Top ten tips for GDPR implementation
With less than two months until the GDPR deadline, here are Paysafe’s ‘top 10 tips’ to help with implementation.
For further information about what we as a company are doing, see last week’s blog from Elliott Wiseman, Paysafe’s General Counsel & Chief Compliance Officer.
- Controller or Processor? Make sure you understand whether you are a Controller and/or a Processor in all your business relationships, as the rules are different for each, although even Processors are now covered by many aspects of GDPR. If you are a Controller, check that you can meet individuals’ rights, particularly the new rules around ‘data portability’, the ‘right to be forgotten’, ‘profiling’ and the additional information requirements, which you’ll need to include in your privacy notice.
- Listen to your Data Protection Authority. Understand who your lead Data Protection Authority will be and look out for and follow their GDPR Guidance communications. Log onto their website and add yourself to their mailing list.
- Do you need to rely on consent? Take a look at how you are collecting consent and don’t use pre-ticked boxes. If you need ‘consent’ as your legal basis for processing, the rules have tightened. Consider whether ‘performance of a contract’ or ‘legitimate interests’ is a better legal condition for processing data. But, under separate laws, consent is the required legal basis for most electronic marketing in Europe (email, SMS, telemarketing, automated voice calls, fax) and the use of cookies and similar tracking technology; and a new ePrivacy Regulation is due this year, which is rumoured to tighten further the rules for e-marketing and cookie use.
- Do you need a Representative? Organisations outside the EU should check whether they are GDPR-impacted, as even tracking and profiling EU citizens within the EU through the use of cookies and similar technology will likely bring you within its jurisdiction. And many Regulators have cross-border co-operation agreements in place for organisations outside their direct jurisdiction. If you are based outside the EU but offering ‘goods and services’ to EU citizens, you will need to appoint a ‘Representative’ who is based within an EU member state.
- Do you really know what personal data you hold? You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit. Ensure you know all of your business processes involved in processing personal data and have documented these.
- Are you prepared for a data breach? You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Manage your privacy risks. Take a ‘privacy by design’ approach, which basically means you need to ensure you have considered the data risk at the beginning of new projects and products and within your normal business-as-usual activities, and that you are designing your products and processes with customer privacy uppermost. Don’t use more data than is necessary for any particular purpose. Undertake ‘privacy impact assessments’ and, where privacy risks are identified, apply the relevant technical and organisational measures to ensure that privacy and security risks are appropriately mitigated.
- Trust your suppliers and Data Processors. Have you reviewed all suppliers who may be processing personal data on your behalf as a Processor? You need to ensure a compliant Processor contract is in place. You must also undertake due diligence to confirm they have adequate data security measures and can demonstrate compliance against their GDPR requirements as Data Processors.
- Do you need a Data Protection Officer (DPO)? Whilst a DPO is not mandatory for all organisations, without someone taking responsibility in this area it will be difficult to properly ensure GDPR compliance and oversight. Do ensure the individual is experienced and fully trained in data protection law and privacy, has adequate resources and has senior responsibility within your organisation. In the event of a breach or regulatory enquiry, can you demonstrate the person has effective resources, knowledge, expertise, independence and seniority?
- Accountability: can you demonstrate compliance? You need to be able to implement appropriate technical and organisational measures that ensure, and demonstrate, that you comply. This will include privacy notices, internal data protection policies, staff training, internal audits of processing activities and reviews of internal HR policies. Further, you will need to demonstrate compliance with the principles, i.e. lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.
These are just a selection of GDPR requirements. If you don’t understand any of the terms or requirements, seek further advice. If you’re not sure about your own GDPR compliance, here is a guide from the law firm Baker McKenzie, or access the guide from the Information Commissioner’s Office here.
Also see our whitepaper which explores the trifecta of legislation that will fundamentally change the face of digital commerce and payments in 2018.