This article describes in a few simple steps how VI Company will become compliant with GDPR. Originally set up as an internal document, it is now an article that might be interesting for other service providers, as well as clients, relations and anyone who deals with privacy-sensitive data.
In short: all companies inside or outside the EU working with EU privacy-related data. That’s a large scope, isn’t it? That’s right. It affects us all.
The General Data Protection Regulation, in short GDPR, is the successor of the “old” EU Data Protection Directive, which dates from 1995, a time when the internet was barely invented. New technologies make privacy-sensitive data much more liquid, available and usable, and thus a new data protection regulation is required. It will be in force by May 25, 2018.
Processor vs controller
GDPR makes the explicit distinction between a processor role and a controller role. This distinction is very important because the role defines which set of directives, liabilities and… fines are applicable. GDPR makes the following distinction (source: article 4, GDPR):
- Controller: “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”
- Processor: “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”
So, VI Company is a processor, right? Well, yes and no. For most projects we develop and maintain on behalf of our clients, we are the processor. However, in some cases we are the controller as well: we hold privacy-sensitive data such as the names and addresses of colleagues, for example. And since we like to send birthday cards to clients, we also hold birthdates in combination with names and addresses. This is all data that can be traced back to an individual. Yep: all this data (and so much more) is covered by GDPR and marked as personal data. GDPR also covers certain data that is marked as sensitive personal data. When sensitive personal data is involved, the level of restrictions and security is increased significantly. For VI Company this is not applicable.
Let’s dive a bit deeper into the obligations of VI Company as a processor. In this case, it is good to know that:
- We have to make clear how we act in relation to our clients and their data. E.g.: in our case as a service provider, we need to clearly describe that we act as the processor and not the controller. This should be formalized;
- As a processor, in some cases we can be held liable as well in case damage occurs by not complying with obligations. This is a major change compared to the 1995 directive. Another reason to take GDPR seriously;
- The controller is responsible for defining how and why personal data is processed. The processor acts on the controller’s behalf. This should be formalized.
We should make it demonstrable how we secure personal data during both the development phase and the maintenance phase. To meet our obligations, we are taking the following steps towards May 28, 2018:
- Formalize per project and per client that we act as the data processor;
- Together with our clients, specify the types of personal data we collect and process;
- Help our clients define the gap between the current situation and the supposed situation;
- Help our clients to define the procedures around data protection;
- Formalize GDPR specific arrangements with our clients. For example, by adding an addendum to existing contracts;
- Assess our need to assign a DPO (Data Protection Officer);
- Further introduce privacy by design into our development process.
Will it be easy to comply?
Some requirements of GDPR for the processor are mainly common (privacy) sense. However, it does involve additional formalities, such as setting up extra agreements and making processes clearer. To a certain point that is a great thing, because taking care of privacy shouldn’t be taken lightly. Easy to comply? Not sure yet. It requires attention, that much is sure. We would rather spend our time developing awesome stuff. Then again, we acknowledge that developing awesome stuff these days should involve more privacy by design.
Thanks Nick for helping me on this topic!