For businesses, being able to collect and analyse customers’ personal information is generally a good thing. But with this valuable information comes the responsibility to comply with specific laws and regulations.
The General Data Protection Regulation (GDPR) was enacted to ensure that all organisations that collect and store personal data do so in a way to protect it from loss, theft and misuse. Failure to comply can have costly consequences.
Without the right tools or knowledge, complying with such restrictive and punitive regulations can be downright scary. So we wanted to share some of the key aspects of GDPR legislation and how Borealis software can help you ensure GDPR compliance.
In this article (15-minute read):
- What is GDPR?
- How exactly does GDPR protect data?
- What organisations need to comply with GDPR?
- What personal information are organisations allowed to collect?
- How should requests from individuals be dealt with?
- How long can organisations keep data and do they need to update it?
- What must organisations do if a data breach occurs?
- Do all organisations need a GDPR compliance strategy?
- How can organisations demonstrate that they are GDPR compliant?
What is GDPR?
The General Data Protection Regulation is a legal framework that outlines the rules for collecting and processing personal information from EU citizens. Essentially, GDPR aims to achieve two basic objectives:
- Give EU citizens a greater degree of control over their own personal data.
- Simplify the regulatory environment so that businesses and consumers alike can benefit from the digital economy.
How exactly does GDPR protect data?
GDPR achieves data protection in a few different ways.
First, it requires companies to build data protection safeguards into their products and services from their earliest stage of development – an approach referred to as ‘data protection by design’. This also applies to any service that involves the processing of personal data – including stakeholder data.
Organisations are also encouraged to adopt techniques to further enhance data privacy. One common technique is ‘pseudonymisation’, which essentially strips identifying information from personal data and replaces it with artificial identifiers or pseudonyms so that an individual cannot be identified should the information fall into the wrong hands.
How Borealis software can help you comply with the GDPR data protection by design principle:
- Unlike Excel files (which are probably the least secure way to manage sensitive information – see why you need to stop using spreadsheets to manage stakeholders), the features in Borealis software allow for strict user access rights and data segregation to ensure data security, integrity and confidentiality.
- The Outlook add-in feature in Borealis uses advanced data encryption methods to keep emailed data safe.
- During onboarding, the Borealis team will help you determine the minimum level of access and add additional security levels as needed.
- Once your Borealis platform is up and running, the system constantly monitors usage to detect any unusual activity, such as multiple failed login attempts, large amounts of information being exported from the system, etc. Depending on the situation, the system will either automatically block access to the user in question or notify our monitoring team. They will then immediately reach out to the client’s designated contact person so that the appropriate steps can be taken.
See the other ways in which Borealis software ensures data security – for your own business information and the personal data of your stakeholders.
What type of organisations need to comply with GDPR?
GDPR applies to any organisation operating within the EU, as well as to those outside the EU which offer goods or services to customers or businesses based in the EU.
In simpler terms, any business that collects personal information from EU customers is required to be GDPR compliant – regardless of its size, industry sector or area of activity.
Put even simpler, any business that sells products or services online is potentially subject to GDPR rules and regulations, since any given customer may potentially be from the EU. These rules and regulations apply equally to one-person operations as to Fortune 500 companies.
What personal information are organisations allowed to collect?
Under the GDPR ‘purpose limitation’ principle, companies must have a valid reason for processing an individual’s personal data. Only the information required to serve that reason may be collected.
Example
If you are required to resettle a community as part of an IFC-financed project, you must comply with certain performance standards, such as identifying vulnerable households to ensure livelihood restoration. Since vulnerability depends on factors such as age, gender, disabilities, etc., it is reasonable to ask affected stakeholders for this type of personal information during household surveys. However, for the purposes of compliance, it would not be reasonable to ask them about their religious or political beliefs, sexual orientation, etc.
GDPR outlines a number of rules that must be followed. For example, companies must:
- Process personal data in a lawful, transparent and fair manner.
- Have a valid purpose for processing the data and clearly explain this purpose to individuals whenever it collects their personal data.
- Collect and process only the personal data needed to achieve that purpose (‘data minimisation’).
- Ensure it keeps collected personal data accurate and up-to-date so that it can continue to fulfil its intended purpose.
- Only use the personal data for the stated original purpose.
- Store personal data for only as long as it is needed to fulfil its intended purpose.
- Put the necessary technical and organisational measures in place to protect the personal data from unauthorised use, loss, damage or destruction.
Respecting these rules and other GDPR principles generally requires the use of proper software tools.
How Borealis software can help you comply with the GDPR purpose limitation principle:
Although virtually any information can be stored in Borealis software, our team can help you configure the system so that only the necessary data are captured. While the decision of what data to retain is yours, we can help you modify this configuration as you wish as these criteria and your organisation’s needs change over time.What information do organisations need to provide individuals whose data they collect?
At the moment an organisation collects an individual’s personal data, it must provide the individual with the following information:
- The company’s name and contact information, along with that of its Data Protection Officer (DPO), if it has one.
- Why it is collecting this personal data.
- The categories of personal data being collected.
- Its legal justification for processing this data.
- How long it will keep this data.
- Who else might have access to this data.
- Whether this data will be transferred outside the EU.
The organisation must also inform the individual at this time that he or she has a right to:
- Request a copy of the data (right to access personal data), along with information on other basic rights.
- Lodge a complaint with a Data Protection Authority (DPA).
- Withdraw consent at any time.
See the complete list of information organisations are required to provide when collecting personal data.
How should requests from individuals be dealt with?
Under the GDPR, individuals have the right to request access to the personal information a company has collected about them. They also have the right to request that this information be corrected, erased or restricted. Individuals can also object to this information being collected in the first place, or to not be subject to automated decision-making regarding how their personal information is processed.
