What is GDPR and why is it so important?
From 2013, the EU spent years working diligently on updating and modernising its data protection law, bringing antiquated and irrelevant laws firmly into the 21st century. What existed previously in the UK was the Data Protection Act 1998, which was introduced to implement the EU’s 1995 Data Protection Directive. The GDPR goes much further in protecting individuals by placing the onus on organisations to manage and safeguard personal data. So, “What is GDPR?”
The GDPR – A Digital Blueprint
Two reasons why the GDPR was brought into existence:
- To ensure that organisations are more aware that data needs protecting, especially in how it is managed. The dangers of hacking and cybercrime that have come to light in recent years have, without doubt, justified the aims of the GDPR.
- To give the European Union more control, and to provide organisations with greater clarity and uniformity about how they should act in the whole area of data handling.
Are you GDPR Compliant?
The GDPR was adopted with overwhelming support in May 2016 and became applicable in all EU member states on 25 May 2018. Because the GDPR is a regulation, it creates an automatic legal obligation on the member states, so no new national legislation needs to be drawn up. Despite the immense hype and publicity surrounding the new regulation, and despite the consequences of failing to comply, many organisations are still not compliant. Many businesses do not know what GDPR is or to whom it applies.
A survey by IDC revealed that 20% of small businesses in the UK and Germany did not know what GDPR was, just months before it came into force. Among medium-sized businesses, awareness was recorded at up to 90% across the EU, but only 41% had taken any steps to prepare for the GDPR. Outside the EU, the numbers are considerably lower. An important thing to bear in mind is that the GDPR has no borders: it applies globally to companies processing European data, and with fines of up to €20 million or 4% of annual global turnover for non-compliance, this poses a significant issue for many organisations. Giants like Facebook and Google are facing fines for non-compliance. Businesses need to understand what GDPR is and make sure they are compliant. It is never too late to become compliant; what matters is taking the necessary action.
How Does GDPR Affect Businesses?
Within any organisation, the designated controllers and processors of data will need to adhere to and abide by the GDPR.
- Data controllers will be required to understand the GDPR fully, to provide information precisely, and to state why data is being processed within and outside their organisation.
- A data processor is concerned with the actual processing.
- A “controller” can be any organisation, from a profit-making business to a non-profit charity or government body.
- A “processor” could be an outsourced or third-party company, such as an IT organisation or marketing service provider, that carries out the data processing on behalf of the data controller.
It does not matter where controllers or processors are based, whether in the EU or elsewhere in the world: the GDPR still applies provided the data they handle belongs to EU individuals. The main difference the GDPR brings concerns the relationship between controllers and processors. Controllers retain ultimate control over the processing of data even when it is outsourced. The GDPR stresses that controllers must choose carefully and diligently the processors of the personal data they hold. Processors themselves are also under a strict duty to comply with the GDPR and are far more exposed to direct liability than they were under the old Data Protection Act.
When may Businesses be Permitted to Process Data?
Controllers have to ensure that all data of a personal nature is processed in accordance with the GDPR.
The principal duties to keep in mind to ensure that, as a business, you adhere to the GDPR are:
Further information regarding the rights of individuals can be found in the ICO’s guidance texts, Lawful Basis for Processing Data and the Rights of Individuals.
What is the Significance of “Personal Data” under the GDPR?
Personal data has a broad definition under the GDPR. The range is so wide that it falls to each organisation to look closely at what type of data it collects in order to arrive at a clear and applicable definition. Besides common types of personal data such as names, addresses, email addresses, age and date of birth, the GDPR also covers categories such as:
- IP address
- Health information
Pseudonymised and encrypted data also fall under the GDPR, depending on how easily the process can be reversed to identify an individual.
Can an Individual Access their Data?
An individual has the right to request from an organisation the information it holds about them. This right already existed under the Data Protection Act, but Article 15 of the GDPR extends it to cover more information.
The additional information an individual has the right to know is:
- The purpose of the processing of their personal data.
- The categories of data affected.
- To whom the data is being transferred or disclosed.
- The likely retention periods.
- The rights that exist in relation to that data, including the right to have inaccurate data corrected or erased.
An individual can also ask whether their data is being used for automated decision making and profiling. Organisations are now obliged to explain how this type of processing will affect the individual, particularly for direct marketing, where explicit consent should be obtained. Organisations are required to provide the requested information free of charge unless the requests are excessive or unfounded; repeated requests for the same data, for example, may be treated as unreasonable. Data controllers must, where possible, provide a secure means for individuals to access and review the personal information the organisation holds about them. The GDPR requires data controllers to respond to requests “without undue delay” and at the latest within one month. A checklist such as the following will help your organisation stay focused on this critical aspect of the GDPR:
- Review and update current policies and procedures, making the changes necessary to ensure they apply under the new regime.
