What is GDPR and why is it so important?
From 2012, the EU spent years updating and modernising its data protection law to bring rules written for a pre-internet era into the 21st century. In the UK the existing law was the Data Protection Act 1998, which implemented the EU's 1995 Data Protection Directive. The General Data Protection Regulation (GDPR) goes a lot further: it gives individuals far greater protection for their personal data and puts organisations under real pressure to manage and safeguard that data properly.
The GDPR – a digital blueprint
Two reasons why the GDPR was brought into existence:
- To make organisations more aware that personal data needs protecting, in particular in how it is managed. The hacking and cybercrime incidents that have come to light in recent years have, without doubt, justified the aims of the GDPR.
- To give the European Union more control, by providing organisations with a single, uniform set of rules and clear expectations on how they must handle and control personal data.
Are you GDPR compliant?
The General Data Protection Regulation (GDPR) was adopted with overwhelming support in April 2016, entered into force in May 2016 and has applied in all EU member states since 25 May 2018. Because the GDPR is a regulation rather than a directive, it is directly applicable in every member state: no national legislation is needed to bring it into effect. Despite the immense hype and publicity surrounding it, and despite the grave consequences of non-compliance and the risk of hefty fines, many organisations are still not compliant. Many businesses still do not know what the GDPR is or how to comply with it.
A survey by IDC found that 20% of small businesses in the UK and Germany did not know about the GDPR just months before the enforcement date. Awareness among medium-sized businesses across the EU was higher, up to 90%, yet only 41% had taken any steps to prepare. Outside the EU the numbers were considerably lower. An important point to bear in mind is that the GDPR has no borders: it applies to any company, anywhere in the world, that processes the personal data of individuals in the EU. Fines for non-compliance can reach €20 million or 4% of annual global turnover, whichever is higher, which is a serious exposure for many organisations, and giants such as Facebook and Google have already faced fines for non-compliance. Businesses need to understand the impact of the GDPR and take the steps required to become compliant. As a starting point, a business should conduct a GDPR audit to identify its current gaps and risks, then act on the recommendations to close those gaps and mitigate those risks.
How does GDPR affect businesses?
Within any organisation, anyone acting as a controller or processor of personal data must adhere to the GDPR.
- A data controller determines the purposes and means of processing. Controllers must understand the GDPR fully and be able to state precisely what personal data they process, why, and whether that processing happens inside or outside their organisation.
- A data processor carries out the actual processing on the controller's behalf and on its documented instructions.
- A "controller" can be any kind of organisation: a profit-making business, a non-profit charity or a government body.
- A "processor" is typically an outsourced or third-party company, such as an IT services firm or a marketing service provider, that processes personal data on behalf of the data controller.
It does not matter where controllers or processors are based, in the EU or elsewhere in the world: the GDPR still applies provided the data they handle relates to individuals in the EU. One of the main changes the GDPR brings concerns the relationship between controllers and processors. The controller retains ultimate responsibility for the processing even when it is outsourced, so the GDPR requires controllers to choose their processors carefully, using only processors that provide sufficient guarantees, and to bind them by a written contract. Processors themselves are now under a direct statutory duty to comply with the GDPR and carry liability of their own, which they did not have under the old Data Protection Act.
When are businesses permitted to process personal data?
Controllers must ensure that all personal data is processed in accordance with the principles set out in the General Data Protection Regulation (GDPR).
The principal duties to keep in mind so that your business adheres to the GDPR are:
- Lawful – only process personal data where you have a lawful basis for doing so.
- Transparent – be open with individuals about how and why their personal data is processed.
- Specific – only process personal data for the specific, explicit purposes for which it was collected.
- Deletion – delete personal data that is no longer required; it is not lawful to retain it for longer than necessary.
What is the significance of “personal data” under the GDPR?
Personal data is defined broadly under the General Data Protection Regulation (GDPR): any information relating to an identified or identifiable living individual. Because the definition is so wide, each organisation must look closely at the types of data it actually collects to work out what falls within it. Beyond the obvious categories such as names, addresses, email addresses, age and date of birth, the GDPR explicitly covers online identifiers, and it singles out special categories of data that need extra protection. Examples:
- IP addresses (an online identifier, and therefore personal data in its own right)
- Health information (a special category of personal data, subject to stricter conditions)
Pseudonymised and encrypted data also remain personal data under the GDPR as long as the individual can still be re-identified, for example by whoever holds the key or the lookup table that reverses the pseudonymisation. Only data that has been truly anonymised, so that the individual can no longer be identified by any reasonably likely means, falls outside the regulation.
Can an individual access their personal data?
An individual has the right to ask an organisation what information it holds about them. This right already existed under the Data Protection Act, but Article 15 of the General Data Protection Regulation (GDPR) expands it so that more information must be provided. The expanded right covers:
- The purposes for which the personal data is being processed.
- The categories of data affected.
- The recipients to whom the data has been or will be disclosed.
- The likely retention periods.
- The rights that exist in relation to that data, including the right to have inaccurate data corrected or erased.
Individuals can also ask whether their personal data is used for automated decision-making, including profiling, and organisations must then explain the logic involved and how such processing affects them. Individuals have an absolute right to object to processing, including profiling, for direct marketing. The information must be provided free of charge; an organisation may charge a reasonable fee, or refuse, only where a request is manifestly unfounded or excessive, for example repeated requests for the same data. Data controllers should, where possible, offer a secure way for individuals to access and review the personal data held about them. The GDPR requires a response without undue delay and at the latest within one month of receipt, extendable by a further two months for complex or numerous requests, provided the individual is told of the extension within the first month. A checklist is a sensible way to keep your organisation focused on this critical aspect of the GDPR:
- Review and update current policies and procedures and make the changes needed for them to work under the new regime.
