As previously covered in Global Mobility Insider, the European Union's (EU) General Data Protection Regulation (GDPR), coming into force on 25th May 2018, will significantly strengthen current data protection laws worldwide. Although substantial financial penalties will now become available for all types of personal data infractions, particular attention will be given to the handling of what the European Commission is currently calling special, or sensitive, personal data.
GDPR defines special personal data as that which may reveal the racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of a person; genetic data, biometric data for the purpose of uniquely identifying a natural person; data concerning health or data concerning a natural person’s sex life or sexual orientation. This data could be that which explicitly states one of the items on this list, or even just information that implies it.
Some organisations are pushing back against these definitions, though, and are arguing that the same standards of care should be applied to all data held by businesses instead of using extra safeguards for certain types of information. These groups point out that although email addresses are not sensitive in themselves, when coupled with passwords they become extremely sensitive, as they potentially allow access to a wide variety of personal data, especially as many people still use one password for all of their online accounts. As such, the particular rules around such data may change in the future, but they are definitely here to stay for the time being, and should be studied carefully.
Although many will find it harder in practice than it sounds, the first move should be to step away from all special data unless it is critical to business tasks. Many companies will find that they hold some of this information in their archives but do not actually need it to carry out their customer services.
For this reason, it is a good idea for all businesses, whether small, medium, or large, to carry out a full data audit throughout the company, carefully cataloguing the types of data kept. This exercise will also accurately identify how the data is processed and shared throughout your organisation and beyond, another critical point for becoming GDPR compliant. Once the audit is complete, compare the data held against that which is required for business activities, and delete whatever is surplus to requirements according to GDPR guidelines.
For those that need some categories of special data to operate efficiently, extra safeguards should be put in place to guard against both accidental and deliberate breaches. For internal security, this could include restricting the number of employees who have access to the data or introducing additional data tracking techniques within your business to monitor the flow of the information. To protect against external leaks, ensure that data is stored with strong encryption, and pseudonymised where possible, to protect your clients if the worst were to happen.
Another essential step is to ensure that you have express permission from the individual to process and share their data in all of the ways required by your business. The GDPR legislation specifies that the person in question must have given consent that is freely given, specific, informed and unambiguous. If these four points are not explicitly met, then the consent is invalid, and you could be facing a significant financial penalty in the event of a problem.
If only a small amount of special personal data is required for critical tasks, such as the completion of immigration visas, it could certainly be beneficial to consider deleting the information from your system once the task has been completed. This reduces the risk of leaks, and therefore of fines in the case of unforeseen issues.
A large part of protecting against problems with special personal data needs to be carried out by educating staff about the importance of excellent data protection and the penalties for failures. There are now also a variety of software tools available for those in the relocations industry which are specially built not only to handle the pressures of the global mobility sector but are also created with GDPR in mind. Choosing a technology provider who can give you peace of mind when it comes to personal data security should become a top priority as we move into a new period of data protection with GDPR.