An overview of the new General Data Protection Regulations
The new General Data Protection Regulation comes into force in May 2018. This is a complex and lengthy piece of legislation that will apply to any business that currently has to comply with the Data Protection Act in the UK.
We’re leaving the EU so we don’t have to worry about this…
Wrong! The GDPR applies to ‘any entity that either controls or processes the personal data of any EU subject, or any company that does business with any individual or company in the EU.’ The GDPR will come into force before the UK leaves the European Union, and the government has confirmed that the regulation will apply, a position confirmed by the Information Commissioner.
The GDPR introduces much tougher penalties than the current Data Protection Act. Businesses found in breach can expect fines of up to 4% of annual global turnover or €20 million – whichever is greater. Data breaches are commonplace and increase in scale and severity every day. As Verizon’s 2016 Data Breach Investigations Report reaffirms, “no locale, industry or organization is bulletproof when it comes to the compromise of data”, so it is vital that all organisations are aware of their new obligations so that they can prepare accordingly.
What is personal data?
The definition of personal data has always been pretty wide but the GDPR seems to broaden it further. The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information.
Some of the challenges…
Consent becomes increasingly important – Proving valid consent for using personal data is likely to be amongst the biggest challenges faced by businesses. Businesses will need to ensure that they make it clear how they will use people’s information and use simple language when asking for consent to collect personal data. Expert opinion suggests that most of the consent mechanisms currently in the market are not valid under the GDPR.
Privacy by design – Software will be required to be capable of completely erasing data, which will be a challenge for a lot of software systems.
The GDPR introduces the right to be forgotten – Organisations must not hold data for any longer than absolutely necessary. Businesses will also need fresh consent before changing the use of any data and will need to have processes and technologies in place to delete data in response to requests from those whose data they hold.
You may need a Data Protection Officer – You might need to appoint a Data Protection Officer if your company’s activities include:
Large-scale processing and monitoring of data subjects
Large-scale processing of data that includes sensitive demographic data (gender, religion, race, health, sexual orientation, etc.)
Processing of personal data in relation to criminal offences and convictions
According to a study by the International Association of Privacy Professionals (IAPP), this requirement means that, in Europe alone, 28,000 DPOs will have to be appointed in the next two years.
Introduction of mandatory Privacy Risk Impact Assessments – A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers will be required to conduct privacy impact assessments where privacy breach risks are high to analyse and minimise the risks to their data subjects.
There is no doubt that the GDPR will pose a significant challenge and the size of the penalties could easily lead to business insolvency.
What you need to do
You’ve got just over 12 months to prepare, so start planning. You could start with an audit of any companies that provide you with data or telemarketing services; using reputable, reliable companies for these services will be a real time saver. There are some fantastic publications available, such as the EU GDPR Pocket Guide – https://www.itgovernance.co.uk/shop/product/eu-gdpr-a-pocket-guide – and the Implementation and Compliance Guide – https://www.itgovernance.co.uk/shop/product/eu-general-data-protection-regulation-gdpr-an-implementation-and-compliance-guide – from IT Governance. And if you are going to need a DPO, appoint one early to give them time for an early assessment of processes and systems.