HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Upgrading Software to comply with GDPR

The General Data Protection Regulation (GDPR) comes into force on the 25th of May 2018, and any business that aspires to be GDPR compliant needs to know which software upgrades its IT systems will require to ensure that compliance. Your business may need to upgrade the software it currently uses, or an alternative software solution might be required.

What is the impact of GDPR on your business?

To begin with, we should take a look at what the General Data Protection Regulation actually is. The intention of the GDPR is to provide some uniformity in the manner in which personal data is processed in European Union member states. However, the GDPR does not only affect Europe. It also introduces new and extended rights for all data subjects who are citizens of EU countries. That is to say, any organisation which processes the personal data of a European citizen must comply with the GDPR, no matter which continent it is based in.

If you are not overly familiar with the terms of the GDPR, it might be helpful to consult the guidance of the Article 29 working party, or to study the information that has been offered by the Data Protection Authority (DPA).

A large percentage of the businesses which need to be GDPR compliant have indicated some concerns with respect to its implementation. Many are worried that present processes and software solutions will no longer be adequate for the implementation of new policies. They have reason to be concerned; businesses which are non-compliant will face fines of up to a maximum of either 4% of annual turnover or $20 million – whichever is greater.

Identifying high risk personal data

When deciding upon software upgrades to ensure GDPR compliance, businesses should pay particular attention to risky processing activities. Such activities may include the processing of the following forms of personal data:

  • Details concerning ethnicity.
  • Religious or political affiliation or beliefs.
  • Details relating to healthcare.
  • Sexual identity or orientation.
  • Information relating to DNA/Genetics.

Any business or organisation that processes any of these types of personal data on a large scale needs to make sure that it is legally permitted to do so, and that the software and processes necessary to mitigate any identified risks are in place.

Which types of Software Company does the GDPR impact?

Just like any other business, Europe’s software companies are themselves impacted by the advent of the GDPR. They must make sure that the software they create, together with the methods they use, is GDPR compliant. This is equally true for software companies based outside of the European Union that process the personal data of citizens of EU member states. Obviously, businesses located outside the EU only have to comply with the GDPR when dealing with the personal data of EU residents.

Nonetheless, it is probably impractical to divide customers geographically into two different work systems in order to handle their personal data in separate ways. It is much simpler to apply the software, processes and procedures that the business has put in place to ensure GDPR compliance to all of the personal data that it handles.

In what way is software impacted – why does GDPR compliance require software upgrades?

As discussed above, it is clear that software companies are impacted by the GDPR. How, though, is the software that those companies produce affected?

One of the most significant requirements of GDPR-friendly software is that it must provide a method for explicit consent to be obtained from the data subject. There are a small number of exceptions to the legal requirement that consent be provided prior to the processing of personal data; however, if consent is in fact the reason relied upon for the processing, the following criteria must be satisfied:

  • It must have been given freely and have been fully understood.
  • It must have been given independently of other agreements.
  • It must have been given via a ‘positive action’; businesses can no longer use pre-checked tick boxes in order to obtain valid consent.

Effectively this means that, under the terms of the GDPR, a general software license agreement is insufficient as consent for an individual’s personal data to be processed. Consent must be obtained separately from this form of agreement. It is advisable to incorporate an entirely separate section to deal with consent. Remember that this must be done for all users, existing and new. Take care over how this consent is obtained: emailing current users directly will be considered direct marketing, which, when done without prior consent, is illegal under the conditions of the GDPR. You might wish to consider including information concerning consent on your business’ website and providing a link to any relevant software.

Store consent with the personal data it concerns

It is sensible to use software and systems that enable you to store consent in a manner in which it can be related to the personal data concerned. Being compliant with the GDPR is not enough; you must have at hand the documentation that proves your business is compliant. Maintain a record of the dates and times at which subjects provided their consent, together with details of the manner in which it was provided, plus copies of the consents themselves. By doing this, you are assuring yourself that you possess all of the required proof should you be asked to furnish it.

Remember that when requesting consent from subjects, it must be made easy for them to withdraw that consent later; e.g. when someone authorises your business to send them a regular newsletter, it should be simple for them to modify their records at any time, thereby withdrawing consent for the newsletter to be sent.

What information are customers entitled to access?

A fundamental principle of the GDPR is that data subjects should retain more control over the manner in which their personal data is maintained and used. This highlights just one of the many reasons why software upgrades to ensure GDPR compliance are crucial. You must guarantee that your business’ software allows customers the access to their data that they are entitled to.

This means that customers must have the ability to:

  • View or consult any of their personal data that is undergoing processing.
  • Access a complete record of the data held within a maximum of 40 days of the request. This is referred to as a “system access request” (SAR).
  • Amend data that is erroneous, or make a request that it be modified.
  • Make a request for their information to be forgotten. Customers may demand that all of their personal data that is held be permanently deleted. There might, however, be a small number of lawful reasons that mean a company does not have to – or is in fact unable to – comply with a request of this nature.
  • Be furnished with their data in a portable and machine-readable format. This new aspect of data protection has been introduced by the GDPR. Data subjects should henceforth be capable of transferring data between software solutions with relative ease. They now have the right to transfer their data to one of your business’ rivals.

The above freedoms are all guaranteed by the GDPR. It is for this reason that you need to make sure that your business has the correct software in place in order to ensure GDPR compliance.
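The consent-storage advice above (consent kept alongside the personal data it covers, with timestamps, capture method and copies of the wording, and withdrawal kept simple) and the portable, machine-readable export right are illustrated by the following added example; it is not code from the article. The subject, dates and consent wording are constructed sample values, and the class and method names are the author's own choices.

```python
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

@dataclass
class ConsentRecord:
    purpose: str            # what the consent covers, e.g. "newsletter"
    method: str             # how it was captured, e.g. "web form, unticked box"
    consent_text: str       # verbatim copy of the wording the subject agreed to
    given_at: str           # ISO 8601 UTC timestamp of the positive action
    withdrawn_at: "str | None" = None   # set on withdrawal; record is never deleted

@dataclass
class SubjectRecord:
    personal_data: dict
    consents: list = field(default_factory=list)   # full history, never overwritten

class ConsentLedger:
    """Keeps each subject's consent evidence next to the personal data it covers."""
    def __init__(self):
        self._subjects = {}   # subject_id -> SubjectRecord
    def register(self, subject_id, personal_data):
        self._subjects[subject_id] = SubjectRecord(dict(personal_data))
    def record_consent(self, subject_id, purpose, method, consent_text, now=None):
        ts = (now or datetime.now(timezone.utc)).isoformat()
        self._subjects[subject_id].consents.append(ConsentRecord(purpose, method, consent_text, ts))
    def withdraw(self, subject_id, purpose, now=None):
        # Withdrawal is recorded, not deleted, so the proof trail survives.
        ts = (now or datetime.now(timezone.utc)).isoformat()
        for c in self._subjects[subject_id].consents:
            if c.purpose == purpose and c.withdrawn_at is None:
                c.withdrawn_at = ts
    def has_consent(self, subject_id, purpose):
        return any(c.purpose == purpose and c.withdrawn_at is None
                   for c in self._subjects[subject_id].consents)
    def export_subject(self, subject_id):
        """Portable, machine-readable copy of the data and its consent history."""
        return json.dumps(asdict(self._subjects[subject_id]), indent=2, sort_keys=True)

def demo():
    # Constructed sample subject; the dates are chosen to match the GDPR start date.
    ledger = ConsentLedger()
    ledger.register("u-1001", {"name": "Alice", "email": "alice@example.com"})
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record_consent("u-1001", "newsletter", "web form, unticked box",
                          "Send me the monthly newsletter", now=t0)
    before = ledger.has_consent("u-1001", "newsletter")
    ledger.withdraw("u-1001", "newsletter", now=t0.replace(day=26))
    return before, ledger.has_consent("u-1001", "newsletter"), ledger.export_subject("u-1001")
```

The export carries both the personal data and every consent record, including the withdrawal timestamp, so the same document serves as the proof the article says you must keep at hand.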

72-hour limit on the reporting of data breaches

A requirement of the GDPR is that all data breaches must be reported to the relevant authorities within a maximum of 72 hours. The 72-hour clock starts “ticking”, so to speak, at the point when the business could reasonably be expected to have noticed that a breach had taken place. Your business needs to ensure that it is using the correct software and systems to guarantee that it can rapidly and effectively verify whether a data breach has occurred. As long as a business is capable of doing this, it should be compliant with this part of the GDPR.

Clearly, GDPR compliance software upgrades are of the utmost importance. You must make sure that your company has all of the correct software in place, in order to ensure that all of its processes comply with the GDPR. This should include the ability to analyse data so as to ensure that your company processes nothing but data that is accurate, relevant to its purposes and which it is still entitled to process.

Remember that it is not just as simple as updating your software either. Your business must also make sure that its staff have been fully informed of the impact of the GDPR. Almost all employees have a role to play in ensuring that the business remains GDPR compliant. Making sure that this happens, together with updating or replacing software, will help your company to comply with the GDPR. Ultimately, this should help to protect your business from the significant fines and sanctions that failure to respect the GDPR may attract.