What is GDPR?
The General Data Protection Regulation (GDPR) applies from 25 May 2018. It is designed to create a single data protection law across the EU. In the UK, GDPR replaces the 20-year-old Data Protection Act 1998 and gives the regulator significantly greater powers to punish non-compliance.
Who does it impact?
Any business or organisation established in the EU that holds or processes personal data. It also applies to any business or organisation, wherever it is located, that offers goods or services to, or monitors the behaviour of, individuals in the EU.
What information does it apply to?
Personal data, meaning any information relating to an identifiable natural person (for example customers, business partners or employees) who can be directly or indirectly identified from it. The main obligations and individual rights GDPR introduces are as follows:
- You must have a lawful basis for holding data on a person (consent is one of six lawful bases, not the only one), and be able to explain why you hold that data and for how long
- A person can ask you for the information you hold on them and you are obliged to provide it, normally within one month and free of charge. Information includes written and digital records
- A person has the right to ask you to erase their details from your records, and you must do so unless you have a lawful reason to keep them
- If you transfer personal data outside the EU/EEA, the transfer is only permitted where the destination provides an adequate level of protection or appropriate safeguards (such as standard contractual clauses) are in place, and the data must of course be protected in transit and at rest.
This makes sense, but it will require some investment of time and/or money by all organisations to comply.
Who is the regulator?
The Information Commissioner’s Office (ICO) is the UK regulator and will have powers to impose fines for non-compliance of up to €20 million or 4% of annual worldwide turnover, whichever is higher. Non-commercial organisations face the same fines, as well as reputational damage and compensation claims from those affected.
Where do I start?
With only a couple of months to go until GDPR becomes enforceable, businesses & organisations should start by carrying out a comprehensive audit of current data privacy and cybersecurity practices to ensure they comply with GDPR. The ICO have a set of guidelines for you to follow but here are a few of the areas you can start to review:
Data: Map your data so that you understand where it is held, which of it is personal or sensitive (special category) data, and where it comes from and goes to. This will help you work out, for each processing activity, whether you are acting as a data controller or a data processor.
- Data Controllers – A controller determines the purposes and means of processing personal data.
- Data Processors – A processor processes personal data on behalf of a controller.
This is vital to understand because, for the first time, both roles have direct legal obligations under the new regulations, and where both are involved in a breach they can be held jointly and severally liable for the damage caused.
Privacy: Understand the new and strengthened rights of individuals, including the rights to:
- Erasure (deletion of their data when it is no longer needed for the purpose it was collected for, or when consent is withdrawn)
- Object to processing, including an absolute right to object to direct marketing
- Data portability (having their data transferred to another controller in a machine-readable format, where processing is based on consent or on the performance of a contract).
Consent: GDPR requires you to give individuals clear, detailed privacy information. Where you rely on consent, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; pre-ticked boxes and silence do not count. Consent must also be granular: separate consent is needed for each distinct purpose for which the data is used.
Businesses/organisations will need systems to record who consented, to what, when and how, because you must be able to demonstrate that consent was given; an unrecorded verbal acknowledgement cannot be evidenced and so will not be compliant.
Contracts: Under GDPR you will need to review and amend contracts to include clauses ensuring your suppliers are required to give you:
- Notification of any data breaches
- Assistance with any subject access request
If you supply a service or product, you may find your customers and business partners asking you to do the same thing.
What do I do in the event of a breach?
Businesses/organisations must implement appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss, destruction of or damage to personal data.
Under GDPR, a personal data breach that is likely to result in a risk to individuals must be reported to the supervisory authority (in the UK, the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to the affected individuals, they too must be notified without undue delay. Keep a record of every breach, including those you decide not to report, and the reasoning behind that decision.
Where can I go for help?
The ICO website is excellent, here is the link: Information Commissioner’s Office
Don’t panic! Use the links below to download the GDPR checklist and guide to make a start today!
Please note: These recommendations are our interpretation of GDPR from information on the ICO website and seminars we have attended. You may need to seek legal advice for contracts, policies and IT advice for encryption/security of systems and hardware.