GDPR for IT contractors: how to comply -- and cash-in
So you’ve adopted the appropriate technical and organisational measures as advised in Part One of this GDPR overview, and realise these are necessary on an ongoing basis.
Now let's explore the four other of the five fundamentals to ensure that both you and your clients are GDPR-compliant on May 25th 2018 and beyond, writes Charlotte Gerrish, founding partner at Gerrish Legal.
2. Consider getting certified (if you haven’t done so already)
The GDPR[1] states that as an IT contractor, you need to be able to provide sufficient guarantees in terms of expert knowledge, reliability and resources, to be able to implement technical and organisational measures which will meet the requirements of the GDPR, including for the security of any data processing.
The GDPR states that if you are a member of an organisation which is governed by an approved code of conduct, or if you have been certified by an approved certification mechanism, this could be relied upon by your clients. This certification would allow them to demonstrate that they are compliant with their GDPR obligations of (in the event that they are the ‘data controller’), which is a great selling point in setting you apart from other so-called GDPR ‘experts.’
3. Make sure you respect Privacy-By-Design (and assist your clients with ‘PBD’).
Privacy By Design (‘PBD’) is one of the new obligations featuring in the GDPR. The reason for this concept is to ensure that all new projects which are likely to involve personal data are compliant with the law, and that data protection compliance is considered at the outset of any new project.
When you are staffed on an IT project, you should make sure that privacy is a key concern at the outset of the implementation of any new IT systems for storing or accessing personal data. You should do this when implementing any policies or strategies that have privacy implications or when carrying out personal data-sharing activities or if you, or your client, decide to use personal data for new purposes. In the past, privacy and legal issues have often been overlooked by companies when new services or systems are implemented, meaning that any potential problems are addressed after the fact.
IT contractors, you can really add value to your services here and avoid anything which could result in delay to projects, which would mean extra cost and a potentially adverse impact on your clientele. You should therefore closely follow the advice set out in the GDPR regarding PBD which states that:
“When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.[2]”
4. Add further value to your IT services by carrying out Privacy Impact Assessments on your services (and/or help your clients with their PIAs).
A Privacy Impact Assessment (a ‘PIA or sometimes a ‘DPIA’) is a document which shows how you have considered different categories of data, the processing mechanisms, the aim or any processing and whether the processing has any adverse impact on an individual’s privacy rights.
The GDPR says that a PIA needs to be carried out where: “processing operations are likely to result in a high risk to the rights and freedoms of natural persons, in order to assess and evaluate the origin, nature, particularity and severity of that risk. The outcome of a PIA should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with the GDPR[3].”
The aim of the PIA is therefore to evidence that you (and your client) have considered all of the issues relating to privacy rights. It also allows you to evidence any steps or measure that you have taken to safeguard these privacy rights.
For some helpful tips, the GDPR provides guidance as to what a PIA should include[4]:
- a systematic description of the envisaged processing operations and the purposes of the processing.
- an assessment of the necessity and proportionality of the processing operations in relation to the purposes set out above.
- an assessment of the risks to the rights and freedoms of individuals.
- the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.
5. Be prepared for Personal Data Breach Notifications -- and makes sure you can promptly provide good tracking and notification solutions to your clients
A personal data breach can result in damage and harm being suffered by individuals, such as loss of control over their personal data which could result in discrimination, identity theft or fraud, financial loss, damage to reputation, loss of confidentiality of personal data protected by professional secrecy.
To combat this risk, the GDPR has therefore made controllers and processors responsible for monitoring and reporting on data breaches.
Therefore, as soon you or your client becomes aware that a personal data breach has occurred, it needs to be notified to the ICO (or appropriate national supervisory authority if in another EU country). And in some cases, you/your client will also be required to notify the individual who has been affected -- without delay and at least within 72 hours, unless the breach is unlikely to result in a risk to individual privacy rights[5].
IT contractors, you can therefore provide added value to your clients when working on IT security and system implementation methods. For example, you can design ways to mitigate potential adverse effects, and ensure that all appropriate technological protection and organisational measures have been implemented to establish immediately whether a personal data breach has taken place.
In addition, you can ensure that you are able to limit the likelihood of identity fraud or other forms of misuse so that you and/or your clients can respect the 72-hour deadline, and evidence compliance in accordance with the GDPR[6].
Your next steps -- between now and May
The GDPR is a unique piece of legislation as the framework is obviously ‘legal’ and is based on privacy, data protection and European law principles, but the rules also contain many elements that are related to IT security, machine profiling, and other technical measures. It really does reside at the crossroads of Technology and Law.
It is therefore prudent to seek legal advice on the relevant compliance documents, such as template PIAs or PBD templates, Breach Notification Forms and Procedures. Not only will this look most impressive on your CV, LinkedIn profile or company website to prospective clients (or an existing one if you’re looking to retain your data-related role beyond May 2018), it will also allay age-old concerns they have about their bottom line, which may increase once the very first penalties are issued for non-compliance with the GDPR. A legal specialist such as us can safeguard you too, by ensuring that the Data Protection and GDPR obligations contained in your written agreements as a contractor are both fair and reasonable.
Remember, GDPR doesn’t have to be onerous. For IT contractors who immediately employ ‘the fundamental five’ (see four of them above, and the fifth in Part One), it actually smacks of a potentially lucrative opportunity. So take the time to understand the various principles because you can ensure that compliance is built into your day-to-day practices, so it becomes automatic. And more than that, if you have genuine expertise in IT Security, Information Systems and IT Project Management, you can rapidly use the GDPR to your advantage, evidencing the quality of your services, and using what some will see as no more than strict guidelines as a platform for you to create new revenue streams.
_
Editor’s Note: This is the final instalment of a two-part GDPR guide by Gerrish Legal founding lawyer Charlotte Gerrish, who has more than 10 years of legal experience at international law firms and companies in London. This overview of GDPR is for guidance purposes only and does not constitute definitive legal advice.
[1] See Recital 81 of the GDPR.
[2] See Recital 78 of the GDPR.
[3] See Recital 84 of the GDPR.
[4] See Article 35 of the GDPR.
[5] See Recitals 85 and 86 of the GDPR.
[6] See Recitals 87 and 88 of the GDPR.