It may only be four words, but the EU’s General Data Protection Regulation (GDPR) is already striking fear into the hearts of millions of businesses around the world.
The GDPR sees existing data protection laws strengthened, with increased protection for individuals and increased fines for businesses. The reasons are clear; the GDPR is designed to:
- Update data protection for the internet age
- Harmonize European data protection rules
- Strengthen business accountability and governance of data
- Offer individuals more transparency and control over their personal data
So, by the May 25, 2018 deadline, individuals will enjoy greater control over their personal data, while businesses must comply with the regulation or face a massive fine of €20 million, or 4 percent of global turnover. And it doesn’t matter where you’re based – despite being an EU initiative, the rules will apply to all businesses that process the data of EU citizens (and British subjects, too, even after Brexit).
If you haven’t already, there are plenty of tasks to start on to get your training organization GDPR-compliant well before the deadline.
Respect the New Rights
The GDPR introduces eight core rights for individuals:
- The right to be informed: If you store any data on individuals, you must let them know your basis for collecting and processing that data.
- The right of access: Individuals have the right to see all the data you have on them.
- The right to rectification: Individuals can appeal to have inaccurate data rectified.
- The right to erasure: You might know this right as “the right to be forgotten.” Individuals can now request that you delete their personal data.
- The right to restrict processing: Like the right to erasure, this right allows individuals to request that you stop processing their data, although you can still store it.
- The right to data portability: Individuals now have the right to securely move, copy or transfer their data across companies. These services must be provided for free and in a common, machine-readable format, such as CSV.
- The right to object: Individuals can now object to any data processing that does not conform to best practice (i.e., that is not secure).
- Rights in relation to automated decision-making and profiling: This right is unlikely to affect most training organizations, but if you use automation to form decisions, individuals can request a human decision-maker instead.
Failure to comply with these rights can lead to hefty fines, so it’s a good idea to start honoring them now.
Audit Your Data Processing Procedures
The GDPR is chiefly concerned with how you process your data. To really get ahead of the game on this one, you’ll want to audit your data processes sooner rather than later. Questions you need to be asking are:
- Are your processes as secure as they can be?
- Do employees only have access to the data they need?
- How are data stored and used?
- Where can improvements be made?
The best way to ensure your data processing is compliant is to use data protection impact assessments, which can help you identify the best way to comply with regulations and meet individuals’ privacy expectations. These assessments should establish:
- Current processing methods
- Why you’re processing that data
- What risks, if any, you might expose individuals to
- How you’ve minimized potential risks
- A clear demonstration of GDPR compliance
Another reason why this assessment is so important is that if you suffer a data breach, you’ll need to show the relevant authorities what processes you undertook and that you were complying with the GDPR. Failure to do so could lead to a massive fine for your business. Likewise, any new data-based systems, like a training management system, that you introduce must be built with “privacy by design”; essentially, they need to conform to lawful data security best practices from the start.
These audits and assessments are an ideal way to begin GDPR compliance before the deadline, because as of May, if your organization employs 250 people or more, you’re legally obliged to maintain internal records of your data processing. If you employ fewer than 250 but process high-risk data, you may also be required to hold such records.
Train Your Employees on the GDPR
The GDPR represents a major shift in the responsibilities of both data controllers (your training organization) and data processors (your training administrators). Previously, the company was entirely responsible. Now, all parties will be responsible for their actions.
So, for instance, processors will be personally liable for any data breaches that occur on their watch, while the controllers will be responsible for, and required to demonstrate, compliance. Similarly, if your training business uses third-party data processors, it’s up to you to make sure that they understand and uphold the GDPR, as you will all be responsible if data goes astray.
Therefore, you’ll want to roll out internal training for anyone who will be handling personal data – and that includes setting expectations with third-party processors. Everyone from the top down needs to understand what the GDPR is, why it’s being introduced, how their rights and responsibilities will change, and best practices to ensure compliance.