The General Data Protection Regulation (GDPR) comes into effect on 25 May 2018.
Set out as Regulation (EU) 2016/679, it is intended to strengthen and unify data protection for all individuals within the European Union (EU). However, it is seen as a major struggle for companies who are affected by it. Many companies, large and small, are reaching out to third-party companies for advice, often without considering their expertise and responsibilities.
Unlike Directives, EU Regulations do not have to be enshrined in local law, meaning that despite Article 50 and Brexit, the GDPR will most likely be going ahead. It is unlikely to be revoked under the Great Repeal Bill (European Union (Withdrawal) Bill), and in any case, it would still impact on companies with customers and data on clients in the European Union.
The rules are very clear that whoever is responsible for the breach, the cause (including employees or criminals) is irrelevant; it will be the organisation that foots the bill and suffers the reputational damage. Ensuring all your data collection and procedures are GDPR-compliant is essential to avoid fines of €20m or 4pc of global annual turnover.
GDPR is not solely a technological problem to solve: auditing current data protection measures, documenting existing information, and ensuring GDPR compliance are also part of the regulations. Companies should already be abiding by Data Protection Act legislation, and those already following ISO 27001 or PCI-DSS will find catching up with the new regulations much easier.
Some key facts:
- It affects companies with more than 250 employees, as well as smaller companies who process personal data. This means that almost all companies will be affected, with the exception of a very small number of B2B-only organisations.
- Much like the Data Protection Act, the regulation applies to personal data of EU citizens. Almost any data is included; not just names and addresses, but also genetic, mental, cultural, economic or social information too.
- It affects both organisations collecting the data directly, as well as all companies involved in processing the data in the chain.
- Do you have permission to collect the data? Just having the data collected is not enough; you must have used simple language when asking users to consent to collecting their personal information. The phrase ‘affirmative consent’ is used, meaning that users must choose to opt in. Parental consent must also be given for subjects under the age of 16, whether their age or date of birth is collected or not. The regulation does not mention that this is impossible.
- Companies may have or wish to appoint a data protection officer (DPO). The GDPR requires that mandatory privacy impact assessments (PIAs) are conducted where privacy breach risks are high. Ongoing assessment, as well as incident and response plans, will be required.
- Organisations must notify the local data protection authority of a data breach within 72 hours of discovering it. Organisations must be able to identify, detect and respond to data breaches.
- Organisations must not hold data for any longer than absolutely necessary, and must not change the use of the data from the purpose for which it was originally collected.
- There is a “Right to be Forgotten”: users will have a right to request that their data is removed.
- Have a “reasonable” level of data protection and privacy for EU citizens. What the GDPR means by “reasonable” is not well defined.
- Sending data outside of the EEA/EU can only be done where the country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data. This means that in many cases, storing data on cloud services outside of the EU will not be acceptable under the regulations.
Organisations should be preparing themselves for the changes in May 2018. Companies may wish to hire a DPO or even a third-party company to advise on their procedures. Since the organisation will have final responsibility, do ensure that these advisers are suitable for following the regulations.
Companies should at least be preparing a data protection plan and risk assessment, as well as ensuring their existing data is secured, whether this is provided in-house or by a third party. Although popular, it is likely that many of the regions offered by Amazon storage will not be permitted under the guidance.
We are able to help with securing data and following the technical guidance of the GDPR, advise on any of the topics above, and work with your existing DPO. Please do get in contact if we can help.
More information can be found on the official ICO website, and on the EU GDPR website.
The article is intended for information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.