Building on previous data protection rules, the General Data Protection Regulation (GDPR) improves the security and controls required for protecting personal information and gives individuals strong and clear rights. It is a European Union regulation that impacts any organisation that comes into contact with personal information from any living individual in the European Union member states – that is, any organisation that deals with the EU.
With less than a year to go, all businesses should be in the final stages of proving compliance with the GDPR.
Fines are already on the increase, and from 25th May 2018 a personal data breach can attract fines of up to €20 million or 4% of your total worldwide turnover for the previous financial year. The reputational damage to a brand following a breach of data protection can also hit your bottom line.
If your organisation simply provides data processing services for other businesses, you are still bound by the GDPR.
There are real opportunities here. As well as avoiding regulatory fines, organisations that do comply with the GDPR will have a competitive edge by demonstrating to their customers that they value and respect their privacy and dignity. If you’re not compliant with the GDPR, you can bet your competitors will be.
Brexit will not change the need for your compliance with the GDPR. Britain has already signed up to the GDPR, so even if Britain does exit the EU you will still need to be compliant if you want to work with businesses or people from inside the EU.
Informing the Data Subject
Before data can be collected, the Data Subject must be specifically informed about what data is being collected, what will be done with it and who will have access to it, especially if the data will, at any time, leave the EU.
The way that people authorise the use of their data has changed. Businesses can no longer pre-tick boxes or offer an opt-out option; Data Subjects must actively opt in before their personal data can be used. The wording used to describe what data will be used, how and why it will be used, who it will be shared with and where it will go needs to be in clear and plain language, not hidden within the T&Cs. Consent must be freely given; it must be specific, informed and unambiguous.
Data breaches must be reported to the Supervisory Authority (SA) without undue delay and within 72 hours. If notification of the breach is given later than 72 hours, the Data Controller will need to justify the reasons for this.
Right to Access
Data Subjects can request access to any personal information that a Data Controller holds on them.
Right to erasure (right to be forgotten)
Unless there are any legal, public interest or similar reasons, the Data Subject has the right to force the Data Controller to delete all personal information held about them.
On request, personal data must be supplied to the Data Subject in a structured, commonly used and machine-readable format.
Data Protection by Design and by Default
Appropriate technical and organisational measures need to be considered to ensure that the business can meet the requirements of the regulation and protect the rights of the Data Subjects. The mantra needs to be the minimum possible data held or processed for the minimum possible time.
Data Protection Officers
Under the GDPR, your organisation may be required by law to appoint a Data Protection Officer (DPO). Organisations that are not required to appoint a Data Protection Officer by law are recommended to review their specific circumstances and decide whether it would be an advantage to voluntarily appoint one.
Automatic decision making and profiling
The Data Subject has a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or other similar effects concerning him or her.
Requests from the Data Subject
The Data Subject may request access to their personal data, request rectification of any incorrect data, or request restrictions on or object to the processing of their personal information. Requests to restrict or cease processing personal data must be granted unless the Data Controller can demonstrate a compelling legitimate reason for the processing.
When processing the personal information of children under 16, parental or guardian consent is now mandatory. Certain EU member states may set slightly different ages for children, which will be detailed in a derogation.
If you do not yet have a clear plan to achieve GDPR compliance, then you need to move quickly. The points below are worth considering and will help you to shape your GDPR journey.
- Make sure that your organisation is aware of GDPR and how it could impact your business.
- Understand how data flows through your business and any 3rd parties that you use, e.g. local systems and storage, remote data centres and backup facilities, and laptops that may travel outside of the EU.
- Minimize the data – minimize the risk. Do you need all of the personal data that your business currently holds? Have you got the right and lawful justifications to process it?
- Understand how the geography of your organisation, and that of your 3rd party suppliers, impacts your ability to comply with GDPR. Consider the controls that you need to put in place to comply.
- Having a DPO involved in the early stages will help you to identify personal data risks, advise you on GDPR compliance and liaise with the SA on any GDPR matters.
- Consider whether you need a Data Protection Officer (DPO). Is it mandated or recommended for your type of business? Do your business needs justify a full-time DPO, or would it better suit your business to work with a DPO service provider?
This blog was kindly written by John Burridge. If you would like to know more about how GDPR will impact your organisation, you can get in touch with John or contact us to find out how we can help you.