Under the GDPR, if a stakeholder contacts you requesting information about how your organisation processes their personal information, the request must be treated as follows:
- You must reply to the request without undue delay, and no later than one month of receiving the request.
- You may also ask the stakeholder for additional information for the sole purpose of confirm his or her identity.
In some instances, you are allowed to reject the request. If you have legitimate grounds to reject a stakeholder’s request, you must explain your reasons for rejection and inform the stakeholder of his or her right to file a complaint with the DPA and to seek legal remedy.
How Borealis software makes it easy to deal with requests from individuals
As Borealis software centralises all stakeholder data, each individual stakeholder record in the system contains the complete set of data you have on that particular individual. If a stakeholder contacts you asking for a copy of all their collected personal information, you won’t need to gather bits and pieces of information from various locations. It is all stored in a single location in Borealis. In just one click, anyone with access rights can export a PDF of the stakeholder’s complete data in readable format.
If a stakeholder asks that his or her personal information be corrected, restricted (hidden) or deleted, doing so is just as easy. With Borealis, this task need only be done in once to make it organisation-wide. You can also link all consent information that was presented to the stakeholder’s file. This way, it will be immediately accessible in the event of an audit.
Thanks to Borealis software’s global community of practice, our team can advise you on these and other best practices.
How long can organisations keep data and do they need to update it?
To be GDPR compliant, data must be stored for the shortest time possible. This time frame will depend on why the data is being processed as well as other legal obligations your company may be subject to, such specific national labour, tax or anti-fraud laws governing how personal data is used to effectively manage things like employees, product warranties, etc.).
When personal data is being archived for purposes that serve the public interest or scientific or historical research, it is reasonable to store data for a longer period of time.
Regardless of whether data is stored for 15 minutes or 150 years, companies are required to put the appropriate technical and organisational measures in place, such as pseudonymisation, encryption, etc.).
Companies should establish a clear schedule for reviewing, updating or erasing stored data.
How Borealis software can help you comply with GDPR:
Borealis software can notify you if a stakeholder has been inactive for too long (say, for 2 years) and needs to be removed from your records. This duration can be set by the client. Other similar notifications or tasks can be configured with the client during onboarding.
What must organisations do if a data breach occurs?
A data breach is any security incident that could potentially compromise the confidentiality, availability or integrity of data.
Under the terms of the GDPR, organisations are responsible for implementing the appropriate technical and organisational measures to avoid the likelihood of a data breach.
If a data breach occurs that could put an individual’s rights and freedoms at risk, the organisation must notify the appropriate authorities without delay and no later than 72 hours of becoming aware of the breach.
If the breach puts an individual’s rights and freedoms at high risk, the organisation must take the necessary steps to inform the individual, unless subsequent measures have already been taken to ensure the risk is no longer likely to materialise.
How Borealis software can help you prevent data breaches:
Data breaches are logistical nightmares with potentially devastating consequences for a company’s finances and reputation. Borealis minimises the risk of hackers and data breaches with 24/7 monitoring tools, data encryption, penetration testing and other types of vulnerability testing.
In the event of a data breach or other security issue, we have a protocol in place to act quickly. As part of this protocol, our team will notify the organisation’s key contact who in turn can communicate with the right stakeholders using Borealis’ Smart Communications.
Learn more about how Borealis ensures data security >Do all organisations need a GDPR compliance strategy?
All organisations that collect data from European citizens need to have a GDPR strategy. But even those outside of the EU can benefit from having one. To create an appropriate strategy, however, it’s important to first understand whether GDPR views your organisation as a data ‘processor’ or as a data ‘controller’:
- A controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data.”
- A processor is a “person, public authority, agency or other body which processes personal data on behalf of the controller”.
Example
The bulk of the responsibility for safeguarding personal data falls on the shoulders of controllers, who are legally obligated to maintain records of personal data and how it is processed. Controllers must also ensure that all contracts with processors are in compliance with GDPR. In the event of a data breach, controllers face a high level of legal liability.
Keep in mind that the fine will be issued to the controller, not to the processor. This underscores the importance of choosing the right provider when looking for a stakeholder information management system. With 20 years, Borealis has been helping organisations worldwide meet compliance requirements – whether it’s GDPR, IFC, ICMM, IPIECA, or ISO 26000. We ensure our system is up to date with data privacy laws – something a new provider may not be able to do.
How can organisations demonstrate that they are GDPR compliant?
GDPR regulations require organisations to not only comply with its data protection principles, but also to demonstrate this compliance. The GDPR provides a set of tools to help in this regard, some of which are mandatory.
In some cases, organisations must have Data Protection Officer or conduct data protection impact assessments (DPIA).
Organisations can also use other tools such as recognised codes of conduct and certification mechanisms to demonstrate compliance. While optional, these tools may be of help should your organisation be investigated for a GDPR breach.
How Borealis software can help you demonstrate GDPR compliance:
Traceability & Audit
The audit trails recorded within Borealis enable clients to demonstrate which user accessed which records.
Simplify GDPR compliance with Borealis
As complex as GDPR might seem, it’s basically a consolidation of existing data security principles.
For organisations that already have good governance measures, compliance will be relatively straightforward and in keeping with their goals of achieving best practices. For others, it will likely mean implementing additional policies, procedures and tools to adequately protect data.
In either case, having a purpose-built information management system for managing stakeholder data will go beyond simply streamlining GDPR compliance. It will also improve the overall efficiency of your day-to-day stakeholder management efforts.
If you’re curious about how Borealis software can help your business, talk to our team.
Source: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations_en
