GDPR – What is it and how will it affect me?
The new EU General Data Protection Regulation (GDPR) is a global data protection law that will affect any organisation with customers in the EU or which processes the personal data of EU citizens.
In the UK, the GDPR will apply from 25 May 2018 and the government has confirmed that the UK’s decision to leave the EU will not affect the adoption of the GDPR.
One of the main aims of the GDPR is ensure that personal data protection is accomplished. In the new GDPR, the 'right to be forgotten' is strengthened and this means that organisations now must – if there are no other legal interests by the firm – securely delete the personal data of what is referred to as the data subject.
Like the current Data Protection Act (DPA), the GDPR applies to 'personal data'. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – for example an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
How will it affect organisations in the UK?
According to the GDPR, every organisation that processes personal or sensitive information acts as either a 'controller' or as a 'processor' and both are equally responsible for ensuring compliance. A data 'Controller' is defined as any entity that, alone or jointly with others, determine how and why personal data is processed. A data 'processor' is defined as any person (other than the employee of a data controller) who processes data on behalf of a data 'controller'. In reality, what this means is that if you process sensitive or personal information, you will almost certainly fall into one of these categories.
Organisations will need to make sure that they have in place a number of measures, with some existing measures being updated and other new measures being introduced. For example the GDPR requires public authorities, as well as other entities, that are processing personal information to appoint a data protection officer (DPO), when the 'core activities' require 'regular and systematic monitoring of data subjects on a large scale' or consist of 'processing on a large scale of special categories of data'. Also there is an inclusion of mandatory privacy impact assessments (PIAs) in the GDPR, mainly as a result of the influence of the UK’s Information Commissioner’s Office. The GDPR requires data controllers to conduct PIAs where privacy breach risks are high to minimise risks to data subjects.
For most organisations that keep data such as HR records, customer lists, or contact details etc., the change to the definition is unlikely to make any practical difference. It can reasonably be assumed that if an organisation holds information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The new regulations have also introduced a requirement for organisations to notify the local data protection authority of a data breach within 72 hours of discovering it. This means organisations will need to ensure that they have in place the technologies, procedures and processes to enable them to detect and respond to any data breach and report it within the designated period.
The penalties that are being introduced under GDPR are severe. The GDPR has established a tiered approach to penalties for breaches which enables the Data Protection Authorities (DPAs) to impose fines, for some infringements (eg breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent), of up to EUR20 million or 4% of annual worldwide turnover , whichever is the higher. Other specified infringements could attract a fine of up to EUR10m or 2% of annual worldwide turnover, whichever is the higher.
The proper erasure of information is not something that is often seen in software. However, in the future, under the new GDPR, all software will be required to be capable of completely erasing data. This has always been a difficult problem and will certainly create a challenge for organisations.
What do you need to do?
The UK Information Commissioner has issued a 12 point checklist of actions that need to be taken. These are:
- To ensure senior/key people are aware of GDPR and appreciate its impact.
- To document any personal data you hold, where it came from and who you share it with. Conduct an information audit if needed.
- Review your privacy notices and plan for necessary changes before GDPR comes into force.
- Check that your procedures cover all individuals' rights under the legislation – for example, how you would delete personal data or provide data electronically in a commonly used format.
- Plan how you will handle subject access requests within the new timescales and provide any additional information.
- Identify and document your legal basis for the various types of personal data processing you do.
- Review how you seek, obtain and record consent. Do you need to make any changes?
- Put systems in place to verify individuals' ages and, if users are children (likely to be defined in the UK as those under 13), gather parental consent for data processing activity.
- Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Adopt a 'privacy by design' and 'data minimisation' approach, as part of which you'll need to understand how and when to implement Privacy Impact Assessments.
- Designate a Data Protection Officer or someone responsible for data protection compliance; assess where this role will sit within in your organisation’s structure/governance arrangements.
- If you operate internationally, determine which data protection supervisory authority you come under.