GDPR, What you need to know now.
DISCLAIMER: The Author accepts no responsibility for any damages or costs caused or incurred by using this document or following the information contained in it. This is NOT legal advice.
What does GDPR stand for?
General Data Protection Regulation
Why GDPR?
The European Commission set out plans for data protection reform in January 2012, with the stated mission of making Europe ‘fit for the digital age’. It took almost four years for agreement to be reached on what was involved and how it would be enforced.
The biggest component of those reforms, the General Data Protection Regulation (GDPR), came into effect on 25th May 2018. It is an EU-wide framework that applies to organisations in every member state and affects businesses and individuals not only across Europe but globally: an organisation based outside Europe must still comply if it offers goods or services to people in the EU, or monitors their behaviour, and in doing so handles their personal data.
In December 2015, when the reforms were agreed, Andrus Ansip, vice-president for the Digital Single Market said “The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information”.
What is GDPR?
GDPR is designed to give individuals in the EU more control over their personal data. It also aims to simplify the rules so that citizens and businesses in the EU can get maximum benefit from the ‘digital economy’.
Many of the laws and obligations surrounding personal data, privacy and consent were outdated. The latest reforms are designed for the internet-connected world we live in today, where nearly every aspect of our lives revolves around the collection and analysis of our personal data. Governments, banks, social media networks and mobile apps record what we buy, what we read, where we go and what we eat, and this ‘data’ and more is willingly pushed into the public domain by almost 3 billion people worldwide (Source: https://www.internetworldstats.com) and by the 85.7% of Europeans who are connected to the internet (Source: https://www.internetworldstats.com/stats9.htm#eu).
Source: https://www.internetworldstats.com (graph: https://www.internetworldstats.com/images/world2017Q4pie.png)
Who does GDPR apply to?
GDPR applies to any organisation operating within the EU, and also to organisations outside the EU that offer goods or services to individuals or businesses in the EU, or that monitor the behaviour of individuals in the EU.
That means almost every major business in the world needs to pay attention to GDPR.
Article 4 of the General Data Protection Regulation identifies two different types of data handler that the legislation applies to: data ‘controllers’ and data ‘processors’.
What is a Data Controller?
A Data Controller is a “person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing of personal data”.
What is a Data Processor?
A Data Processor is a “person, public authority, agency or other body which processes personal data on behalf of the data controller”.
The UK’s Information Commissioner’s Office (ICO) is the authority responsible for registering data controllers, taking action on data protection issues and handling concerns about the mishandling of data in the UK. The ICO states: “You now have significantly more legal liability if you are responsible for a breach. These obligations for data processors are a new requirement under the GDPR”.
GDPR places direct obligations on data processors, for example to keep records of their processing activities and to keep personal data secure, with a much higher level of legal liability in the event of a breach.
Data controllers also need to ensure that all their contracts with data processors are compliant with GDPR.
What is GDPR compliance?
Data breaches are widely accepted as, and frighteningly often are, commonplace. There are many ways our personal data can end up in the hands of people with malicious intent who were never supposed to have access to it.
Under GDPR, organisations now have to ensure that personal data is gathered under strict legal conditions, and those who collect and manage it are obliged to protect it or face serious penalties and hefty fines.
What does GDPR mean for you?
GDPR expanded the previous definition of personal data to include not only name, address and photographs but also things like an IP address, biometric data and genetic data: in fact any piece of data that could, on its own or in combination with other data, be used to identify an individual directly or indirectly.
What does GDPR mean for businesses?
GDPR is a single set of rules that applies to all companies doing business within EU member states, and its reach extends beyond the borders of Europe itself: many international organisations based outside Europe that conduct activities on ‘European soil’ still need to comply.
The European Commission hopes to save €2.3 billion annually across Europe by making it simpler and cheaper for businesses to operate. It also claims GDPR will encourage innovation by persuading companies to build data protection safeguards, such as ‘pseudonymisation’ of data, into new products and technologies at the initial development stage, fostering a ‘data protection by design’ culture.
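Pseudonymisation is named above as the kind of safeguard ‘data protection by design’ is meant to produce, and IP addresses are named earlier as personal data. The example below, added here and not part of the original document, shows the difference between a keyed pseudonym and a naive unkeyed hash: an unkeyed hash of an IP address can be reversed by simply trying every address in the block, while an HMAC with a separately held key cannot, yet still lets the key holder link records about the same person and re-identify them when there is a lawful need. The records, addresses (the 203.0.113.0/24 documentation range) and function names are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample records for the demonstration; not real people.
# 203.0.113.0/24 is a reserved documentation range.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "ip": "203.0.113.7", "item": "book"},
    {"email": "bob@example.com", "ip": "203.0.113.42", "item": "lamp"},
    {"email": "alice@example.com", "ip": "203.0.113.7", "item": "pen"},
]

# Fields that directly identify a person and must not be stored in the clear
# in the analytics copy of the data set.
DIRECT_IDENTIFIERS = ("email", "ip")


def naive_hash(value: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but for a small input space (an IP
    range, a list of customer e-mails) it is reversible by guessing."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). The key is the 'additional information'
    that GDPR requires to be kept separately from the pseudonymised data,
    e.g. in a secrets store the analytics team cannot read."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_records(
    records: Iterable[Dict[str, str]],
    key: bytes,
    fields: Iterable[str] = DIRECT_IDENTIFIERS,
) -> List[Dict[str, str]]:
    """Return copies of the records with every identifier replaced by its
    pseudonym. The same input always maps to the same token under one key,
    so records about one person can still be linked for analysis."""
    out = []
    for record in records:
        copy = dict(record)
        for field in fields:
            if field in copy:
                copy[field] = pseudonymise(copy[field], key)
        out.append(copy)
    return out


def reidentify_by_dictionary(
    token: str, candidates: Iterable[str], digest: Callable[[str], str]
) -> Optional[str]:
    """The attacker's (or the key holder's) view: hash each guess with the
    given digest function and compare it with the stored token."""
    for candidate in candidates:
        if hmac.compare_digest(digest(candidate), token):
            return candidate
    return None


def ipv4_block(prefix: str = "203.0.113.") -> List[str]:
    """Every host address in a /24: only 256 guesses are needed, which is why
    an unkeyed hash of an IP address is not a meaningful safeguard."""
    return [f"{prefix}{host}" for host in range(256)]


def new_key() -> bytes:
    """A fresh 256-bit pseudonymisation key; store it apart from the data."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_key()
    stored = pseudonymise_records(SAMPLE_RECORDS, key)
    print("pseudonymised:", stored)
    # Unkeyed hash of an IP address: trivially reversed.
    weak = naive_hash("203.0.113.42")
    print("naive hash reversed to:", reidentify_by_dictionary(weak, ipv4_block(), naive_hash))
    # Keyed pseudonym: the same guessing attack fails without the key.
    strong = stored[1]["ip"]
    print("HMAC reversed without key:", reidentify_by_dictionary(strong, ipv4_block(), naive_hash))
    print("HMAC reversed with key:", reidentify_by_dictionary(strong, ipv4_block(), lambda v: pseudonymise(v, key)))
```

The point of keeping the key separate is that the pseudonymised data set on its own no longer identifies anyone, while the controller can still honour a subject access or erasure request by recomputing the tokens with the key. Rotating the key produces an unlinkable new data set, which is the right thing to do when the original purpose of the analysis has ended.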
What does GDPR mean for consumers?
So that individuals can take appropriate measures to prevent leaked personal data being abused, organisations must report a breach to the supervisory authority within 72 hours of first becoming aware of it where it is likely to result in a risk to people’s rights and freedoms. Where the breach is likely to result in a high risk to individuals, such as financial loss, loss of confidentiality, discrimination, economic or social disadvantage, or reputational damage, the affected individuals must also be told without undue delay.
To highlight how frequently data leaks occur, the data privacy website itgovernance.co.uk reported 20,836,531 records leaked in March 2018, in the run-up to the launch of GDPR.
Consumers now have more control over how their personal data is processed, with companies and government bodies now being required to explain, in a clear and understandable way, how they intend to use customer information and requiring them to actively opt-in to receive specific emails and texts. Furthermore, consumers should be provided with an easy way of opting out, if they change their minds about their details being on a mailing list.
When is a Data Protection Officer required?
An organisation must appoint a Data Protection Officer or DPO, if it is a public authority, or if it carries out large-scale processing of special categories of data, or large scale monitoring of individuals such as behaviour tracking.
But all organisations need to ensure they have the skills and staff necessary to be compliant with GDPR.
There are no set criteria on who should be a DPO or what qualifications they should have, but according to the Information Commissioner’s Office they should have professional experience and knowledge of data protection law proportionate to the processing the organisation carries out.
What are the GDPR fines and penalties?
Fines of up to 20 million euros or four percent of the company’s annual global turnover, whichever is greater, can be imposed for failure to comply with GDPR, depending on the severity of the infringement. There are two tiers.
Ignoring subject access requests, unauthorised international transfers of personal data, or failing to put procedures in place, resulting in infringements of the rights of data subjects, can mean a fine of up to 20 million euros or four percent of worldwide annual turnover (whichever is greater).
Companies can be fined up to half that for mishandling data in other ways: up to 10 million euros or two percent of worldwide annual turnover (whichever is greater) for failing to report a data breach, failing to build in privacy by design, or not appointing a data protection officer where one is required.
Brexit and GDPR?
Although the UK is poised to leave the EU at the end of March 2019, ten months after GDPR became law across the EU, data subjects in the UK will not be treated any differently. The UK government has said that Brexit will not affect its implementation of GDPR, which has been implemented hand in hand with the UK’s own new data protection legislation.
Part II: Check your GDPR compliance – are you doing these 12 things?
Awareness
Have you communicated with people in your business about GDPR and what they need to do to be compliant?
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR. It would be useful to start by looking at your organisation’s risk register, if you have one. Implementing the GDPR could have significant resource implications, especially for larger and more complex organisations. You may find compliance difficult if you leave your preparations until the last minute.
Information your business holds
Have you documented what personal data you hold, where it came from, and who you share it with?
If necessary did you do an Information Audit?
The GDPR requires you to maintain records of your processing activities.
It updates rights for a networked world. For example, if you have inaccurate personal data and have shared this with another organisation, you will have to tell the other organisation about the inaccuracy so it can correct its own records. You won’t be able to do this unless you know what personal data you hold, where it came from and who you share it with. You should document this. Doing this will also help you to comply with the GDPR’s accountability principle, which requires organisations to be able to show how they comply with the data protection principles, for example by having effective policies and procedures in place.
Communicating privacy information
Have you updated your privacy notices to clearly state what data you collect, and what you do with it?
When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain to the ICO if they think there is a problem with the way you are handling their data. The GDPR requires the Information to be provided in concise, easy to understand and clear language. The ICO’s Privacy notices code of practice reflects the new requirements of the GDPR.
Covering all Individuals’ rights?
Do your procedures adequately cover all the rights (listed below) that individuals have, including how you would delete personal data or provide data electronically in a commonly used format?
The GDPR provides the following rights for individuals:
∙ the right to be informed;
∙ the right of access;
∙ the right to rectification;
∙ the right to erasure;
∙ the right to restrict processing;
∙ the right to data portability;
∙ the right to object; and
∙ rights in relation to automated decision making and profiling.
On the whole, the rights individuals will enjoy under the GDPR are the same as those under the DPA but with some significant enhancements. If you are geared up to give individuals their rights now, then the transition to the GDPR should be relatively easy. This is a good time to check your procedures and to work out how you would react if someone asks to have their personal data deleted, for example. Would your systems help you to locate and delete the data? Who will make the decisions about deletion?
The right to data portability was new in the GDPR legislation. You need to make sure you have procedures in place to accommodate this.
The right to data portability only applies:
∙ to personal data an individual has provided to a controller;
∙ where the processing is based on the individual’s consent or for the performance of a contract;
∙ when processing is carried out by automated means.
You will need to provide the personal data in a structured commonly used and machine readable form and provide the information free of charge.
Dealing with subject access requests
Do you have procedures in place to handle requests from data subjects to access their data?
In essence you need to:
- provide this service free of charge;
- complete requests within one month;
- where a request is manifestly unfounded or excessive, you may refuse it (or charge a reasonable fee), but you must explain why.
If your organisation handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly. You could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online.
Lawful basis for processing personal data
You need to identify the lawful basis for processing data, document it and update your privacy notice to explain it. (to comply with GDPR accountability requirements)
Many organisations will not have thought about their lawful basis for processing personal data. Under the current law this does not have many practical implications. However, this will be different under the GDPR because some individuals’ rights will be modified depending on your lawful basis for processing their personal data. The most obvious example is that people will have a stronger right to have their data deleted where you use consent as your lawful basis for processing.
Consent
You should now be obtaining, recording and managing consent in accordance with GDPR. Every prospect in your database should have agreed to have their data processed by you by positively opting in to each type of communication you send. If not, they should have been removed from your list.
You should read the detailed guidance the ICO has published on consent under the GDPR, and use your consent checklist to review your practices. Consent must be freely given, specific, informed and unambiguous. There must be a positive opt-in – consent cannot be inferred from silence, pre ticked boxes or inactivity. It must also be separate from other terms and conditions, and you will need to have simple ways for people to withdraw consent. Public Authorities and employers will need to take particular care. Consent has to be verifiable and individuals generally have more rights where you rely on consent to process their data.
Children
If you offer services to children or handle data belonging to them, you should have parental consent recorded before processing the data of any child under 16 years of age.
For the first time, the GDPR will bring in special protection for children’s personal data, particularly in the context of commercial internet services such as social networking. If your organisation offers online services (‘information society services’) to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger then you will need to get consent from a person holding ‘parental responsibility’.
Data Breaches
Do you have the right procedures in place to detect, report and investigate a personal data breach?
The GDPR introduces a duty on all organisations to report certain types of data breach to the ICO, and in some cases, to individuals. You only have to notify the ICO of a breach where it is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
Data Protection Officer
Do you have a Data Protection Officer, if one is needed? Did you check whether you are formally required to have one?
You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer (DPO).
You must designate a DPO if you are:
∙ a public authority (except for courts acting in their judicial capacity);
∙ an organisation that carries out the regular and systematic monitoring of individuals on a large scale; or
∙ an organisation that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions. The Article 29 Working Party has produced guidance for organisations on the designation, position and tasks of DPOs.
Data Protection by Design and Impact Assessment
The GDPR made privacy by design a legal requirement, called ‘data protection by design and by default’. It also makes ‘Data Protection Impact Assessments’ (DPIAs) mandatory in certain circumstances, so you need to make sure any new projects you start are compliant.
A DPIA is required in situations where data processing is likely to result in high risk to individuals, for example:
∙ where a new technology is being deployed;
∙ where a profiling operation is likely to significantly affect individuals; or
∙ where there is processing on a large scale of the special categories of data.
Cross-border Processing
If you operate in several EU member states you should have identified your lead data protection supervisory authority and documented it. The Article 29 Working Party produced guidance on identifying a controller’s or processor’s lead supervisory authority.
The lead authority is the supervisory authority in the member state where your main establishment is. Your main establishment is the location of your central administration in the EU or, failing that, the location where decisions about the purposes and means of processing are taken and implemented.
Conclusion
There is no escaping the fact that, wherever they are physically located, now that GDPR is fully in force all organisations dealing with individuals in the EU (and in the UK post-Brexit) need to ensure they have carried out the necessary impact assessments and are compliant.