I have been asked in a number of meetings over the past few months "What is GDPR?" and in some cases "What do I have to buy?"
Let's get one thing straight from the start: GDPR is NOT an IT problem, and you can't just buy something and make it go away. This is a common misconception, so I thought I would take the time to jot down what I have learned so far and see if it can help you.
The EU General Data Protection Regulation (GDPR) applies from 25th May 2018. It applies to all organisations processing the personal data of people in the EU, wherever the organisation is based, and it introduces a new and actively enforced regime for how organisations handle data protection. The penalties for non-compliance with GDPR can be up to 20 million euros or 4% of the company's worldwide annual turnover, whichever is higher. In addition, data subjects get a right to claim compensation from an organisation under GDPR.
It is important to understand your obligations and to start working towards your compliance requirements now. Being ready by 25th May 2018 will be a major undertaking, but the risks of not being prepared for GDPR are too big to ignore.
What are the new requirements?
Privacy by Design – GDPR makes Privacy by Design a formal requirement (Article 25, "data protection by design and by default"). In practice this means collecting only the personal data you actually require, keeping it no longer than you need it, and, where you rely on consent as your basis for processing, obtaining that consent clearly from the consumer.
Right to Erasure – The current EU Data Protection Directive already gives consumers a right to request deletion of their data. GDPR (Article 17) extends this to data that has been published on the internet: where you have made the data public, you must erase it yourself and take reasonable steps to inform other controllers processing that data that erasure has been requested. This is where you hear the second term, the "right to be forgotten", which is about getting the data out of public view and removed from your systems, not just from the copy the subject first complained about.
Breach Notification – Within 72 hours of becoming aware of a personal data breach you have to inform the supervisory authority, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a "high risk to the rights and freedoms" of the affected individuals, you must also notify the data subjects themselves without undue delay.
Fines – Now this is where most companies' ears perk up. GDPR introduces fines of up to 4% of a company's worldwide annual turnover or 20 million euros, whichever is higher, for the most serious infringements, with a lower tier of 2% or 10 million euros for others.
Data Protection Impact Assessments (DPIA) – A DPIA is required in high-risk situations, for example where a new technology is being deployed or where a profiling operation is likely to significantly affect a data subject.
Data Protection Officer (DPO) – Not all companies need a DPO, but if you don't have one I would advise that you assign this duty to someone in your organisation so that there is proper responsibility for your data protection compliance. Below are the regulation details identifying whether you are required to appoint a DPO.
"DPOs must be appointed in the case of (a) public authorities, (b) organisations that engage in large-scale systematic monitoring, or (c) organisations that engage in large-scale processing of sensitive personal data (Art. 37). If your organisation doesn't fall into one of these categories, then you do not need to appoint a DPO."
Consent – GDPR introduces strict new rules around collecting data on the basis of consent. You have to be clear and concise when requesting consent from the subject: state what the data is being collected for, use it only for that purpose, and make withdrawing consent as easy as giving it. Pre-ticked boxes and consent buried in terms and conditions do not count. As a controller of data, you are responsible for keeping an audit trail showing what each subject consented to, when, and how. You may as a business need to review how you are collecting and recording consent and whether you need to change your procedures.
Children's data protection – GDPR brings in special protection for children's personal data, focused particularly on commercial internet services such as social networking. To put this into context, if you offer online services directly to children and rely on consent to process their data, you will need verifiable consent from a parent or guardian to process those details lawfully (the default age threshold is 16, and member states may lower it to 13). This may have significant implications for your organisation if your business is aimed at children and collects their personal data. All consent requests must again be clear and specific when collecting children's data, and your privacy notice must be written in language that children will understand.
Does Brexit mean I have to comply?
There are a few misconceptions around Brexit when it comes to GDPR. The main one is that "Brexit means we don't have to comply". This is FALSE! Businesses will still have to adhere to this regulation. It is an EU regulation that protects the personal data of people in the EU, and it applies to any organisation processing that data regardless of where the organisation is based. So if you hold any details about people in the EU you have to make sure you are compliant and have taken the necessary steps, whatever jurisdiction you operate from.
As I said above, GDPR applies from next year, 25/5/2018, and we will still be in the EU on that date, so don't bury your head in the sand.
There are a number of other requirements that you may need to meet to comply with EU GDPR, but I am not a legal expert. So please take the time to investigate where you stand in relation to GDPR: understand your risks and what data you hold. Attend an event and discuss it further with legal experts to help you start building your foundations for GDPR.
Author: Mark Carlton, Group Technical Services Manager