The GDPR deadline for compliance was May 25, 2018. Many organizations both in the United States and the European Union are not fully prepared or compliant. A big hurdle for US companies is knowing that the GDPR is a requirement that applies to them. If the company or organization reaches EU customers or keeps information on EU citizens, the regulation is relevant and steps for compliance need to be taken. There are two big parts to the GDPR: the technical side and the documentation/legal side. Once you know the GDPR applies to your organization, make sure you focus on understanding Article 30 and the documentation side of compliance.
Documentation Requirements of the GDPR are Stringent
Most of the GDPR is concerned with outlining the when, where, what, why, and whose of personal data collection, storage, and use. Article 30 of the GDPR is short in comparison to the rest of the document but can have a heavy downstream impact if not taken care of in conjunction with the technical requirements. Any organization that collects, borrows, stores, or sends an EU citizen’s data is required to comply. (Learn more about Stronger’s full GDPR documentation solution here…)
“The records referred to in paragraphs 1 and 2 shall be in writing, including in electronic form.”
Article 30 is about documentation. The first sentence of Article 30 (1) states “Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility”.
The governing organization wants you to have a written and documented plan explaining where the information is gathered, where it is stored, and so on.
It’s a short article covering a huge amount of work. Think of it as keeping records in anticipation of an IRS audit. You keep track of every transaction: where it came from, where it’s going, what it’s being used for, when you got it, etc. You may not need the information this year, but if you want to pass an audit you had better be prepared to show the documentation when the auditor comes calling, or pay the price. The price for non-compliance can be hefty.
It’s the same for the GDPR. Documentation is important for compliance, and doubly important for keeping fines and discomfort to a minimum. Having a documentation structure in place is the key.
If the organization is over 250 people, the requirements are different. Lighter documentation is required of small businesses with under 250 employees in Article 30 (5); however, they are not exempted, only given requirements more in line with a smaller organization’s ability to produce documentation.
Universities have a unique role in our society of educating and they often engage with people from other countries. Universities also have different departments that access and use data for specific reasons.
Some of the things needing documentation:
- 72-hour incident response plan
- Who is responsible for the data and who is next in responsibility?
- Is the data encrypted?
- Who has access and what do they do with it?
- Is the information you are asking for necessary for what you are doing?
- Where will that data be going?
- Categories of data collected
In the case of certain kinds of information, you need to get specific consent. There are precise requirements for how that consent is obtained and what kinds of information require specific consent. This area of GDPR compliance requires legal advice and/or legal counsel to be accurate.
This often comes into play when research is being conducted at universities, medical research organizations, and social services organizations.
Article 9 (1) outlines what information requires specific consent.
- “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”
It further states in Article 9(2)(a) that the consent must be “explicit”.
Among other things, consent is required to be written in clear, plain language, to be intelligible and unambiguous, to be capable of being withdrawn at any time, and to carry parental authorization for anyone under 13.
Written documentation that consent forms comply with the above requirements is essential if any information being used includes information of EU citizens.
There are also specific requirements in regard to criminal background checks, which is something to keep in mind if you hire foreign nationals from the EU. A routine HR procedure, if not outlined in a written document, can be a breach of GDPR compliance.
As you go through the steps of GDPR compliance, be sure that you are prepared and have a plan for written documentation and maintenance of those written records. Just once isn’t enough. You need to be able to produce written documentation on demand.
Documenting the kinds of information required by the GDPR can help an organization streamline its data. Documenting who is responsible for what information, where that information is, and how it is being used can help when turnover occurs in an organization and result in less “lost” information.
It can also be useful in putting together employee training programs (what are the employee’s role and responsibilities when there is a cyber incident?). The written documentation already exists and is being maintained.
Documentation is often a headache when first implementing it into a routine but often has unexpected benefits in the long run. Streamlining documentation to include GDPR guidelines for all gathered personal information may save you time down the road as more countries draft similar guidelines.
Whatever you do – be aware. Consider whether you have any information on EU citizens that you may be storing or gathering, and take steps to be sure you document along the way. Legal and professional services can help set up a system and documentation that can then be followed and used. Stronger has a full solution for all GDPR documentation: low-cost, high-quality GDPR documentation on demand. Find out more here…