General Data Protection Regulation (GDPR) and your business
After working on the new General Data Protection Regulation (GDPR) for four years, the EU have set the date for the new data protection legislation to be put into place, and it's only around the corner.
25th May 2018... less than a year away.
This new legislation is a lot more detailed than the previous Data Protection Act (DPA) and covers previously unforeseen ways that data is now used. It also introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. The current DPA that we all live by was written before the internet and cloud technology created new ways of exploiting data, and the GDPR looks to fix that.
The EU hopes that the new GDPR will improve trust in the online and digital markets, and give businesses a simpler, clearer legal environment in which to operate by making data protection law identical throughout the EU.
So, what does this mean for us as a business in the EU?
Once the legislation comes into effect, the person responsible for data management within your business must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
Consent for the collection and sharing of personal data must be actively obtained under the new legislation. Passive acceptances such as pre-ticked boxes or opt-outs won't be acceptable. The consent must be an active, affirmative action by the individual, and your data controllers must keep a record of how and when that individual gave consent. After consent is given it can be withdrawn again at any point. The GDPR requires businesses to be clear about how they collect data, what they do with it, and how they process it, and they must use plain language when explaining these things to people.
The EU has substantially expanded the definition of personal data under the GDPR. Anything that counted as personal data under the Data Protection Act also qualifies as personal data under the GDPR, and online identifiers such as IP addresses now qualify as personal data too. Other data like economic, cultural or mental health information can also be considered personally identifiable information. Pseudonymised personal data may also be subject to GDPR rules, depending on how easy or hard it is to identify whose data it is.
People can ask for access to their data at any point, and without any fee, and we, as businesses, must generally respond within one month. Because these requests no longer involve any administrative charge, we could see a large increase in them after 25th May 2018. Individuals also have the right to know why their data is being processed, how long it's stored for, and who gets to see it. It is recommended that wherever possible, data managers should provide secure, direct access for people to review their information.
Individuals also have the 'right to be forgotten'. Under this rule, they can demand that their data is deleted if it's no longer necessary to the purpose for which it was collected, or if they've withdrawn their consent for their data to be collected, or object to the way it is being processed. You would then have to tell any other organisations (for instance, Google) to delete any links to copies of that data, as well as the copies themselves.
We should also now be storing people's information in commonly used formats (like CSV files), so that a person's data can be moved to another organisation (free of charge) if the person requests it. Once a request is made, the information must be transferred within one month.
If you experience a data breach under the new legislation you would be expected to firstly contact the individuals affected by the breach, and outline the nature of the data that's affected, what the consequences could mean for them, and what measures you've already actioned, or plan to action, in response. It is also your responsibility to inform your data protection authority of the same details, and all within 72 hours of your business becoming aware of it. The UK authority is the Information Commissioner's Office. Those who fail to meet the 72-hour deadline could face a penalty of up to 2% of their annual worldwide revenue, or €10 million, whichever is higher.
When we leave the EU will the GDPR still apply to us in the UK?
By effectively copying GDPR into the UK's own laws, the government makes it likely that the UK's data protection standards will be acceptable to the EU, and therefore the country should be 'whitelisted' as a safe place to transfer EU data.
Digital minister Matt Hancock said: "Bringing EU law into our domestic law will ensure that we help to prepare the UK for the future after we have left the EU. We are committed to ensuring that uninterrupted data flows continue between the UK and the EU and other countries around the world."
Whilst looking into the GDPR for this article I came across three things that I hadn't thought about before, and thought I would just list them here for you to help you get everything covered as much as possible.
• Beware of your forgotten data - many businesses and organisations are hoarding - often without realising - useless data. GDPR doesn't just apply to your beautifully laid out, well-structured and closely managed customer database and employee files; it applies to all data. For example, a scanned employee passport, or a customer email that an employee accidentally saved into their personal folder and forgot about. Consider how much more difficult it is to search for and remove data like this. Now, a demand for the removal of data in these scenarios will have a significant cost in man-hours for an exhaustive search to find it all. In the worst case, if that data is revealed in a breach, you run the risk of significantly higher fines under GDPR.
• Check all sources of data into your company - as a business, you need to fully understand the data you hold, or at least be able to quickly produce such data if requested. The invisible file with a credit card number, passport or National Insurance number could potentially cost millions if not managed properly, or not removed on request - and evidenced. Cookies can also fall under the new laws, so if your website uses this method of tracking and collecting data, this needs to be considered.
• Appoint a GDPR person – but not your head of IT – it is recommended that businesses and organisations designate a Data Protection Officer, or someone who can take responsibility for data protection compliance. Many businesses feel that they might just appoint their IT manager/director as the data protection officer; however, this could result in a conflict of interest – for example, if the IT director is responsible for the processing of personal data, they shouldn't also be responsible for signing off on GDPR compliance regarding the processing of it.
For the full details of the General Data Protection Regulation (GDPR) you can visit the Information Commissioner's Office here