The General Data Protection Regulation (GDPR) comes into effect on the 25th May 2018. You will likely have had it on your radar for the last two years, since it was passed through the European Council and have hopefully put in place some processes to ensure compliance.
However, given that this is new legislation with no legal precedents to work from, other than related but different privacy laws, you may still have some concerns and areas to focus on.
We have taken steps at Gatekeeper to ensure compliance for ourselves, but our solution can also provide a crucial link to make sure that you’re keeping accurate records of your commitments and of your suppliers' compliance efforts.
First, some quick background on GDPR
According to the GDPR website, GDPR “is an essential step to strengthen citizens' fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market.”
It builds on the previous data privacy legislation (Data Protection Directive 95/46/EC), which has been in existence since 1995, and makes it more relevant to the modern day, with all its new technological conditions.
Key changes include:
- Increased territorial scope, meaning that any company processing data regarding EU subjects must comply with the legislation, even if they have no physical presence in the EU.
- Accountability for demonstrating compliance with GDPR throughout the data lifecycle.
- Consent for data processing is more clearly defined and, when obtained, must be obtained in an open and transparent way.
- Penalties for non-compliance are considerably more severe than under the previous legislation.
- Rights to access, to be forgotten and to data portability are also laid out more clearly and mean that companies need to have processes in place to provide users with details of how their data is being used, to provide their data to them in a usable format if asked and to erase the data if the user requests it.
The first thing to consider is your company’s role in relation to the data in question. The company that owns the data and “decides the purpose and manner that the personal data is used” is considered to be a “Controller”, while any suppliers or contracted parties which handle the data on behalf of the “Controller” are referred to as “Processors”. These might include agency partners, the company that provides your web servers or firms supplying software such as email providers.
Ultimately, the controller is responsible for the data that they collect and own. However, they are also reliant on the capabilities of the processors they work with to maintain data integrity and security. Tight contracts and high levels of trust are crucial to ensuring there are no issues.
Depending on the size of your business and the sensitivity of your data (e.g. criminal records), you may also be required to appoint a Data Protection Officer to oversee all your data management. This doesn’t necessarily have to be a person within your organisation - it could be an external agency or partner - but they must report directly to the highest level of management within your business.
As listed above, you’ll also need to be able to respond to requests for data access and deletion from subjects in a timely manner.
The other crucial facet is having all your data-related activities fully documented. This is where having a robust supplier and contract management system in place can pay dividends.
The consequences of non-compliance
Violations of GDPR are serious and treated as such. The EU has been known to deliver hefty fines to businesses that have failed to comply with the new legislation:
- Amazon was fined €746 million by Luxembourg's regulatory body for breaching the regulations, as the advertising system isn't based on free consent.
- In 2021, an unnamed data controller and its third-party data controller were fined €225,000 combined for failing to implement adequate security measures.
- Clothing retailer H&M were fined over €35 million due to monitoring several hundred employees.
- French data regulators fined Google €50 million for a "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation."
Not only can fines damage the profitability of your business, but non-compliance can also damage your reputation - resulting in customers no longer trusting you.
How Gatekeeper can help
A company such as Gatekeeper has a responsibility as a processor for the customer data that we handle, but we can also go further and assist businesses looking to document their processes and record the compliance of their suppliers.
For instance, you can make it a mandatory part of any relevant contract that suppliers demonstrate their GDPR compliance. Specifically, this could include items such as data processing agreements. Use custom data fields to designate certain suppliers as ‘Data Processors’ and then use that status to determine how they should be treated.
With Gatekeeper, you can make this part of your secure workflows, which will make sure that contracts can’t progress to being signed off until GDPR compliance is recorded.
Workflows can also be used to manage the ongoing GDPR requirements throughout the lifecycle, by scheduling periodic check-ins. In both these cases, the Gatekeeper workflows can underpin your data policies.
Gatekeeper can also provide you with an easily accessible record of all existing suppliers to work through to capture their compliance retrospectively.
We’re also pleased to say that Gatekeeper's Information Security Management System (ISMS) is certified to the ISO 27001:2013 standard. This means you can rely on us and our systems to store your information securely and compliantly.
This helps protect you as the controller by ensuring you’re working with capable suppliers, and by giving you a central record of all your suppliers and their compliance status, should you be required to produce it.
Finally, we’re also a global partner of Amazon Web Services, with five global hosting instances (including Dublin, Ireland). This means you can choose your region to support your data sovereignty requirements. This is particularly relevant when considering the International Transfers requirements of the GDPR.
Between now and May we expect to see a lot more information being shared and written about GDPR as companies get themselves and suppliers into compliant positions. We also expect information security to take an even more prominent position in discussions with prospective new customers. We believe that we’re well placed to answer those questions and help customers manage their responsibilities effectively.
For more information on how Gatekeeper can support your business with GDPR compliance, get in contact today.
Disclaimer: This article should in no way be taken as legal advice. If you have questions regarding GDPR and how your business can comply then please seek professional legal advice.