The countdown is now well and truly on until the biggest shake up of data protection rules in over two decades!
The General Data Protection Regulation (GDPR) will completely overhaul how businesses process and handle data and will give individuals a greater control over who collects and processes their data, what it is used for, and how it is being protected.
Our essential guide will help explain what the changes will mean for you and what steps you need to take to ensure your business is compliant.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a regulation within EU law that will strengthen and unify data protection for individuals within the European Union. It will also address the export of personal data outside of the EU.
It replaces the 1995 EU Data Protection Directive for data privacy and security, to reflect the way in which data is stored and processed in our increasingly digital world.
The main objective of the GDPR is to give EU citizens more control over their personal data.
When will the GDPR come into force?
The GDPR was approved by the EU Parliament in April 2016 and, after a two-year transition period, will apply in all EU member states from 25 May 2018.
Who does the GDPR apply to?
The GDPR will apply to any organisation operating within the EU and will also include organisations located outside of the EU that offer goods or services to customers or businesses residing within the EU.
The legislation will apply to two different types of data handlers, known as ‘Controllers’ and ‘Processors’. If your organisation determines the purposes and the manner in which personal data is processed, then it is considered to be a Data Controller. Data Controllers play a key role in GDPR compliance because of the customer and employee data that they collect and retain.
If a person, agency or other body acts on behalf of a Data Controller then they are considered to be a Data Processor.
What data will be affected by GDPR?
The EU defines ‘Personal Data’ as any information that can be used, directly or indirectly, to identify an individual (the data subject). This includes a name, email address, IP address and images. It also includes sensitive personal data, such as biometric or genetic data, which could be processed to identify an individual.
What does GDPR mean for businesses?
Businesses will need to carry out specific actions to safeguard and manage data in accordance with the new rules. To ensure data is protected and secure, there must be efficient and effective procedures in place to deal with certain requests, such as the amendment or deletion of records.
The GDPR also brings a range of opportunities for businesses:
– Streamline marketing and sales databases so that they contain only individuals who are actively interested in their products or services
– Identify new areas for marketing and sales growth
– Build greater levels of trust with their customers
What does GDPR mean for Individuals?
The GDPR provides the following rights for individuals:
• The right to be informed – Individuals have the right to be informed about the collection and use of their personal data.
• The right of access – Individuals have the right to access their personal data and any supplementary information. They can request a copy of all information held on them and it should be provided free of charge and within one month of the request being lodged.
• The right to rectification – Individuals can request that any inaccurate personal data is rectified.
• The right to erasure – Individuals can request to have their personal data erased. The right to erasure is also known as the right to be forgotten.
• The right to restrict processing – In certain circumstances, individuals can request that further processing of their data is restricted. When the processing is restricted, you have permission to store their personal data but not use it.
• The right to data portability – Individuals are able to obtain and reuse their personal data for their own purposes across other services.
• The right to object – Unless there are legitimate reasons for processing an individual’s personal data, they retain the right to object to processing.
• Rights in relation to automated decision making and profiling – The GDPR has provisions on automated individual decision making. This reduces the risk of any adverse decisions being made without human intervention.
What are the GDPR fines and penalties for non-compliance?
The GDPR has a tiered penalty structure that will affect companies that are non-compliant. Organisations in breach of the GDPR can be fined up to 4% of annual global turnover or 20 million euros (whichever is greater). Fines will depend on the severity of the breach and on whether the organisation has taken steps to demonstrate compliance.
What is a GDPR Breach Notification?
A personal data breach involves the compromise of information to an unauthorised party. In many cases these are cyber breaches: electronic data breaches via hacking, malware, phishing and similar means.
Sometimes breaches occur by way of external sources, but most are a result of insider threats such as employees or personnel with access to a company’s data processing environment.
Once it’s known that a privacy breach is in process, the immediate concern is to stop the breach from continuing.
The GDPR requires that organisations disclose any personal data breaches to the relevant supervisory authority within 72 hours of detection.
If the breach results in a high risk of affecting an individual’s rights and freedoms, then the individual must be notified with immediate effect.
Do I need to appoint a Data Protection Officer?
Although not mandatory in all cases under GDPR, most organisations will designate a Data Protection Officer (DPO). The DPO should be an expert in GDPR and privacy practices, as they are responsible for the monitoring and reporting of GDPR compliance.
DPOs are expected to help guide Data Controllers and Data Processors by auditing internal compliance and suggesting suitable corrective recommendations where necessary. DPOs are also expected to act in an independent manner within the organisation.
Will the GDPR still apply after Brexit?
Yes, the GDPR will still apply after Brexit. The GDPR is designed to regulate how organisations process and control the personal data of EU citizens, regardless of where those organisations are located. The UK will not leave the European Union until April 2019, so European law will continue to apply within the UK until then.
What Can I do to make sure my business is GDPR compliant?
To ensure your business is on the right track to GDPR compliance, you can follow the below steps:
- Become Aware – Identify areas that could cause compliance problems under the GDPR.
- Become Accountable – Make an inventory of all personal data you hold.
- Communicate with Staff & Service Users – Review the current data privacy notices that alert individuals to the collection of their data. Identify any gaps between what those notices say and the level of data collection and processing your business actually engages in.
- Personal Privacy Rights – Review your procedures to ensure they cover all the rights of individuals, including how to delete personal data or provide it electronically in a commonly used format.
- How will Access Requests Change? – Review and update your procedures and plan how you will handle requests within the new timescales. All requests must be responded to within one month.
- What we mean when we talk about a ‘Legal Basis’ – Look at the different types of data processing you carry out and identify your legal basis for carrying it out and document this. This is particularly important when consent is relied upon as the sole legal basis for processing data.
- Using Customer Consent as grounds to process data – If you use customer consent when recording personal data, you need to review how you seek, obtain and record that consent, and whether you need to make any changes.
- Processing Children’s Data – The GDPR introduces a range of special protections to safeguard children’s data in the context of social media and the internet. If your organisation processes the data of underage subjects, you need to make sure you have adequate systems in place to verify individual ages and to gain consent from guardians.
- Reporting Data Breaches – Ensure you have the right procedures in place to detect, report and investigate a personal data breach.
- Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default – A DPIA is the process of considering the potential impact that a project or initiative might have on the privacy of an individual. It allows organisations to identify potential privacy issues and come up with a way to mitigate them.
- Data Protection Officers – The GDPR requires some organisations to designate a Data Protection Officer (DPO). These organisations will include public authorities and organisations that monitor data subjects on a large scale or process sensitive personal data on a large scale.
- International Organisations and the GDPR – The GDPR includes a provision that will assist organisations operating in a number of EU member states. Multinational organisations will be entitled to deal with one Data Protection Authority, referred to as a Lead Supervisory Authority (LSA), which will act as their single regulating body in the country where they have their main establishment.