- If necessary, train the appropriate personnel in the GDPR so that they handle requests correctly.
- Consider making more information available to data subjects securely, for example via a secure online portal.
- Stay abreast of future guidance and publications on the GDPR with regard to access requests.
What Constitutes the “Right to be Forgotten”?
The Right of Access and the Right to be Forgotten are the latest advances in the privacy rules laid down by the GDPR. The Right to be Forgotten (the right to erasure) provides that an individual in the EU can request that an organisation delete the personal information it holds about them. This part of the GDPR is set out in Article 17, whose first two paragraphs specify the grounds on which the right takes effect. Any data that is publicly accessible may be deleted upon request, including search engine results and entries posted on social networking websites. If an organisation is asked by the relevant individual to remove personal information, it is also obliged to delete links to that data.
Interestingly, the GDPR also sets out when the right to be forgotten does not apply; personal data need not be deleted in the following cases:
- Where the processing of such data is required for legitimate, legal or compliance obligations, is in the public interest or is carried out in an official capacity, or where the controller has an obligation arising from a legal claim.
Certain institutions may also be required to retain data. Whether this applies depends on the nature and purpose of the personal data and the reasons for retention. For example, banks may need to keep certain types of data longer than would otherwise be necessary in order to complete a particular financial process. Such processes will need to be communicated to the relevant data protection authorities as well as to the data subject, and validated against the GDPR and the legal grounds for setting aside the right to erasure. Any organisation that holds personal data will need to identify and clarify the applicable exemptions at every request, to avoid unnecessary delay or the deletion of important, indispensable data. When the right to erasure does apply, all interested parties must be informed, and the data must be deleted under a strict policy with a detailed step-by-step process.
The Right to Move Data
A further interesting aspect of the GDPR is the right to ask for personal data held by organisations to be made available in an easily portable form.
In future, this will be useful for individuals who want to download the data held about them by banks, utility companies and mobile phone providers, share it, and open new accounts at competitive rates through comparison websites.
The Microsoft GDPR self-assessment is a handy tool provided by Microsoft Corporation.
Data Breaches and what to Expect
The GDPR makes the data controller responsible for informing the relevant data protection authorities, as well as the individuals whose data has been compromised, in the event of a security breach. This must be done within 72 hours of the organisation becoming aware of the breach or potential breach. In the UK, the authority to contact is the ICO (the Information Commissioner’s Office). Organisations are urged to draw up a procedure, distributed to all personnel, on how to act if a breach is suspected, recording the following:
- The exact time, date and place of the breach
- A detailed description of every aspect of the data involved in the breach
- If known, the precise cause of the breach and how it was discovered
- A list of the systems affected
- The department, branch or office and the personnel involved in discovering or causing the breach
- A note of any corrective action taken immediately to remedy or lessen the impact of the suspected or actual breach.
A proactive breach response plan and a guidance policy within your organisation are imperative in the case of a suspected or actual breach, and for GDPR compliance. They allow your business not only to contain and remediate security breaches quickly, but also to show your customers and the ICO that you are a responsible organisation dedicated to security. This matters because GDPR fines are significantly higher than those under the Data Protection Act. Although the GDPR stipulates that fines will be proportionate to the infringement, demonstrating that you are committed to preventing breaches, that you work hard to keep your business compliant and that you understand “What is GDPR” will work in your favour should the unthinkable ever happen.
GDPR and Brexit
When the UK eventually exits the EU, it will become a non-EU country, referred to under the GDPR as a “third country”. Data transfers across the border will then come under scrutiny and be subject to transfer mechanisms approved by the European Commission, known as adequacy decisions. Whether the date is 29th March 2019 or the deferred date of 31st December 2020, the UK is very likely to adopt a mirror image of the EU data protection regulations. With no precedent to draw on (Brexit being a wholly unprecedented development!), it will be interesting to follow how the UK proceeds as a non-EU country. In any event, businesses processing the personal data of individuals inside the UK, and UK companies processing the personal data of individuals outside the UK, must make sure they follow the laws that come into force following Brexit. Businesses must understand “What is GDPR?” or take the advice and support of the GDPR experts on the Seers platform.
GDPR compliance has now become an important test for organisations: are they compliant or not? In a sense, the authorities are playing the role of GDPR project manager, since they oversee the GDPR from behind the scenes.