What is GDPR and why is it so important?
From 2013, the EU spent years working diligently on updating and modernising its data protection law to bring antiquated and irrelevant laws slap bang into the 21st century. What existed previously in the UK was the 1998 Data Protection Act, which was introduced to implement the EU's 1995 Data Protection Directive. The General Data Protection Regulation (GDPR) goes a lot further by providing far greater protection for individuals' personal data and placing pressure on organisations to correctly manage and safeguard personal data.
The GDPR – a digital blueprint
Two reasons why the GDPR was brought into existence:
- To make organisations more aware. The dangers of hacking and cybercrime that have come to light in recent years have, without a doubt, justified the aims of the GDPR.
- To give the European Union more control, by providing organisations with greater clarity and uniformity on how they should act in relation to the management and control of personal data.
Are you GDPR compliant?
The General Data Protection Regulation (GDPR) was adopted with overwhelming support in May 2016 and has applied to all EU member states since 25 May 2018. Because the GDPR is a regulation, it creates an automatic legal obligation on the member states, so no new national legislation needs to be drawn up. Despite the immense hype and publicity surrounding the new regulation, many organisations are still not compliant, even though the consequences of failing to comply with the GDPR are grave and the risk of hefty fines is real. Many businesses still do not know about the GDPR or how to comply with it.
A survey by IDC found that 20% of small businesses in the UK and Germany did not know about the GDPR just months before the enforcement date. Outside the EU, the awareness figures are quite low. An important thing to bear in mind is that the GDPR has no borders: it affects companies globally that process the data of EU citizens.
Fines for non-compliance can reach up to €20 million or 4% of annual global turnover (whichever is higher), which poses a significant issue for many organisations. Giants like Facebook and Google are facing fines due to non-compliance. Businesses need to understand the impact of the GDPR and take the necessary steps to become compliant. As a starting point, businesses should conduct a GDPR audit to identify current gaps and risks, then take the recommended actions to close those gaps and mitigate those risks.
How does GDPR affect businesses?
Within any organisation, the designated controllers and processors of data will need to adhere to and abide by the GDPR.
- Data controllers must understand the GDPR fully, provide information in a precise manner, and know why personal data is processed within and outside their organisation.
- A data processor is concerned with the actual processing.
- A “controller” refers to any organisation. It can be a profit-making business, a non-profit charity or a government organisation.
- A “processor” could be an outsourced or third-party company, such as an IT organisation or a marketing service provider, that carries out the data processing on behalf of the data controller.
The main change the GDPR brings relates to the relationship between controllers and processors. Controllers retain ultimate control over the processing of data even when it is outsourced.
When are businesses permitted to process personal data?
Controllers have to ensure that all personal data is processed in accordance with the General Data Protection Regulation (GDPR).
The principal duties to keep in mind, to ensure that as a business you adhere to the GDPR, are:
- Lawful – only process personal data that is lawful.
- Transparent – ensure that you follow a transparent process when processing personal data.
- Specific – only process personal data for a specific, intended purpose.
- Deletion – delete personal data that is no longer required; it is not lawful to store it for longer than necessary.
What is the significance of “personal data” under the GDPR?
The definition of personal data under the General Data Protection Regulation (GDPR) is broad. Because the range is so wide, each organisation needs to look closely at what types of data it collects. Besides common types of personal data such as names, addresses, email addresses, age and date of birth, the GDPR also recognises further categories of personal data, such as:
- IP address
- Health information
Can an individual access their personal data?
An individual has the right to request from an organisation the information it holds about them. This right already existed under the Data Protection Act, but Article 15 of the General Data Protection Regulation (GDPR) amends it to cover more information. The expanded right covers:
- The purpose of the processing of the personal information.
- The categories of data affected.
- The likely retention periods.
- The rights that exist in relation to that data, including the right to have inaccurate data corrected or erased.
There are limits: repeated requests for the same data may, for example, be regarded as unreasonable. Data controllers are required, where possible, to provide a secure method for individuals to access and review the personal information an organisation holds about them. The timescale for data controllers to respond to requests is stipulated under the GDPR in terms of “undue delay”. Having a checklist in place would be a great way to ensure your organisation stays focused on this critical aspect of the GDPR in the coming times, for example:
- Go through and update current policies and procedures, making the changes necessary to ensure that they are applicable under the new regime.
- If necessary, train the appropriate personnel on the GDPR so that they deal with requests correctly.
- Consider making more information available to data subjects securely, for example by way of a secure online portal.
- Stay abreast of future guidance and publications on the GDPR with regard to subject access requests.
What constitutes the “right to be forgotten”?
The “right to access” and the “right to be forgotten” are the latest advancements in the privacy regulations laid down by the General Data Protection Regulation (GDPR). The “right to be forgotten” (the right to erasure) gives an individual in the EU the right to request that an organisation delete personal information about that individual. This area of the GDPR is stipulated under Article 17; specifically, its first two paragraphs detail the grounds on which this right takes effect. It includes search engine results and entries on social networking websites, and the organisation then has a further obligation to delete the links to that data as well.
The right to move data
A further interesting aspect of the General Data Protection Regulation (GDPR) is the right to ask for one's personal data.
Under the GDPR, some basic human rights and liberties must be safeguarded. These include:
- The right to privacy
- Right to be informed
- The right to access
- Right to erasure
- The right to object
These liberties may be absent in the anarchical digital world. They are an extension of the right to privacy, freedom of expression and the right to information under basic human rights.
Data breaches and what to expect
The General Data Protection Regulation (GDPR) stipulates that the data controller is responsible for informing the relevant data protection authorities. This has to be carried out within the first 72 hours from the moment an organisation becomes aware of the breach or potential breach. In the UK, the authority to contact is the Information Commissioner's Office (ICO). Organisations are urged to put together a procedure list and distribute it to all personnel, setting out how to act if a breach is suspected. It should record:
- Firstly, the exact time, date and place of the breach.
- Secondly, a detailed description of every aspect of the data involved in the breach.
- Thirdly, a list of the systems affected.
- The department, branch or office and the personnel involved in discovering or causing the breach.
- Lastly, a note of any corrective action taken immediately to remedy or lessen the impact of the suspected or actual breach.
In conclusion, the General Data Protection Regulation (GDPR) is the European legislative framework that governs privacy protection and data security law, and all companies must abide by it. Failure to comply with the GDPR can result in hefty fines of up to 20 million euros or 4% of annual turnover, imposed by the ICO. To ensure compliance with the GDPR, companies must undertake regular GDPR audits so that they identify and mitigate any risks, train their staff on the obligations of the GDPR, implement GDPR-compliant policies and procedures, and implement a GDPR-compliant cookie consent solution on their company website. Moreover, they should conduct a data protection impact assessment (DPIA) for all high-impact projects or business areas, and obtain the advice of a data protection officer (DPO) on major issues.