Any organisation that processes the personal data of people in the European Union (EU) and is not in compliance with the new General Data Protection Regulation (GDPR) is at risk of a fine of up to 20 million euros or four percent of its global annual turnover, whichever is higher.
UK organisations that process the personal data of EU residents have only a short time to ensure that they are compliant. Ensuring you adhere to data protection policies is crucial as the effects of non-compliance can be devastating for you and your business.
What is Data Protection?
Data Protection is defined as the law designed to protect your personal information. Data protection is about safeguarding our fundamental right to privacy, which is enshrined in international and regional laws and conventions.
Introduced to keep pace with the modern digital landscape, the GDPR is more extensive in scope and application than the current Data Protection Act (DPA). The Regulation extends the data rights of individuals, and requires organisations to develop clear policies and procedures to protect personal data and adopt appropriate technical and organisational measures.
The Data Protection Act controls how your personal information is used by organisations, businesses or the government. Everyone responsible for using data has to follow strict rules called 'data protection principles'. They must make sure the information is used fairly and lawfully, ensuring the details of their staff, clients and customers are properly protected.
These principles ensure data is:
- Only used in specifically stated ways
- Not stored for longer than necessary
- Used only in relevant ways
- Kept safe and secure
- Used only within the confines of the law
- Not transferred outside the European Economic Area without adequate protection
- Handled in line with people’s data protection rights
Why is Data Protection needed?
The principles set out in The Data Protection Act help businesses ensure the details of their staff, clients and customers are properly protected.
Any information that your business stores digitally needs to be properly protected. From financial information and payment details to contact information for your staff; data usage in the UK is protected by law.
Think about every time you use a service, buy a product online, register for email, go to your doctor, pay your taxes, or enter into any contract or service request, you have to hand over some of your personal information:
- Telephone number
- Bank and credit card details
- Health information
To mention just some of the pieces of data you share. As a company, you may deal with private information that is commonly stored by businesses; be that employee records, customer details, loyalty schemes, transactions, or data collection. All these sensitive and private details need to be protected, in order to prevent data being misused by third parties for fraud and identity theft.
The GDPR applies to the following categories of information:
Art.4(1) "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Art.9(1) "Special categories of personal data" (called "sensitive personal data" under the DPA) are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership; genetic data and biometric data processed to uniquely identify a person; and data concerning health, sex life or sexual orientation. Data relating to criminal convictions and offences are addressed separately, in Art.10, and may only be processed under the control of official authority or where authorised by law.
Who does the GDPR apply to?
Those who should be most concerned with the GDPR are what are known as controllers and processors.
The definitions are broadly the same as under the DPA:
Art.4(8) "Processor" means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Art.4(7) "Controller" means the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by EU or Member State laws, the controller (or the criteria for nominating the controller) may be designated by those laws.
In other words: the controller says how and why personal data is processed and the processor acts on the controller’s behalf.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of the personal data you hold and of your processing activities. You will have significantly more legal liability if you are responsible for a breach. These direct obligations on processors are new under the GDPR; the DPA placed its duties on controllers only.
Essentially, any organisation can be a controller: for-profit companies, government entities, even non-profit associations. The GDPR also applies to controllers and processors established outside the EU, including in the U.S., where they offer goods or services to, or monitor the behaviour of, people in the EU (Art.3). It is the controller’s responsibility to ensure that its processors abide by data protection law, normally through a written contract (Art.28), and processors must themselves keep records of their processing activities.
Once the legislation comes into effect, 25th May 2018, controllers must ensure personal data is processed lawfully, transparently and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
Much of compliance will rest on the lawful basis relied on for each processing activity and, where that basis is consent, on how the consent is obtained. Before GDPR, a single broad consent at sign-up was common practice. Under GDPR, consent must be specific to each purpose: an organisation must obtain separate consent to use a customer’s data for different things such as marketing, support and maintenance, and pre-ticked boxes, silence or inactivity do not count as consent.
Art.4(11) "The consent of the data subject" means any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.
Controllers will need to keep a record of how and when an individual gave their consent, and individuals can withdraw consent at any time, as easily as they gave it; once consent is withdrawn, processing that relied on it must stop. Consumers will also be able to ask for access at “reasonable intervals” according to the GDPR, and controllers will need to respond within one month (extendable by a further two months for complex or numerous requests). Consumers have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it’s stored for and who gets to see it. Individuals also have the right to demand that their data is deleted if it is no longer necessary for the purpose for which it was collected. This is known as the “right to be forgotten” (Art.17). Under this right, they can also demand erasure if they have withdrawn the consent on which the processing was based and there is no other lawful basis, or if they object to the processing and there are no overriding legitimate grounds to continue.
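The record-keeping and withdrawal requirements above are usually implemented as a per-purpose consent ledger. The following is an added illustration written for this page, not code from the article or from any regulator; the class and field names, the purposes "support" and "marketing", and the sample customer "cust-1001" and its events are constructed for the example:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision for one subject and one purpose (Art.4(11): specific)."""
    subject_id: str
    purpose: str                  # a single purpose, e.g. "marketing" (no bundling)
    granted: bool                 # True = consent given, False = consent withdrawn
    timestamp: datetime           # when; must be timezone-aware
    evidence: str                 # how: the form/version and the affirmative action taken
    source: Optional[str] = None  # optional channel detail, e.g. "web", "call-centre"


class ConsentLedger:
    """Append-only ledger; the latest event per (subject, purpose) is authoritative."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.timestamp.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        if not event.evidence.strip():
            raise ValueError("consent without recorded evidence cannot be demonstrated")
        self._events.append(event)  # never overwrite: a withdrawal is a new event

    def has_consent(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """Is consent for this exact purpose in force (now, or at a past instant)?"""
        at = at or datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose
                    and e.timestamp <= at]
        if not relevant:
            return False  # no record means no consent; never assume opt-in
        return max(relevant, key=lambda e: e.timestamp).granted

    def active_purposes(self, subject_id: str) -> List[str]:
        """Purposes the subject currently consents to (for the privacy dashboard)."""
        purposes = {e.purpose for e in self._events if e.subject_id == subject_id}
        return sorted(p for p in purposes if self.has_consent(subject_id, p))

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything held about the subject's consent, for a subject access request."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.timestamp)


def marketing_was_lawful(ledger: ConsentLedger, subject_id: str, sent_at_iso: str) -> bool:
    """Audit helper: was marketing consent in force when a message was sent?"""
    return ledger.has_consent(subject_id, "marketing", at=datetime.fromisoformat(sent_at_iso))


def demo_ledger() -> ConsentLedger:
    """Constructed sample data: one customer consents to two purposes, later withdraws one."""
    utc = timezone.utc
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("cust-1001", "support", True,
                               datetime(2018, 5, 25, 9, 0, tzinfo=utc),
                               "signup form v3: ticked 'contact me about my account'", "web"))
    ledger.record(ConsentEvent("cust-1001", "marketing", True,
                               datetime(2018, 5, 25, 9, 0, tzinfo=utc),
                               "signup form v3: ticked 'send me offers' (unticked by default)", "web"))
    ledger.record(ConsentEvent("cust-1001", "marketing", False,
                               datetime(2018, 9, 1, 14, 30, tzinfo=utc),
                               "clicked 'unsubscribe' link in newsletter 2018-09", "email"))
    return ledger


if __name__ == "__main__":
    ledger = demo_ledger()
    print("active purposes:", ledger.active_purposes("cust-1001"))
    for e in ledger.history("cust-1001"):
        state = "granted" if e.granted else "withdrawn"
        print(e.timestamp.isoformat(), e.purpose, state, "-", e.evidence)
```

Two design choices matter for an audit: the ledger is append-only, so a withdrawal is a new event rather than an overwrite and the original grant and its evidence survive; and has_consent accepts a point in time, so a controller can show that a particular marketing message was lawful when it was sent even if consent was withdrawn afterwards.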
Organisations must carry out data protection impact assessments (DPIAs, Art.35) for high-risk processing, such as large-scale systematic monitoring. Companies must also introduce audits and frequent policy reviews. The GDPR requires a data protection officer only for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data (Art.37); the 250-employee threshold instead exempts smaller organisations from some record-keeping duties (Art.30). Regardless, all organisations will need someone who is responsible for security policies and procedures.
Data Breach Notifications
Even with the best intentions, bad things can still happen. Under GDPR, data breach notification becomes mandatory. Each company should create a procedure for notifying its supervisory authority, and in some cases the affected individuals, of a breach.
Art.4(12) "Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
If a company suffers a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, it must notify its data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Art.33); if notification is later than that, the reasons for the delay must be given. Where the breach is likely to result in a high risk to individuals, the company must also notify the affected people themselves without undue delay (Art.34). Missing the deadline, or failing to notify at all, puts companies at risk of significant fines.
What should I do?
To help prepare for the start of GDPR, the ICO has created a 12-step guide. The guide includes steps such as making senior business leaders aware of the regulation, determining which information is held, updating procedures around subject access requests, and what should happen in the event of a data breach.
As well as this guidance, the ICO says it is creating a phone service to help small businesses prepare for GDPR. The service will provide answers about how small companies can implement GDPR procedures and starts at the beginning of November 2017.
Data protection is not just a legal necessity, but crucial to protecting and maintaining your business. For millions of digital enterprises in the EU, now is the time to ensure they are in compliance. Make the right move: start preparing for GDPR and get your systems in line with the new rules.
Further reading and sources:
- Official Journal of the European Union, legislative acts and Regulations.
- The EU General Data Protection Regulation (GDPR).
- Key Definitions, Unlocking the EU GDPR.