The General Data Protection Regulation (GDPR) is a regulation which intends to strengthen and unify data protection for individuals within the European Union (EU).
The GDPR covers personal data. (Sometimes referred to as personally identifiable information – PII). This includes names, addresses, phone numbers, account numbers, email and IP addresses.
The goal of the GDPR is to give control and power over personal data back to users. It’s your personal data but in many cases you’re not really in control of it. The new law is a significant development for personal privacy which aims to return the balance back in favour of the individual.
The GDPR takes into account the many advances in new technology and media.
When the existing Data Protection Act (DPA) was introduced, in 1998, the internet was very new. People didn’t understand the full implications of what it would lead to. Additional developments such as social media and cloud computing have drastically altered the information landscape. It is clear that far more information is now being held, processed and transferred. Our personal data now contains many more types of information and it is used in more ways than ever before.
The GDPR adds new requirements for documenting procedures, performing risk assessments, notifying the consumer or user and authorities when there is a breach, as well as strengthening rules for data minimisation.
In summary, the GDPR legislates a lot of common sense data security and privacy ideas: minimise collection of personal data, delete personal data that’s no longer necessary, restrict access and secure data through its entire lifecycle.
The initial change is that you no longer have to register. If you capture, keep or process any personal data of data subjects who are in the European Union then you are subject to the GDPR.
There are a number of major new requirements in the GDPR, (see Note 10 below), but for those companies which have good procedures to comply with the current DPA, the transition to the GDPR should be easier to manage.
The regulator has lots of new rights, including very hefty financial penalties and the right to stop or restrict you from processing any personal data. For example, the regulator can audit your personal data processes, which must be documented, requiring you to produce all those procedural records.
The GDPR applies to every organisation that uses personal data to provide goods or services to anyone residing in an EU country. This rule applies irrespective of the location of the organisation itself, so UK businesses are directly affected. There are some rare exceptions in regard to law enforcement agencies.
It covers any organisation which offer goods or services, which includes both paid for and free services; or any organisation who monitor the behaviour of data subjects within the EU.
In short, if you provide any services to residents or citizens of the EU, the GDPR applies to you.
Article 4 of the GDPR uses quite a broad definition of personal data as:
“… any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person”
In effect, personal data is anything about an individual. This includes personal data collected as part of internal business processes e.g. HR records, contracts and payroll, as well as records of customers, members, prospects and subscribers.
It should be noted that from a Sales and Marketing perspective, personal data exists in both Business to Consumer activities (B2C) as well as Business to Business (B2B).
Organisations must appoint a DPO if they are a public body, or process sensitive data on a large scale or complete regular and systematic monitoring of data subjects. Deciding what is meant by large scale is open to interpretation but organisations would be advised to err on the side of caution. Earlier thoughts during the development of the GDPR about the need for a DPO indicated larger organisations would need one. If you meet that threshold and decide not to have a DPO, you will need compelling reasons.
Larger organisations – those with over 250 staff – have additional responsibilities including the requirement to document all processes involving the handling of personal data.
A DPO doesn’t need to be a specified member of staff, as a third party can be used. In Germany, this practice has been in use for some time, with specialist agencies offering DPO services.
It’s essential that the DPO has a level of independence and authority with regard to the organisation.
It’s also very important to establish that a DPO has the appropriate skill levels, training and ability to access the information they require.
It is therefore critical that the DPO has the ability to both understand the law and how it should be applied within the organisation, This expertise must be applied to an understanding of the ways that the organisation acquires and processes information, as well as the security and protection measures employed.
It’s quite likely that many individuals who currently have the role of data protection representative, may not be suited to the new DPO role.
Where you have existing customers, i.e. persons to whom you have provided a product or service – even if provided free of charge – you are permitted to stay in contact with them, provided that you:
a) can provide evidence that they are your customers, and
b) you offer them at all times the opportunity and ability to decline future contact by your organisation.
