10 Key Facts of GDPR that will aid your compliance


Data protection legislation in the UK is changing and will be fully enforced from May 2018. The new legislation is the General Data Protection Regulation (GDPR).

The main objective of GDPR is to set out the current and newly enhanced obligations and responsibilities organisations must follow in order to safeguard the data of EU citizens. Even B2B organisations need to treat their data in line with it. You now have less than a year to become fully compliant and to put all the process and system changes in place to ensure you meet the standard.

1). Who GDPR applies to

Simply put: almost every business. GDPR applies to all organisations that handle the data of EU citizens, and it will significantly affect organisations all around the world that are looking to tighten their security. Here are the specific criteria for a company required to comply:

  • A presence in an EU country.
  • No presence in the EU, but it processes personal data of European residents.
  • More than 250 employees.
  • Fewer than 250 employees, but its data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.

2). Stronger sanctions

Failure to comply with the new GDPR regulation will result in serious fines. More specifically, if you violate your obligations around record-keeping, security, breach notification and privacy impact assessment, then regulators have the authority to issue penalties of up to €10 million or 2% of the organisation's global turnover. There's more: if you fail to comply with the legal obligations for processing data (e.g. consent), data subject rights or cross-border data transfers, then be prepared to face fines of up to €20 million or 4% of turnover.

Put it this way: do you remember TalkTalk's data breach incident last year? As a result they had to pay a penalty of £400,000. If the same incident happened again under the new GDPR regulations, TalkTalk could have faced penalties of £59 MILLION.

Though not every breach or failure to comply will result in these massive fines, it is a possibility.

3). How ‘valid consent’ is obtained is paramount

Data consent and processing is likely to be the most challenging change for organisations. GDPR now requires organisations to obtain clear and affirmative consent when collecting data. Organisations need to be clearer than ever about how an individual's data will be used and processed, as without valid consent any data processing initiative will be questioned by the authorities. A double opt-in feature is mandatory, which works to firms' advantage, as they can improve the quality of their databases with actively engaged consumers.

4). Current principles remain but new rights are introduced, such as:

  • The right to be forgotten: this refers to the erasure of any data at the request of the subject, which now forces companies to put measures in place to discover, manage and delete user data, which can be a difficult task.
  • Right to data portability: this refers to the individual's right to obtain and reuse their personal data for their own purposes across different services (using a common, computer-readable format), allowing them to move, copy or transfer data from one IT environment to another in a secure manner.

5). Mandatory privacy impact assessments

A PIA (Privacy Impact Assessment) is a tool for identifying and assessing privacy risks throughout the development life cycle of a programme or system. If you are planning to implement any new technology that is likely to result in a risk to personal data, then as a business you are required to perform an impact assessment before carrying out any processing.

The PIA should identify any risks arising from the collection or processing of data.

6). Mandatory appointment of Data Protection Officers

This mandatory role must be filled if your organisation processes data on a large scale that requires systematic monitoring of data subjects, or handles data of special categories (e.g. health, race, sexual orientation and religion) or personal data regarding criminal convictions and offences.

The tasks of a DPO are mainly to supervise the organisation's compliance with GDPR and to oversee how staff deal with personal data. Your DPO can be an existing member of staff; however, you can also appoint an external service provider.

More importantly, the chosen DPO must:

  • Be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices.
  • Give their contact details to the relevant DPA.
  • Be provided with the appropriate resources to carry out their tasks and maintain expert knowledge.
  • Report directly to the highest level of management.
  • Not carry out any other tasks that could result in a conflict of interest; your IT manager, for instance, may not be the best person.

7). More harmonised EU data protection regime

Although every EU state will have its own authority, each will give the same advice and messages under GDPR, and there will be increased co-operation and consistency between EU regulators. This means that organisations only have to deal with one universal regulator, rather than a different one for each EU country.

8). Mandatory data breach notification

GDPR will ensure all organisations constantly monitor their systems for data breaches, as it will be mandatory to report any cyber incident that puts data at risk to the local data protection authority within 72 hours of discovery.

This means organisations need to start considering implementing the right technologies, or outsourcing their IT duties, in order to be able to detect and respond to a breach. For most organisations this will require some training throughout the entire business, ensuring data breaches are correctly understood, prevented, recognised and reported.

9). All organisations that ‘touch’ personal data will be liable

Responsibility will no longer sit only with the data controller of the initiating organisation. It will also sit with any organisation that uses personal data provided to it (e.g. a service provider).

10). GDPR requires privacy by design

Now all organisations must treat privacy as a paramount consideration at the design stage of any project, to ensure that privacy and the protection of data are no longer an afterthought.

And finally...

The UK's exit from the EU will not mean that companies will not need to be compliant: it was announced in June that the UK Government has confirmed its intention to bring the EU General Data Protection Regulation (GDPR) into UK law, ensuring the country's data protection framework is "suitable for our new digital age, allowing citizens to better control their data".

If you are unsure what to do next or would like to know more, we can aid you in your journey towards GDPR compliance: click here to book a call with one of our consultants. Alternatively, contact us here.