Ensuring compliance with the European Data Protection Regulation is a challenging task. This is especially true for IT professionals, as they need to take a proactive approach during the development of their technology solutions. In addition, IT professionals currently deal with personal information being stored in various file formats such as spreadsheets, PDFs and Word documents, which creates additional challenges, as does the way information is backed up and handled. Some organisations make use of cloud backup services, which need to fulfil certain criteria. In this article we set out the key challenges for IT professionals and technology companies and the steps you can take to overcome them.
The first step is to take a look at the current position of your organisation. In other words, where are you now in terms of compliance? Accountability is a key theme in the Regulation, and this means all employees involved should be aware of how the company handles data, what types of data are stored and how data is processed, transferred and backed up. Awareness of the current position will help determine how prepared the company is for the Regulation and will enable you to put together a plan of action to address the identified issues. Many guides on Data Protection mention the importance of accountability, but it is important to understand what accountability actually means. As the term suggests, it creates the obligation to explain, thus to ‘give account of’ how you have discharged specific responsibilities or why you have taken certain steps. In addition, it implies the existence of two parties where one party answers to the other. When we translate this to the realities of the Regulation, it means that you, as a data controller, must take the appropriate organisational and technical measures to make sure your organisation is compliant with the Regulation, and that you must be able to demonstrate compliance upon request.
Closely related to the concept of accountability is the importance of transparency in your data processing operations. What is the legal basis for the processing of the personal data? The Regulation requires explicit consent from your customers to process their data, and it is vital that you obtain this as soon as possible if you haven’t done so already. It also means that you must inform your customers, in clear language, of how their personal information is processed. To name a few points, you need to inform your customers of:
the purpose for which their personal information is collected;
the period for which the data will be stored;
whether the data will be transferred internationally;
the various rights available to your customer, e.g. the right to have the information corrected, the right to revoke consent, etc.;
the right to file a complaint with the data protection authorities.
The terms and conditions of your product or service must take into account the characteristics of your target audience; they must be easy to access and written in plain and clear language. This means we are moving away from extensive legal documents consisting of hard-to-read legal jargon. In order to comply with the transparency principle you need to be in a position to adequately inform your customers. It is therefore crucial to take transparency into consideration when you are developing new processes and technology solutions, which means you need to document exactly how the data is being processed, who is involved, who has access to it and where it is located at any given time.
Documentation and Monitoring
In the previous paragraph we briefly touched upon the importance of informing your customers of all aspects of the processing of their personal information. This brings us to the role documentation has in the Regulation. Most organisations make use of various technologies and platforms, and customers are offered these services on different devices such as PCs, mobile phones and tablets, as well as through cloud access. The multiple technology solutions need to work together while remaining compliant with the Regulation. This means you need to think very carefully about the design of the data flows during the development process. This is included in the Privacy by Design principle and is by far the most important aspect of the Regulation for developers.
Privacy by design means that each new service or business process that makes use of personal information must take the protection of this data into consideration. As a business you need to be able to demonstrate that you have adequate organisational and technological security measures in place and that compliance is monitored. In practice this means that an IT department must take privacy into account during the whole lifecycle of the system or process development. It is recommended to document your decisions during the development of your service so you can explain why you made certain decisions for the purpose of ensuring the protection of the personal data within the system. Furthermore, you need to make sure you know where the data resides at all times. This can be achieved by creating data flow diagrams that display all data flows and all parties involved when your service is used. Being proactive will eliminate a lot of work in the future: it makes it easy for your business to comply with the accountability principle, because demonstrating your compliance will be relatively simple.
Lastly, we mention the challenge of compliance in the context of electronic documents (eDocuments). Compliance with data protection law is required for any documents containing personal data, thus information contained in eDocuments cannot be overlooked. The role of eDocuments needs to be taken into account during the development process of the IT infrastructure. It is common nowadays for personal data to be incorporated into various types of documents such as spreadsheets, presentations, PDF files and Word documents. Using eDocuments simplifies many processes, but their use makes developing Data Protection Law compliant solutions even more challenging. Under the Regulation, personal data stored in such formats must also be adequately protected during every step of the data processing activities. When adopting new technologies using eDocuments you must take adequate measures to ensure the security of the personal information during transmission and storage, as well as when the data is accessed. It is advisable to implement electronic document transmission technologies that incorporate logging, reporting and tracking of digital documents as they are transferred. This will enable you to maintain an audit trail of your data. You should make sure that documents containing sensitive personal information are only accessed by authorised personnel and that you take measures to ensure the highest level of security is applied to these electronic documents.
The various topics discussed in this article demonstrate that compliance must be a consideration during the entire process of developing technology and during the business processes in which the technology is utilised. It is recommended that you take care to document the steps you take to ensure the protection of personal data so you can easily demonstrate compliance. Being proactive about compliance is important, and it will become increasingly important as Data Protection Law becomes more stringent in the future. Even though the Regulation has been delayed, you should start taking steps towards ensuring compliance now so you and your business are ready when the Regulation comes into force.