You may hold other personal data, for which you rely on the consent of the data subject, e.g. lists of leads, prospects, website contacts or blog subscribers. In these cases, it is essential that:
– their consent was freely and knowingly given, and that you can prove this,
– that you use their information only for purposes consistent with the consent that was given,
– that the data subjects have the opportunity to withdraw their consent.
This area is complex, and the exact way in which the regulations should be applied will be dependent on the ways in which any existing personal data – and consent – was acquired. Furthermore, it is essential to plan and implement compliant processes and systems that follow a Privacy by Design framework to ensure that all personal data held or processed in the future is secure. Above all, it’s essential that you document all your processes concerning the handling of personal data, and that these are designed with the individual’s privacy rights as the main consideration.
This is one of the hardest areas to address and really needs to be evaluated by a proper Risk Assessment.
One thing to bear in mind is that the risk should be evaluated from the point of view of the individual and should be gauged according to the size or scale of the risk to the individual.
The GDPR describes the risk areas but there is an element of judgement for each organisation. It is not as simple as identifying how many individuals’ data you process, but rather the type of data and extent of processing all affect the level of risk, e.g. if you are responsible for a small amount of personal data which could if not properly managed, present a very serious potential impact on the individual, then the risk is high.
As the protection of privacy becomes ever more of an issue for individuals, having a good reputation in this respect will become a differentiator and will allow customers to make a more informed choice based on trust.
– The processes for ensuring compliance should also support good information governance, while generating procedural and operational efficiencies, including storage and costs savings.
– Concepts such as Privacy by Design can help to ensure that operational processes are planned and developed in a way that helps to avoid later disruption, manage reputation, and drive the quality of products and services.
– New GDPR requirements such as pseudonymisation and encryption of personal data will help to support big data analytics, by ensuring that large volumes of data provided for analysis are delivered in a way which supports the privacy of the individual, and helps to release the value of that information.
Compliance with the GDPR means properly designing and documenting compliant systems, procedures and processes which ensure the protection of personal data. This starts with executive ownership of the responsibility for personal data and will also entail training, good record keeping and the review of working practices.
The law has new requirements regarding the use of consent and how it should be obtained. To ensure individuals are being treated fairly, consent must be freely given and individuals fully informed. It is not acceptable to rely on silence or inactivity as consent.
It is definitely not enough to publish a policy which describes the intent to comply with GDPR.
Breach notification – An important requirement that companies must notify data authorities within 72 hours after a breach of personal data has been discovered. Data subjects may also have to be notified, but only if the breached data poses a “high risk to their rights and freedoms”
Fines – The higher fines are generally applied if the rights of individuals have been breached, if there are issues around international transfer and where there is non-compliance with the regulator. The second tier of fines, which are still significant, refer to more procedural and operational failures.
The Right to Erasure and To Be Forgotten –The GDPR includes rights for personal data published on the web. This relates to the right to stay out of the public view and “be forgotten”.
Extraterritoriality – This new principle says that even if a company doesn’t have a physical presence in the EU but collects data about EU data subjects, e.g. through a website, then all the requirements of the GDPR will apply. In other words, the new law will extend outside the EU. This will especially affect e-commerce companies and other cloud businesses.
Privacy by Design (PbD) – The new law makes explicit the principles of minimising data collection, retention and gaining consent from consumers when processing data.
Data Protection Impact Assessments (DPIA) – When certain data associated with subjects is to be processed, companies must first analyse the risks to their privacy.
The first step is to recognise that something needs to be done, this shouldn’t be ignored and should be done in the next few months.
The next step is to carry out an assessment of your current situation to establish how compliant you are and what to do next – “Where are we now? “And where do we need to be?”
Once you know where you need to be, you can make a considered decision and include GDPR compliance requirements into your overall risk and compliance framework.
Your approach to auditing should provide a measure of two key factors: Risk and Readiness.
It should be recognised that the steps towards compliance are dependent on your circumstances, so there is no fixed template which will suit all organisations. Variations in size, activity and operational practices mean that each organisation will have a unique risk profile that can vary considerably.