The following article was written by Alexandra Cooke, Commercial, IP and Technology Associate, Hamlins LLP for Travel Law Today, 5th Edition which can be read here.
The EU General Data Protection Regulation (GDPR), which comes into force in May 2018, requires organisations to significantly change how personal data is handled. The changes in data protection legislation are a response to concerns regarding the impact of rapid technological development on the rights of data subjects. However, as well as being suggested by some as the problem, technology is also seen as a solution. However, can it provide all the answers?
Technological innovation at the heart of the GDPR
One of the key changes under the GDPR is the requirement for data protection to be designed into the fabric of business operations. Compliance will need to be the default modus operandi, especially for organisations dealing with large amounts of personal data, such as those in the travel sector. Adopting a “privacy by design” approach to data protection, and the use of “appropriate technical and organisational measures” to achieve compliance, are two catch phrases, which the travel sector will need to embrace for this new era of compliance.
The GDPR, and guidance from the Information Commissioner (ICO), envisages technology will, largely provide the answers to achieving some of the key data protection principles.
Consent is one ground that many organisations in the travel sector seek to rely on for processing personal data, particularly special category data, which the GDPR says, is more sensitive, and so needs more protection. Under the GDPR, consent can only be relied upon if it is given explicitly and unambiguously (for example organisations can no longer rely on pre-ticked boxes or silence). Data subjects must be able to withdraw their consent at any time, and fresh consent must be obtained from the data subject each time personal data is being used for a new purpose. The ICO recommends the best way for organisations to address these new requirements is to allow data subjects to manage their own consent preferences via an online portal. This is particularly relevant in the travel sector where customers will often have a user account and can easily opt-in (and, if they change their mind, opt out) to specified uses of their personal data, such as marketing and sharing with third parties (both of which require a separate consent).
Minimising personal data
Organisations will have to clearly identify how long they will keep each category of personal data (they must be able to justify this), and must delete all personal data exceeding this time limit. All personal data must also be accurate, up to date and necessary for the purpose for which it is being processed. Many organisations have vast quantities of personal data, which they no longer use, is likely out of date, and is now a huge liability. Database cleansing software can significantly speed up this spring-cleaning process. In addition, software can be used to ensure personal data is automatically deleted after a certain period, which is a step towards data protection by design and default.
Security and breach notification
The GDPR requires organisations to adopt “appropriate technical and organisational measure” to protect personal data such as the use of encryption, recording pseudonyms for a data record and other security technologies. When engaging third party data processors, organisations will also be required to ensure these third parties are contractually obliged to have certain security measures in place already. The ICO recommends organisations obtain a Cyber Essentials certificate, provided by the National Cyber Security Centre and a useful starting point for demonstrating a minimum level of security. Technology can also help organisations detect data breaches, identify impacted users and notify all relevant parties.
Data subject rights
Post May 2018, data subjects have greater rights to require organisations to disclose what personal information is held about them, and organisations will only have one month to deal with such requests (rather than the current 40 days). Technology, such as electronic filing systems and search functions on computers and handheld devices, can help organisations cope with a potential increase in such requests and to meet the tight turnaround time.
Technology can assist with creating and maintaining accurate and instantly accessible records that will enable organisations to demonstrate, both to the ICO and to customers, they are complying with the enhanced data protection requirements.
Is technology the solution?
There is no doubt technology can be an invaluable tool to assist with GDPR compliance, however it will not provide all of the answers.
The first, and arguably most important, step towards compliance is to carry out a data protection audit to understand your organisation’s current approach to data protection. For example:
- What categories of personal data does your organisation hold?
- What grounds do you seek to rely on for processing this personal data?
- How is personal data obtained?
- Where is it stored?
- How is it protected?
- What data protection policies and procedures do you have in place?
Technology will only help provide the answers to GDPR compliance if it is used to support a comprehensive and effective data protection strategy that is rooted in business reality and is based on co-operation and engagement across the whole organisation. Without people and policies, technology is only part of the solution.
Some things for organisations to think about prior to looking at technological solutions:
- Nominating a representative (ideally someone senior with oversight of the organisation) to take on the role of data protection officer.
- Engaging senior management and key stakeholders when devising your GDPR strategy. It is important the whole organisation is on board.
- Briefing all staff about the upcoming changes, their importance, and how the organisation is planning to tackle the changes (including a timeline).
- What training will you provide and to whom?
- Do you have clear and effective procedures for reporting data breaches and responding to subject access requests?
- Do you have a clear policy for engaging third party service providers? Do all agreements have the required data protection obligations?
- How will you regularly review and monitor the effectiveness of your GDPR strategy?