Monday, 10 July 2017

An Introduction to GDPR: Give Data Proper Respect!

The General Data Protection Regulation (GDPR) is getting a lot of column space, yet many businesses still have their head in the sand when it comes to its implications. We bust some myths and tell you what you need to know.

What is GDPR?

GDPR is a new set of regulations the European Parliament adopted in April 2016. It has been designed to improve data protection for individuals within the European Union (EU).

When does GDPR come into force?

GDPR is applicable from 25th May 2018.

If GDPR is an EU standard, does that mean it won’t apply to UK businesses after Brexit?

The GDPR does not only apply to EU domestic business. Every company in the world that holds data on European citizens will be affected and will have to comply with GDPR.

When GDPR comes into effect in May 2018, the UK will still be in the EU – so GDPR will come into UK law and all organisations in the UK will have to comply.

Even after the UK leaves the EU – and the UK is currently scheduled to leave on Friday, 29 March 2019 – UK organisations will need to comply with GDPR if they intend to continue to trade in other EU countries or hold, control or process data concerning EU citizens.

What does it mean for individuals?

GDPR is designed to give individual EU citizens additional rights and control over the data that organisations hold about them.

What additional rights will individuals have under GDPR?

• Right to be forgotten: individuals can request that personally identifiable data be erased.

• Right of access: individuals can review the data that an organisation holds about them.

• Right to object: individuals can refuse permission to use or process their personal data.

• Right to rectification: individuals can expect inaccurate personal information to be corrected.

• Right of portability: individuals can access the personal data held on them and have the right to transfer it.

Not only that, but an individual must understand – and give consent to – the uses that their data will be put to.

If the data is to be used for purposes other than those the individual has expressly consented to, you will need to confirm their consent for those new purposes.

What does it mean for businesses?

• Businesses may not store or use any person’s personally identifiable information without express consent from that person.

• If a data breach is detected, businesses have a responsibility to notify everyone affected by the breach and the supervising authority within 72 hours.

• Businesses that monitor data subjects on a large scale or conduct data processing must appoint a data protection officer.

• Businesses need to be able to demonstrate that they are complying with these requirements.

So, if GDPR relates to data, it’s an IT problem?

Don’t mistake GDPR for an IT issue: it requires a cultural change in the way we think about personal data. Organisations need to think about how personal data is obtained and from where, how it is used, where it resides, who it is shared with, how it is further processed, shared or used, and how it is secured – as well as how to demonstrate all of those considerations in the face of an individual request or a data breach.

To what kind of personal data does it relate?

The GDPR’s definition of personal data is more detailed and more expansive than the existing UK Data Protection Act (DPA). It makes it clear that even an online identifier such as an IP address can be personal data.

Does it apply to all businesses?

Big consumer-facing organisations will be most affected by GDPR.

However, any organisation that provides support to these organisations and touches their data – such as software providers, cloud providers, or outsourcing companies – will need to ensure that they also comply with GDPR.

GDPR does make the distinction between data controllers and data processors and outlines specific legal obligations for each. Processors of data will be required to maintain records of personal data, consent, and processing activities. Processors will have more legal liability in the event of a data breach. However, even as a controller you must be able to demonstrate you are complying with GDPR.

What are the penalties if you don’t comply with GDPR?

Companies face strict fines for not complying with GDPR standards – these can amount to up to 4% of annual global turnover or €20 million.

What should organisations be doing now to prepare for GDPR?

The first step is to get legal advice from a specialist in EU GDPR to ensure that your efforts to meet the GDPR’s requirements are well directed.

In addition to the points we’ve mentioned above, you will also need to conduct Data Protection Impact Assessments (DPIA) and have integrated measures to ensure data protection. You will need to establish a DPIA framework which integrates with existing risk management and data processing activities.

It is also important to be talking to your IT, cloud, and marketing suppliers about their compliance with GDPR. You will need to add clauses into your contracts with them, and your terms and conditions for customers, about how you and they are handling and managing personal data.

How are the major Cloud providers responding to GDPR?

Most cloud service providers are taking steps to protect the data they hold before GDPR comes into effect.

For example, Microsoft – one of the biggest global cloud providers – has committed to meeting the requirements of the GDPR.

Brendon Lynch, Microsoft's chief privacy officer, described GDPR as “the most significant change to European Union (EU) privacy law in two decades… Complying with the GDPR will not be easy. To simplify your path to compliance, Microsoft is committing to be GDPR-compliant across our cloud services when enforcement begins on May 25, 2018.”

What does GDPR-compliant mean?

Many analysts have argued that there is no such thing as GDPR compliance – you aren’t going to get a certificate on the wall and no one is going to audit your organisation for compliance.

However, you do need to be able to comply – and prove that you comply – in the event of a data breach or an individual request.

Who will be enforcing the GDPR?

In the UK, the supervising authority is the Information Commissioner’s Office (ICO).

It has published a toolkit to help SMEs prepare for GDPR as well as outlining the current obligations under DPA.

Where can I get more information about my obligations under GDPR?

The ICO offers a great deal of advice online.

It has published a document detailing 12 steps to take now to prepare for the GDPR, which you can download here.

Grant McGregor consultants are already working with organisations to guide them through this process. If you would like advice, guidance, or practical help, please get in touch on 0808 164 4142.


Photo credit: thedescrier via Foter.com / CC BY