As you’ll probably know by now, the European General Data Protection Regulation (Regulation (EU) 2016/679), usually just called the GDPR, applies across the EU from the 25th May 2018. Because it is a Regulation rather than a Directive, it applies directly in every member state without needing to be transposed into national law (member states may only supplement it where the text allows). It is law that cannot be ignored or circumvented and it needs to be taken seriously no matter the size of the company or the sector in which it operates.
In this post we’ll discuss some of the new things that GDPR introduces which need to be addressed along with some gotchas that you might not know.
The regulation has been in the works for several years: it was proposed by the European Commission in January 2012, reviewed by the Article 29 Working Party and many other institutions, adopted by the European Parliament and the Council in April 2016, published in the Official Journal in May 2016 and entered into force on the 24th May 2016, with a two year transition period before it applies.
The GDPR repeals the previous Data Protection Directive (Directive 95/46/EC), adopted on the 24th October 1995. As a Directive it was not directly applicable; instead it required each member state to pass its own data protection legislation, which in the UK was the Data Protection Act (1998). The result was 28 slightly different national regimes. The new Regulation has been designed to harmonise data protection across all member states so that personal data is processed with the same level of control no matter which member state the data subject is located in.
The regulation protects data subjects who are in the EU (note: in the EU, not necessarily EU citizens) and its territorial scope goes much further than the existing Directive and member states’ own legislation. Any organisation outside the EU that offers goods or services to data subjects in the EU, or monitors their behaviour, is caught. For example, if a US airline lets people in the EU book flights directly through its own website, the airline is required to process that data in a manner which adheres to the GDPR, with all the same protections and requirements as if the processing were taking place inside the EU. So it’s not just EU organisations that need to adhere to the GDPR; it’s any organisation that holds, collects or processes data on subjects in the EU.
Alongside the GDPR, two other pieces of legislation are intended to apply from the same date: a Regulation on Privacy and Electronic Communications (proposed in January 2017 to replace the ePrivacy Directive 2002/58/EC, and still going through the legislative process at the time of writing) and updated Data Protection rules for EU institutions (replacing Regulation 45/2001). These align with and support the GDPR and so need to be considered as well.
So what’s the difference between the former Data Protection Directive and the GDPR? Let’s list a few of the main changes here:
- Data subjects can now require an organisation to delete their personal data (the right to erasure, better known as the right to be forgotten), for example where they have withdrawn their consent, where the data is no longer necessary for the purposes for which it was collected, or where it was processed unlawfully
- The GDPR reinforces many existing rights and establishes new ones for individuals
- Organisations in the public sector, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organisations whose core activities involve large-scale processing of special category (sensitive) data are required to appoint a Data Protection Officer whose role is to ensure that the organisation complies with the GDPR
- The GDPR places a much greater degree of accountability on the collection and processing of personal data. Organisations will need to document all personal data that is held, where it came from (how it was obtained), who it is shared with and the lawful basis on which it is held and processed. Consent is only one of six lawful bases; where consent is the basis it must be freely given, specific, informed and unambiguous, and it must be possible to demonstrate that it was obtained
- Organisations that collect data must explain the lawful basis for processing an individual’s data, the data retention periods that will apply, and tell people that they have the right to complain to the supervisory authority for their territory (in the UK this is the Information Commissioner’s Office, the ICO) if they feel that the organisation is not handling their data in a satisfactory manner. All of this needs to be in clear, easy to understand language and be publicly accessible. Privacy policies will need to be clear on the above points and, where consent is the lawful basis relied upon, that consent must be sought before the data is collected
- The GDPR adds the right to data portability. This means that you must be able to locate an individual’s data and export it in a structured, commonly used, machine-readable format, which of course varies with the type and amount of data. This right only applies to data that the individual has provided to the data controller, and only where the processing is based on the individual’s consent or on the performance of a contract and is carried out by automated means
- Transparency is now an explicit data processing principle. This brings with it the need to inform the data subject about how their data is to be processed, the controls that will be placed around it, and, if the data is to be processed by a third party, who that third party is and how they will process it
- Requirement to notify on data breaches. Within 72 hours of becoming aware of a breach the organisation must report it to the relevant supervisory authority, describing the nature of the breach, its likely impact and what remediation has been done or is to be done to prevent any recurrence. Where the breach is likely to result in a high risk to individuals, those individuals must also be told without undue delay. A breach does not have to be reported to the supervisory authority if it is unlikely to result in a risk to individuals’ rights and freedoms, and the duty to notify the individuals themselves falls away where the affected data was rendered unintelligible to anyone who obtained it, for example because it was properly encrypted and the keys were not also lost [read stolen here]. Encryption helps your case, but it is not a blanket exemption, so document the assessment
- Data sharing and processing agreements will need to be revisited to ensure that the requirements of the GDPR are stated within them and agreed by both parties. Data processors now have direct obligations under the Regulation and can be held liable for a data breach, whereas previously it was the data controller alone that carried the liability
- The collection and processing of children’s personal data now has specific requirements. Where online services are offered directly to a child, parental consent must be obtained for children under 16 (member states may lower this to 13), so age verification mechanisms may need to be put in place before a child’s data can be collected and processed
- The GDPR now makes ‘data protection by design and by default’ a legal requirement for all systems and processes. Alongside this, a Data Protection Impact Assessment (DPIA, what used to be called a Privacy Impact Assessment) must be carried out wherever the processing is likely to be a high risk for individuals. This includes where a new technology is being deployed; where profiling or other automated decision-making is likely to significantly affect an individual; and where there is large-scale processing of the special categories of data. This is a big area of compliance and further research will be required on how to conduct such assessments and manage the resulting risks
- One of the big sticks this regulation brings is the regulators’ ability to fine organisations for non-compliance and for breaching the regulation. Fines are tiered: up to the greater of €10 million or 2% of total worldwide annual turnover for failures such as not keeping records or not notifying a breach, and up to the greater of €20 million or 4% of total worldwide annual turnover of the undertaking for breaches of the core principles, data subject rights or international transfer rules. These are big numbers for any organisation and could potentially bankrupt smaller businesses; moreover, the first organisations to be fined are likely to be made examples of as a warning to others
If you are now feeling rather uncomfortable, you are not alone. Any organisation that is fully compliant with the current legislation in its own member state should be a good way there, but the GDPR brings many new requirements which will need to be planned, tested and put in place by the 25th May 2018, so there’s no time to lose…
So how should we go about getting ready? Firstly read up and secondly, read up! There are many good sources of information about how to tackle your GDPR readiness. Check the supervisory authority’s site in your member state; in the UK this is the Information Commissioner’s Office (www.ico.org.uk), which has a great readiness self assessment tool (1) that helps you to focus on the areas that need to be addressed.
To summarise what we know so far: if you haven’t yet started thinking about the GDPR and what it means to your organisation, then you need to start NOW. There are no second chances to get it right; come the 25th May 2018 you have to be ready. The regulation brings in rather large fines for non-compliance, so get everyone on board and get going.
In part 2 we’ll look at some of the implementation tasks that you should carry out and some of the pitfalls that this is likely to bring.
I hope you found this post interesting and informative and hope you’ll stop by again soon.
If you have any comments, please leave them below.
References and Links:
(1) ICO GDPR Readiness Self Assessment: https://ico.org.uk/for-organisations/improve-your-practices/data-protection-self-assessment/getting-ready-for-the-gdpr/