- Train the relevant personnel on the GDPR so that they handle requests correctly.
- Consider making more information available to data subjects securely, for example through a secure online portal.
- Stay abreast of future guidance on subject access requests from the ICO and other EU regulators.
What constitutes the “right to be forgotten”?
The “right to access” and the “right to be forgotten” are among the headline rights in the privacy regime laid down by the General Data Protection Regulation (GDPR). The “right to be forgotten” (the right to erasure) gives an individual in the EU the right to ask an organisation to delete the personal data it holds about them. It is set out in Article 17, the first paragraph of which lists the grounds on which the right applies, such as the data no longer being necessary, consent being withdrawn, or the processing being unlawful. Where the organisation has made the data public, for example in search engine results or posts on social networking sites, Article 17(2) obliges it to take reasonable steps to inform other controllers processing that data that the individual has requested erasure of any links to, copies of or replications of it.
Equally important is the GDPR's stance on when there is no right to be forgotten. Article 17(3) lists the exceptions under which personal data need not be deleted, namely where processing is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation, or for a task carried out in the public interest or in the exercise of official authority;
- for reasons of public interest in the area of public health;
- for archiving, scientific or historical research, or statistical purposes, where erasure would seriously impair those aims; or
- for the establishment, exercise or defence of legal claims.
Certain institutions will therefore need to retain data that a data subject has asked them to delete. Whether they can depends on the nature and purpose of the data and the reason for retention. For example, a bank may need to keep certain records for longer than a customer expects because statutory record-keeping rules or an unfinished financial process require it. Where a request is refused on these grounds, the organisation must tell the data subject without delay why it is not acting, and that they may complain to the supervisory authority (the ICO in the UK) or seek a judicial remedy; the justification must stand up against the GDPR's own exemptions. Any organisation holding personal data should identify which exemptions apply at every request, so that indispensable data is not deleted by mistake and valid requests are not unnecessarily delayed. When the right to erasure does apply, all interested parties must be informed and the deletion must follow a strict, documented step-by-step procedure.
The right to move data
A further interesting aspect of the General Data Protection Regulation (GDPR) is the right to data portability (Article 20): an individual can ask for the personal data an organisation holds about them to be provided in a structured, commonly used and machine-readable format and, where technically feasible, transmitted directly to another controller.
In future this will be useful for individuals who want to take the data held by banks, utility companies and mobile phone providers and share it, for example with price comparison websites, to open new accounts at more competitive rates.
The GDPR safeguards a number of basic rights and liberties. These include:
- The right to privacy
- Right to be informed
- The right to access
- Right to erasure
- The right to object
These liberties are often absent in an otherwise unregulated digital world; they extend the rights to privacy, freedom of expression and access to information that exist under basic human rights law.
Data breaches and what to expect
Under the General Data Protection Regulation (GDPR) the data controller is responsible for informing the relevant data protection authority of a personal data breach and, where the breach is likely to result in a high risk to individuals, the individuals whose data has been compromised. The authority must be notified without undue delay and, where feasible, within 72 hours of the organisation becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals; affected individuals must be told without undue delay. Every breach, notified or not, must be documented internally. In the UK the authority to contact is the Information Commissioner’s Office (ICO). Organisations are urged to give all personnel a procedure to follow if a breach is suspected, recording:
- Exact time, date and place of the breach
- A detailed description of every aspect of data involved in the breach
- If known, the precise cause of the breach and details as to how it was discovered
- List of systems affected
- The department/branch/office and personnel involved in discovering or causing the breach
- A note of any corrective action taken immediately to remedy or lessen the impact of the suspected or actual breach.
Have a proactive breach response plan and a guidance policy in place within your organisation. These two tools are imperative in the event of a suspected or actual breach and for GDPR compliance. They allow your business to contain and repair security breaches quickly, and also show your customers and the ICO that you are a responsible organisation dedicated to security. That matters because GDPR fines are significantly higher than those under the Data Protection Act. The GDPR does stipulate that fines must be proportionate to the infringement, and the measures you took to prevent and mitigate a breach are among the factors a regulator must weigh, so demonstrating that you are committed to preventing breaches, and that you understand and comply with the GDPR, works in your favour.
GDPR and Brexit
When the UK eventually leaves the EU (currently expected at the end of the transition period on 31 December 2020), it will become a non-EU country, referred to in the General Data Protection Regulation (GDPR) as a “third country”. Transfers of personal data from the EU to the UK will then be restricted transfers, permitted only through a transfer mechanism the GDPR recognises, the most convenient being an adequacy decision by the European Commission. Whatever the final date, the originally planned 29 March 2019 or the deferred 31 December 2020, the UK is very likely to adopt a mirror image of the EU data protection rules. With no precedent to go on (Brexit being a wholly unprecedented development!) it will be interesting to follow how the UK proceeds as a non-EU country. In any event, businesses processing the personal data of individuals inside the UK, and UK companies processing the personal data of individuals outside the UK, must make sure they follow whatever laws apply after Brexit. Businesses must also determine whether they need to appoint an EU representative once the UK has left the EU.
The General Data Protection Regulation (GDPR) is the European legislative framework governing privacy protection and data security. Every company that processes the personal data of individuals in the EU must abide by it. Failure to comply can result in fines of up to €20 million or 4% of annual global turnover (whichever is higher), imposed in the UK by the ICO. To ensure compliance, companies should undertake regular GDPR audits to identify and mitigate risks, train their staff on their GDPR obligations, implement GDPR-compliant policies and procedures, implement a compliant cookie consent solution on their website, conduct a data protection impact assessment (DPIA) for all high-risk projects or business areas, and obtain the advice of a data protection officer (DPO) on major issues.