;
- Details relating to the location of the person concerned at any time.
Connection with translation
Different types of personal data can be collected in translation: from that relating to customers or project teams, including that of those who, for various reasons, are the subject of the translation, e.g. medical records, school reports, administrative and legal documents. For each type of data, it should be possible, in compliance with the Regulation, to demonstrate that its collection and subsequent processing are necessary to provide the service; it may be harder and challenging to demonstrate that storing it is also necessary, especially in archives that are only partially structured (such as translation memories).
To avoid being liable for damages caused by errors, omissions, or negligence in processing personal data, the controller must prove that everything possible has been done to avoid them. This means that every stage of processing must be documented.
In this respect, the first step consists in writing a Data Protection Impact Assessment (DPIA) document describing the operation preceding data collection to determine if the processing of personal data may pose a risk, for example when using certain technologies, especially with regard to staff assessment. The same applies when processing personal data that is expected to be used for purposes other than those for which it was originally collected, for example to send a newsletter.
The DPIA must allow for the identification of any risks that the proposed service or product may involve for data protection, and for determining if and why it might be impossible to avoid them, as wells as for describing the measures to mitigate them.
In fact, the DPIA must prove compliance with the Regulation and must therefore provide:
- The rationale for data collection;
- An assessment of the need for personal data;
- The type of personal data collected and processed;
- Any right to collection and processing;
- An assessment of the quality of service expected without the required data;
- The persons who can access or process this personal data;
- The runs and technologies with which these personal data will be processed;
- The storage period;
- Any consequences for the data subjects in case of violation;
- The measures to mitigate the risk of violation.
Once the DPIA has been approved, any processing task must be recorded in a special register.
The first step in complying with GDPR is therefore to record the data in one’s possession, where and how it is stored, who can access it, and how it is meant to be used by having a data catalog where this information is recorded, whether this data is or has been even partially shared with others and possibly why.
In summary, this data catalog must report:
- The purpose of data collection;
- The purpose of processing;
- The context in which the data is collected;
- The expectations of data holders;
- The data type;
- The impact of any further treatment;
- The expiration of data;
- The measures for the proper processing and security of data.
The consent to data processing is meant to guarantee the data subjects that their data has been, is and will be used for the purposes described by the data controller, and it is always mandatory.
For online registrations no statement is required. A contextual consent could be obtained, for example, by providing a rollover mechanism whereby, when the mouse pointer passes over a field in a form, a box is displayed explaining why the data in question is requested.
However, the mandatory nature of consent means that this must be requested again from all the data subjects whose data is stored, providing them with adequate information.
The request for consent to data processing must follow the presentation of adequate information to the data subjects. This information must be concise, clear and understandable and must provide:
- The identification details of the data controller and the data processor, as well as those of the DPO if one has been appointed;
- The purpose of processing;
- The processing methods;
- Any necessary requirements or the legal or contractual obligations for requesting the data;
- Any recipients of the collected data;
- Any transfer of data to a country outside the European Union, even at a later stage of processing;
- The consequences of processing, if any, for the data subjects;
- The possible existence of an automated decision-making process, e.g. profiling, with a description of the algorithm used and the potential consequences for the data subjects.
Cookies and their processing are perhaps the main objective of GDPR. For this reason, in addition to generally warning about the existence of cookies, possibly with a banner on the home page, the purpose of cookies, the issuing site, their duration, and the purposes that may be pursued by any third parties must be provided.
A cookie statement must also contain a section with the definition and function of the cookies applied, how to disable them or erase them and how to revoke any consent given in the past.
And even if this is not exactly part of cookie management, IP addresses must be anonymized before sending them to any traffic analysis applications.
The rights of data subjects must also be listed, especially with respect to:
- How to access personal data;
- How to have personal data edited or erased;
- How to contest the processing of personal data;
- How to revoke consent at any time;
- How to submit a complaint to the supervisory authority, with the necessary details to do so (e.g. the address to send the complaint to).
The measures for risks mitigation must consist of the agreements and guarantees provided by all parties cooperating in the processing of personal data, including the DPO and any third parties.
It is also mandatory to adopt a password management strategy for all people who can access the data stored, to provide different access levels and, possibly, keep track of activities.
A key aspect of GDPR is the requirement for training as an essential measure to understand the Regulation and the measures taken to mitigate the risks related to the processing of personal data.
The training must be prior to the access to data and must be carried out according to a plan, approved in writing, of all training chapters for all the people who can access the data.
The training must include a chapter on the Regulation and another one on the procedures.
The data subject must be allowed to transfer his personal data from one system to another without the data controller or the data processor being able to prevent it.
In this respect, it is good to remember that the greater the perceived simplicity, the greater the hidden complexity.
To recap, the tasks to be performed, in sequence, are:
- Assembling the data catalog;
- Writing the documentation;
- Laying out the forms;
- Writing the policy;
- Developing the training material;
- Training staff.