The GDPR (General Data Protection Regulation) is an EU led initiative to overhaul data protection legislation. It’s been classed as the biggest shake up of data protection in a generation and its outcomes will supersede the 1998 Data Protection Act and the 1995 EU Data Protection Directive. Its use has been agreed by all EU member states and will come fully into force on 25th May 2018.
But won’t Brexit mean this doesn’t apply to us?
Brexit will
not stop the implementation of GDPR. The GDPR is an EU regulation, not a simple directive, this means it is automatically lawfully applicable for all EU member states – given this agreement to go ahead with GDPR happened before the Brexit vote, GDPR and its rules will still apply and come into force on the 25
th May next year.
What happens if I don’t want to comply?
The big issue that everybody is talking about is the fines. Currently the maximum fine for data breach or miss use of personal data is £500k. TalkTalk probably had one of the most famous breaches of recent times – they got fined just £400k. The new fines are a maximum of €20m or 4% of global turnover – whichever is higher! Under the new regulations, TalkTalk would have been fined in the region of £50-60million.
So what are the main differences coming into force?
As with any new legislation or regulation, it’s complicated and there are lots of documents/reports to be read and, being honest, we still think there are a lot of grey areas still to be bottomed out (supposedly the ICO will deliver full guidance in Summer 2017, but so far, we’re still waiting for that).
However, some of the key differences already apparent are:
The Role Of Controller And Processor
Under current rulings, data breaches and issues are the responsibility of the controller (i.e. the legal owner of that data) and the fines go to them too. Under GDPR, it will introduce the role of the processor – processors don’t own the data but have a legitimate reason for working with it on behalf of the controller. A nice simple example is if you outsource your PAYE. Your company is the controller of the personal data (Names, addresses, salary, NI number etc), but you’re passing that information to a processor to get your PAYE ran. If your PAYE data is leaked, it’s both your fault and you’re both liable.
The Use Of Third Countries
As noted above, all countries in the EU have adopted GDPR. But what also has been brought into place is that if a data breach happens in a third country (i.e outside the UK and EU), GDPR rules still apply. So if you’re data is breached in the US or China, you’re still at fault and still liable to fines. This is of concern to many organisations as it brings questions in around cloud based services – how many cloud/web-based email, finance or CRM packages are hosted in the US whom don’t have to update their procedures to be GDPR compliant?
Introducing The DPO
Under GDPR certain organisations are going to be required to appoint an official Data Protection Officer (DPO). Organisations that must have a DPO appointed fall into one or more of three categories; they are a public sector body, they regularly and systematically monitor data subjects on a large scale or they process large volumes of special data (see below). This is where some of the vagueness comes in – currently there is no exact definition of large scale (is it 100 records a month or 10,000 or 1m?).
The DPO’s role is to lead the organisation in its compliance with GDPR, provide advice in relation to data protection and act as the main contact for any investigations from the authorities. To be appointed a DPO, the individual must have expert knowledge of data protection, must work in an independent manner, must work in a confidential way and, most importantly, it doesn’t have to be a current employee (you can outsource this role to a professional organisation if you wish).
Special Data
Special data is data which includes an individual’s health, race, political leanings, sex life, religious stance, trade union membership or any data relating to a child (under 16). Special data has two main implications; as noted above if you’re processing a lot of it, you require a DPO and if you are processing it, you must have a specific legal reason for doing so. It’s understood that breaches of special data will likely be hit by the higher level fines too.
Consent
For us in the digital world, the importance of consent has been high on the agenda for a number of years – remember the cookie law? Well consent is a
big part of GDPR. You must be able to demonstrate when questioned by the authorities (the ICO in the UK) records that demonstrate:
- whether or not they have withdrawn consent at any point.
- how they gave consent and
- what they were told their data would be used for at that time,
- when they consented,
- who consented to that record being stored
The Right To Erasure
More commonly known as the right to be forgotten in the media. This is a new addition to the ‘Rights of Individuals’ (there were 6, there are now 8). This part of GDPR notes that any individual has the right to request their data be deleted – but, for obvious reasons, only in certain circumstances. For example, a record of a financial transaction cannot be deleted until the legal six years has passed.
As a controller/owner you also don’t always have to delete the record in full – you can delete certain aspects of it to ensure it cannot be used to identify an individual. This is useful, as you can keep records that may have been requested to be deleted while still complying with GDPR, i.e. just delete the user’s name, phone number, email and main address lines but retain the additional, non-identifying information, so you can still find out things like product popularity by postcode, date or time.
The Right To Data Portability
Within GDPR, individuals now have the right to receive and reuse their personal data that you hold for their own purposes and with different service providers. The data must be provided to them in a structured and commonly used format (CSV for example). You have one month to provide this if it is requested.
Documentation, procedures and processes
To start to be compliant with GDPR, there are a lot of new procedures and processes you and your organisation will need to implement so that, should a breach occur or a complaint be lodged, you can quickly and accurately confirm to the ICO that you have acted in a legal and responsible way and aim to avoid any fines. We’ll be picking up some of these elements in later blogs – so keep checking back!