General Data Protection Regulation: All You Need to Know About GDPR
Effective from 25th May 2018, the fast approaching General Data Protection Regulation (GDPR) will ensure people have more rights regarding how their data is stored, used and shared by companies and hefty fines will be implemented for failure to provide sufficient IT security to protect personal data.
Breaching the terms of the GDPR can result in fines of up to 4% of a company’s annual global turnover or 20 million euros (whichever is greater) as a maximum enforcement, which means failure to address the new regulations could result in catastrophic implications for organisations.
Despite Brexit, optimism is high, with some organisations spending up to £3.5 million on becoming compliant
As it’s a law of direct enforcement, it means that there are no amendments to previous regs and it will immediately replace any existing data protection laws in the EU Member States.
So, what do businesses need to know about GDPR?
The GDPR, which will supersede the UK Data Protection Act 1998, is going to introduce tougher penalties for data breaches and non-compliance of regulations, giving more control back to individuals on what businesses can and cannot do with their personal information all whilst harmonising data privacy laws across the EU.
Once the legislation is effective, personal data must be processed lawfully, transparently and purely for specific purpose. If the data is no longer required, it has to be destroyed or deleted. People have the right to order a business to delete their personal data so long as certain criteria is met, for example, there’s no legal ground for keeping it stored on record.
The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established
Large companies may want to consider hiring or nominating a Data Protection Officer or Data Controller within their business to be the first point of contact to manage data requests and queries. Companies with less than 250 employees should find it easier to manage without the additional resources, so long as they keep well documented records on their processing activities.
If you’re a business operating outside of Europe and think you’re out of the GDPR scope… think again!
The biggest difference between the GDPR and previous jurisdictions is that it applies to all businesses which process the data of an EU citizen, even if the processing doesn’t take place on EU soil. These activities include:
- Offering goods or services to EU citizens
- Monitoring behaviour that takes place within the EU
Non-EU businesses will need to appoint an EU representative if they are processing the data of a European citizen and should review their web operations and marketing practices as data collected will still need to be protected under GDPR rules.
News from EfficientIP says almost three quarters (72 per cent) of businesses are “confidently prepared” for GDPR, with 100 days to go
Any organisation in the world that provides services into the EU will be held accountable, which means companies in the U.S., for example, will still need to treat the May 2018 deadline as a priority.
UK businesses and Brexit
“We’re leaving the EU soon so we won’t have to comply, right?”
Wrong! As the enforcement of GDPR will take place prior to the completion of Brexit in March 2019, the UK will still be very much under the EU umbrella for a further 10 months. Furthermore, back in August 2017, the UK government proposed a Data Protection Bill that would transfer the GDPR into UK law after it leaves the EU anyway.
The GDPR will have direct effect in UK law from 25 May 2018. There are derogations (flexibilities) within the GDPR where the UK can exercise discretion over how certain provisions will apply.
Basically, the GDPR is going to affect anyone currently offering services within and to the EU market, otherwise trade with businesses in the EU will be out of the question.
Requesting consent for personal data use must be given in an easily readable form, understandable in layman’s terms, with the purpose for data processing attached to the consent.
Consent must be explicit, rather than implied or made under duress and it must be made just as easy to withdraw consent as it is to give.
Reporting a breach
Any breach, whether it’s accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed that could cause a risk to the rights and freedoms of an individual will need to be notified to controllers and the UK’s Information Commissioner’s Office (ICO) within 72 hours of first becoming aware of the breach.
The information commissioner (ICO) reiterates his call for stronger sentences for data theft after a court fined a woman just £1,000 for selling 28,000 customer records
The same procedure applies to businesses outside of the EU, except notification would need to be made to an EU regulator or your EU rep.
Right to access
In a bid to offer transparency of data processes, people are given the right to see how their personal data is being processed, stored and for what purpose. Upon request, controllers will be required to provide this information in electronic format, delivered within 1 month and free of charge.
Right to be forgotten
If the data stored is no longer relevant for its original purposes, there is no public interest in the availability of the data or an individual simply wants to withdraw consent, then the data must be deleted or no longer used.
New research reveals data protection and privacy fears as GDPR deadline looms. More Brits to decide to exercise the right to be forgotten.
It’s been reported that 34 per cent of Brits are already planning to exercise this right!
Privacy by design
Systems used in the storage and management of personal data must have the inclusion of data protection from the start, rather than as an addition.
What about technology?
It’s impossible not to link GDPR with technology, as tech systems will be at the core of ensuring compliance is a success, playing a huge role in the easy management and storage of personal data and supporting GDPR in the following ways:
- Keeping data secure with advanced privacy settings, authorised access and data encryption
- Improved data accuracy with employees being able to input their own personal details remotely
- Easily accessible data, readily available when an employee requests their right to access
- Easily amended when an employee would like to give consent, withdraw consent, update information or delete
- Monitors consent with reports highlighting gaps to chase up
- Simplifies the process of portability
- Ability to adjust privacy levels accordingly
- Delivery of GDPR training remotely and stored training completion details for compliance
However, it’s not all plain sailing with just good tech in place.
With the ongoing advancements of technology in the workplace, there have been many concerns about the risks of data leaks, especially with the increased implementation of the Bring Your Own Device policy (BYOD).
A bring your own device (BYOD) policy starts with HR setting the terms for new employees
Therefore, it’s important to invest in a HRIS that supports the GDPR requirements (if you’ve not done so already), which should be in alignment with proper GDPR guidance training and a watertight BYOD policy and procedure.
If you need further information on the GDPR, you can head over to the official GDPR website or check out an easily readable PDF of the full guidelines here.
With regards to drafting a secure policy, The National Cyber Security Centre has a great policy framework resource which can be found online.
Is your business prepared for the implementation of GDPR? We would love to hear your advice or concerns regarding GDPR – leave us a comment!
Since it is getting closer to May 25th I wanted to highlight that GDPR is no joke and everyone will be affected whether you are a business or a consumer. As we take our client privacy seriously, CakeHR will be GDPR compliant by the time the legislation comes into force. If you need any additional info or have any questions feel free to contact me – email@example.com!
We will be as transparent as you need us to be! 🙂