Readiness Plan for GDPR Compliance
The General Data Protection Regulation (GDPR) is a comprehensive new data protection law that aims to strengthen and harmonize the security and protection of personal data throughout the European Union (EU). The GDPR replaces the EU Data Protection Directive, also known as Directive 95/46/EC, and went into effect (and became enforceable) on May 25, 2018. The GDPR places data privacy (and security) obligations on two broad categories of individuals/organizations – “Data Controllers” and “Data Processors” who collect, process, and use personal data of data subjects who are in the EU. Generally speaking, Data Controllers determine the purposes and means of the processing of personal data, whereas the Data Processors perform a variety of “processing” activities on behalf of the Data Controller.
While many of the GDPR principles build on current EU data protection rules, the GDPR adds significant new requirements governing the processing of personal data, including new rights for data subjects, additional obligations for Data Controllers and Data Processors, and changes in enforcement mechanisms and fines.
This page provides a broad overview of the LawLogix/Edge GDPR readiness plan, which specifically covers three important areas: (1) LawLogix security and privacy controls as a Data Processor; (2) contractual requirements; and (3) initiatives to help our clients satisfy their own GDPR obligations.
At the outset, it is important to note that GDPR does not apply to every business or organization that interacts with EU data subjects. Specifically, the GDPR impacts the processing of personal data by businesses “established” within the EU as well as those outside the EU if their data processing activities relate to the offering of goods or services to individuals in the EU or to the monitoring of such individuals’ behavior. This so-called “territorial scope” is somewhat broad (and not clearly defined), and therefore organizations will ultimately have to determine whether and how the GDPR applies to them based on the facts at hand.
In the immigration practice context, GDPR’s applicability may depend upon a variety of factors including the location of the immigration practitioner, the context of the processing activities, and the location of the immigration beneficiary (to name just a few). In addition, depending upon the type of immigration case, an immigration practitioner may be a Data Controller or a Data Processor. In either of those situations, LawLogix will likely fall into the category of a Data Processor to the extent that we provide a cloud-based solution for the processing of immigration data.
LawLogix Readiness Plan
LawLogix has initiated a multi-step plan to address the new GDPR requirements in our processes and software, which includes the following initiatives:
- Updating and validating data security practices (including the maintenance of our Privacy Shield self-certification to support international data transfers)
- Contractual terms and conditions (“GDPR Data Processing Agreement”)
- Assisting clients with their GDPR obligations (including new features and functionality in Edge)
In addition to the initiatives outlined above (and described below in more detail), LawLogix will continue to monitor available guidance concerning GDPR compliance from privacy-related regulatory bodies and make adjustments as needed.
As a Data Processor, LawLogix has direct responsibility to ensure the security of our data processing activities, and we have accordingly updated our privacy and information security programs. This included review and analysis of the following broad areas:
- Integrity and access protection
- Risk management
- Incident management
- Breach notification
- Change management
In addition, it’s important to note that as a division of Hyland Software, Inc., LawLogix has completed the EU-U.S. Privacy Shield Certification by the U.S. Department of Commerce. Participation in the Privacy Shield program facilitates the transfer of personal data from the EU to the U.S. In addition to the pre-existing requirements under the EU-U.S. Safe Harbor, the Privacy Shield requirements include:
- Accountability for onward transfers
- Monitoring and regulatory enforcement
- Dispute resolution
- Audit trail documentation and reporting
The Hyland Privacy Shield Policy (in which LawLogix is included) is available online at: https://www.onbase.com/en/legal/privacy-shield-policy.
The Hyland certification page can be viewed at: https://www.privacyshield.gov/participant?id=a2zt0000000Gnk1AAC.
Organizations using the Edge immigration case management system can benefit from a variety of out-of-the-box functionality and built-in security controls to help them achieve their GDPR objectives. For example, Edge supports GDPR compliance initiatives through the following:
- Security and data protection: The Edge application is highly secure by design – from development to post-launch support – with a team that continuously enhances and improves security protocols. Our security practices ensure that critical information like personal data and documents is protected at every stage: while at rest, while in use, and while in transit from your computer to our servers.
- Records Management: Organizations can use Edge to uphold individual privacy rights by securely storing, protecting and destroying immigration case related information. This supports GDPR privacy mandates, such as an individual’s right to have their data erased (‘right to be forgotten’).
- Data management and findability: Edge enables organizations to securely and efficiently manage individuals’ sensitive and personal data through detailed reports and searching – facilitating the quick retrieval of information to fulfill the request of a data subject.
- Obtaining and Recording Consent through the Edge Portal: practitioners will be able to display a GDPR-specific consent notice (to be drafted by the practitioner) through the FN and HR portals and obtain the data subject’s specific and unambiguous consent to the processing of personal information (including “special category data” as defined by the GDPR) through an “Opt in” mechanism. Consent obtained in this fashion will be separate from any other terms and conditions presented in the Edge application, and may be requested from the data subject on a per-process basis. Consent responses will be captured and stored in the data subject’s OnDocs record, and Edge will send email notifications to Case Managers and Responsible Attorneys when consent is granted, denied, or withdrawn at a later date.
- Consent by Email: practitioners can utilize a GDPR-specific Sure Messaging template (to be drafted by the practitioner) to request consent from an existing foreign national by email. Initially, this feature will not include the ability to capture the consent through an opt-in mechanism (this will be added in a future enhancement), so practitioners will need to ask the individual to simply respond via email.
- Data Portability: data subjects can request a copy of all collected data obtained or submitted through the Edge interface. Initially, organizations will be instructed to utilize existing functionality in Edge to produce this data, but a future enhancement will introduce the ability to obtain a complete copy in a single automated step that produces a zip file.
Next Steps for your Organization
In order to utilize some of these new Edge enhancements and otherwise comply with GDPR requirements, immigration practitioners should develop their own GDPR readiness plan which includes (at a minimum) the following important decisions and tasks:
- GDPR Awareness and Evaluation: Practitioners should carefully review the GDPR text and available guidance to determine whether the requirements and obligations will be applicable to their particular practice. As mentioned above, GDPR may not affect all immigration practitioners in exactly the same way, and may not apply at all if the organization’s clients are not in the EU.
- Data Mapping: Practitioners should document the personal data that they collect, retain, and transmit to other organizations, including exactly where this data is stored and the security precautions that are taken. For example, organizations will want to note if personal data is stored on network drives, computers, and email servers as well as in physical case files.
- Data Processing Practices: Practitioners should review current data processing procedures to ensure they cover all of the various rights of EU data subjects including:
  - Right to be informed
  - Right to access
  - Right to rectification
  - Right to erasure
  - Right to restrict processing
  - Right to data portability
  - Right to object
  - Right not to be subject to automated decision-making including profiling
- Consent: If practitioners plan to utilize consent as a lawful basis for data processing, practitioners should draft a clear, concise, and unambiguous consent statement which includes the name of the organization, names of any third parties involved (including LawLogix), data needed, specific purpose, intent for the data, and instructions regarding withdrawal of consent. This consent template may be used in Edge once the consent feature described above is released.
- Official GDPR website: https://www.eugdpr.org
- GDPR Regulation (neatly arranged): https://gdpr-info.eu
- Guide to GDPR (from UK Information Commissioner’s Office): https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr