What is GDPR and why is it so important?
From 2013, the European Union spent years working diligently on updating and modernising its data protection law, bringing antiquated and outdated rules into the 21st century. What existed previously in the UK was the 1998 Data Protection Act, introduced to implement the European Union’s 1995 Data Protection Directive. The GDPR goes much further, providing more protection for individuals by placing the onus on organisations to manage and safeguard personal data. So, what is GDPR?
The GDPR – A Digital Blueprint
Two reasons why the GDPR was brought into existence:
- Awareness: to ensure that organisations are more aware that data needs protecting, especially in how it is managed. The dangers of hacking and cybercrime that have come to light in recent years have, without doubt, justified the aims of the GDPR.
- Control: to give organisations increased clarity and uniformity across the European Union as to how they should act in the whole area of data control.
Are you GDPR Compliant?
The GDPR was adopted with overwhelming support in May 2016 and has applied to all EU member states since 25 May 2018. As the GDPR is a regulation, it imposes an automatic legal obligation on the member states, so no new national legislation needs to be drawn up. Despite the immense amount of hype and publicity surrounding the new regulation, it is apparent that many organisations are not compliant, despite the consequences of failing to comply. Many businesses still do not know what GDPR is or to whom it applies.
A survey by IDC found that 20% of small businesses in the UK and Germany were not even aware of the GDPR just months before it came into force. Medium-sized businesses were noted as having more awareness, up to 90% across the EU, but only 41% had taken any steps to prepare. Outside the EU the numbers are far lower, even though the GDPR has no borders: it applies globally to any company processing European personal data, and with fines of up to €20 million or 4% of annual global turnover for non-compliance, this poses a significant issue for many organisations. Giants like Facebook and Google are facing fines for non-compliance. Businesses need to understand what GDPR is and make sure they are compliant. It is never too late to become compliant; what matters is taking the necessary actions.
How Does GDPR Affect Businesses?
Within any organisation, the designated controllers and processors of data will need to adhere to the GDPR.
- Data controllers are required to understand the GDPR fully and to be able to state precisely how and why data is being processed, both within and outside their organisation.
- A data processor is concerned only with the actual processing.
- A “controller” can be any organisation, from a profit-making business to a non-profit charity or government body.
- A “processor” could be an outsourced or third-party company, such as an IT organisation or marketing service provider, that carries out data processing on behalf of the data controller.
It does not matter where controllers or processors are based, whether in the EU or elsewhere in the world: the GDPR still applies provided the data they handle belongs to EU individuals. The primary change the GDPR brings concerns the relationship between controllers and processors. Controllers retain ultimate responsibility for the processing of data even when it is outsourced, and the emphasis under the GDPR is that controllers must choose carefully and diligently the processors of the personal data they hold. Processors are themselves under a strict duty to comply with the GDPR and are far more exposed to direct liability than they were under the old Data Protection Act.
When may Businesses be Permitted to Process Data
Controllers must ensure that all data of a personal nature is processed according to the GDPR.
The principal duties to bear in mind, to ensure that your business adheres to the GDPR, are:
Further information regarding the right of individuals can be located in the informative ICO information texts, Lawful Basis for Processing Data and the Rights of Individuals.
What is the Significance of “Personal Data” under the GDPR?
There is no single definition of personal data under the GDPR; the range is so wide that it largely falls to individual organisations to look closely at what type of data they collect and arrive at a clear, applicable definition. Apart from the usual personal data such as names, addresses, email addresses, age and date of birth, personal data can also include
- IP address
- Health information
Pseudonymised and encrypted data are also covered by the GDPR, depending on how easily the transformation can be reversed to identify an individual.
Can an Individual Access their Data?
An individual has the right to request, from an organisation, information that is held about them. This right is currently in force under the Data Protection Act, but Article 15 of the GDPR provides for an amended right for more information.
The additional rights are to know:
- The purpose for which the personal information is being processed.
- The categories of data affected.
- To whom the data is being transferred or disclosed.
- The likely retention periods.
- The rights that exist in relation to that data, including the right to have inaccurate data corrected or deleted.
Individuals can also ask whether their data is being used for automated decision-making and profiling. Organisations are now obliged to explain how this type of processing will affect the individual, particularly in relation to direct marketing, where explicit consent should be obtained. Organisations also provide the requested information free of charge unless the requests are excessive or unfounded; repeated requests for the same data, for example, may be treated as unreasonable. Data controllers are required, wherever possible, to provide a secure method for individuals to access and review the personal information the organisation holds about them. The GDPR stipulates that data controllers must respond to requests without undue delay and at the latest within one month. It is a good idea to have a checklist in place so that your organisation stays focused on this critical aspect of the GDPR, for example:
- Review and update current policies and procedures and amend as necessary to ensure that they are applicable under the new regime.
- If necessary, provide GDPR training to appropriate personnel so that any requests are dealt with correctly.
- Consider having more information available to data subjects securely by way of, for example, a secure online portal.
- Stay abreast of future guidance and publications on the GDPR with regard to access requests.
What Constitutes the “Right to be Forgotten”?
The Right of Access and the Right to be Forgotten are the most prominent advances in the privacy rules laid down by the GDPR. The Right to be Forgotten (commonly referred to as the right to erasure) provides that any EU individual can request that an organisation delete personal information about them. This right is set out in Article 17 of the GDPR, specifically its first two paragraphs, which detail the grounds on which it takes effect. Any publicly accessible data may be deleted upon request, including search engine results and entries posted on social networking websites. If an organisation is obliged to erase personal information at the request of the individual concerned, it has a further obligation to ensure that any links to that data are also deleted.
What is most interesting is the GDPR’s position on when there is no right to be forgotten; there are exceptions under which personal data will not be deleted:
- Where the processing of that data is required to meet a legal or compliance obligation, for a task carried out in the public interest or in the exercise of official authority, or where a legal claim exists.
Other situations may arise where certain institutions need to retain data, depending on the nature and purpose of the personal data and the reasons for retention. For example, banking institutions may need to keep certain types of data longer than would otherwise be necessary in order to complete a particular financial process. Such processes will need to be communicated to the relevant data protection authority as well as to the data subject, and validated against the GDPR and the legal grounds for setting aside the right to erasure. Any organisation that holds personal data will need to identify and clarify the applicable exemptions at every request, to prevent unnecessary delay or the deletion of important, indispensable data. When the right to erasure does apply, all interested parties must be informed, and the deletion must be carried out under a strict policy with a detailed step-by-step process.
The Right to Move Data
A further interesting aspect of the GDPR is the right to ask for the personal data an organisation stores to be made available in an easily portable form.
This will prove useful for individuals who wish to download data held by banks, utility companies and mobile phone providers in order to share it and open new accounts at competitive rates through price comparison websites.
Data Breaches and what to Expect
The GDPR makes it the responsibility of the data controller to inform the relevant data protection authority, as well as the individuals whose data has been compromised, in the event of a security breach. This should be done within 72 hours of the organisation becoming aware of the breach or potential breach. In the UK, the authority to contact is the ICO (the Information Commissioner’s Office). Organisations are urged to put together a procedure, distributed to all personnel, setting out what to record if a breach is suspected:
- Exact time, date and place of the breach
- A detailed description of all aspects of the type of data involved in the breach
- If known, the precise cause of the breach and details as to how it was discovered
- List of systems affected
- The department/branch/office and personnel involved in discovering or causing the breach
- A note of any corrective action immediately occurring to remedy or lessen the impact of the suspected or actual breach.
Having a proactive breach response plan and a guidance policy in place within your organisation, setting out what to do in the event of a suspected or actual breach, is a vital tool for GDPR compliance. It not only allows your business to contain and remedy security breaches quickly, but also shows your customers and the ICO that you are a responsible organisation dedicated to security. This is especially important as GDPR fines are significantly higher than those under the Data Protection Act. Although the GDPR stipulates that fines will be proportionate to the infringement, demonstrating that you are committed to preventing breaches, that you work hard to keep your business compliant and that you understand the GDPR will work in your favour should the unthinkable ever happen.
GDPR and Brexit
When the UK eventually exits the EU it will become a non-EU country, referred to as a “third country” for the purposes of the GDPR, and will effectively be subject to restrictions on cross-border data transfers and to the transfer mechanisms approved by the European Commission, known as adequacy decisions. Whether the exit date is 29th March 2019 or the deferred date of 31st December 2020, the UK is very likely to adopt a mirror image of the EU data protection regulations. At present, lacking any precedent (Brexit being a wholly unprecedented development!), it will be interesting to follow how the UK proceeds as a non-EU country. In any event, businesses that process the personal data of individuals within the UK, and UK companies processing the personal data of individuals outside the UK, will need to keep a close eye on the laws that come into force following Brexit. Businesses should always maintain a current understanding of the GDPR, or seek the advice and support of GDPR experts on the Seers platform.