The EU GDPR (General Data Protection Regulation) replaced the Data Protection Directive 95/46/EC. Its purpose is to harmonise data privacy laws across Europe, to protect and empower citizens, and to ensure organisations across the Union manage personal data better.

GDPR gives individuals more protection and control over how their data is held by organisations. This is going to have a huge impact on how businesses, government agencies and other organisations work. The deadline for compliance with the new law is May 25th 2018; after this time, organisations that are found to be non-compliant can face very significant fines.

What constitutes personal data?

Any information related to a natural person or data subject, that can be used to directly or indirectly identify the person. It can be anything including a name, photo, email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.

What will change on 25th May 2018?

It will no longer be enough to simply be compliant with the law; organisations will need to be capable of demonstrating their compliance with documented procedures and policies. Many of the concepts and principles of GDPR are much the same as those in the current Data Protection Acts 1988 and 2003. Companies that are already compliant with these Acts will already have the right approach for many aspects of data protection.

The main differences with existing data protection law are as follows:

Increased territorial scope

Organisations will need to ensure compliance even if they themselves aren’t based in the EU. So, for instance, if your data subjects reside in the EU but the data is processed elsewhere, you will still need to prove compliance. This applies to the supply of goods or services, whether paid for or not. Where a company is based outside of the EU, but processes the data of EU citizens, it will need to appoint a representative in the Union.

Penalties

An organisation in breach of GDPR can be fined up to 4% of its annual global turnover, or €20 million (whichever is the greater). This applies to both controllers and processors.

Consent

The conditions for consent have been strengthened – a request for consent must be legible and obvious. This means, for instance, that it can no longer be buried in a Terms and Conditions document, and the purpose for data processing must be attached to that consent. Consent must be clear and distinguishable from other matters, and provided in an easily accessible form, using plain language. It must be as easy to withdraw consent as it is to give it. Consent must be “freely given, specific, informed and unambiguous”.

Breach Notification

When there is a breach of personal data, organisations must notify the Data Protection Commissioner within 72 hours of becoming aware, if the breach is likely to “result in a risk for the rights and freedoms of individuals”. Data processors will also be required to notify their customers and the controllers without undue delay after first becoming aware of a data breach.

Right to Access

Data subjects have more rights under the GDPR, and will be able to seek confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose, from a data controller. When requested, a controller must provide a copy of this personal data, free of charge and in an electronic format, to the data subject.

Right to be Forgotten

The right to be forgotten (also known as Data Erasure) entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. This may happen because the data is no longer relevant to the original purposes for processing, or because a data subject withdraws their consent. When considering such requests, the controller is required to compare the subject’s rights to any “public interest” in the availability of the data.

Data Portability

The concept of data portability means that individuals can obtain and reuse their personal data for their own purposes across different services. This means they can transmit that data to another controller, from one IT environment to another in a safe and secure way, without hindrance to usability.

Privacy by Design

Privacy by design is a concept whereby privacy is built into a product or service from inception. Systems must be developed with appropriate technical and organisational measures that will allow them to meet the requirements of the GDPR, and controllers must ensure that only data that is absolutely necessary is held and processed. Limits should also be placed on who can access the data for the purposes of processing.

Data Protection Officers

The current requirement to notify data processing activities to local DPAs will be replaced by a requirement to maintain internal records. For those controllers and processors whose core activities consist of processing operations which require regular/systematic monitoring of data subjects on a large scale, or of special categories of data, it will be necessary to appoint a Data Protection Officer (DPO). The requirements for a DPO are as follows:

  • They must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices
  • They can be an existing member of staff or an external service provider
  • Their contact details must be provided to the relevant DPA
  • They must have appropriate resources to carry out their tasks and maintain their expert knowledge
  • They must report directly to the highest level of management
  • They mustn’t carry out any other tasks that could result in a conflict of interest

What will the changes mean for your company?

It’s very important to be ready for the deadline, and there is now less than a year to prepare. Companies should start by assessing their existing level of compliance, and take steps to address any issues.

Some initial steps are recommended:

  • Ensure that key departments are aware that the law is changing, so they can anticipate the impact of GDPR.
  • Put in place an ongoing awareness campaign for staff, with training for those who are directly concerned.
  • Document what personal data is held, why it is held, where it comes from, and who it is shared with.
  • Review existing privacy notices and policies, and make any necessary changes.
  • Review procedures to address the new rights that individuals will have.
  • Plan how to handle requests within the new timeframes, and provide the required information.
  • Identify and document the legal basis for each type of data processing activity.
  • Update any relevant contracts with third parties.
  • Review how consent is sought, obtained and recorded.
  • Make sure procedures are in place to detect, report and investigate data breaches.
  • Appoint a Data Protection Officer to take responsibility for data protection compliance.

It’s important to remember that companies don’t just have to make sure they are compliant; they will be expected to prove they are compliant. All organisations that manage personal data, no matter how small or large, will be expected to have the processes and policies in place to manage data correctly. Amended procedures should cover the enhanced rights that individuals will have, and lay out clearly how any data held can be provided in a commonly used format, or deleted if so required.

Access requests must be handled within the new timescale of 30 days, and in most cases you will not be able to charge a fee for handling such requests. It may be necessary to redact records before they are sent to the data subject, so for companies that handle significant numbers of requests, this shorter response time could prove significant.

As you can see, GDPR is going to affect every aspect of business, so it’s time to start getting familiar with the regulation and ready for compliance. Many organisations will need to seek independent legal advice to develop new procedures and policies, or to review specific issues.

The implications for personal data that is stored in the cloud should not be underestimated. Have a read of our blog about how having seamlessly integrated cloud applications can be a great advantage for GDPR compliance.