GDPR - General Data Protection Regulation
Preparing Your Business for GDPR
The General Data Protection Regulation comes into force in May 2018; here’s how it affects you and why you should be preparing now.
When the Data Protection Act was introduced, back in 1995, it offered fairly adequate boundaries – for the time. Nowadays the DPA is a little outdated; after all, who could have predicted just how much personal data would be available thanks to social media, cookies and other marketing techniques? The EU decided that new protection for the privacy of the individual was required. The details were finally agreed on 14th April 2016, and the legislation will come into effect in May 2018. This new legislation is called the General Data Protection Regulation (GDPR).
GDPR is in two parts:
- It allows individuals to decide who can see their personal data and what it is used for.
- It brings into line every business operating in the EU, or transferring data to or from an organisation that operates in the EU, giving them one uniform way of dealing with how data is processed and stored.
The bottom line is this: when GDPR becomes law in May, businesses must become more transparent and better documented with regard to the data they use, store and share with other businesses and organisations.
You might be thinking this won’t affect you until next year, but you would be mistaken. You must start preparing for this transition now because there will be no grace period, no ifs, buts or maybes. When GDPR lands, if you are not ready and fully compliant, you could be hit with a fine of up to 4% of your global revenue or €20m, whichever figure is greater.
DO NOT PUT IT OFF!
So what is expected of you as a business? Let’s start by defining your role and responsibilities, look at what’s changed from the old rules, then sum up what steps you should be taking.
The Data Controller - you - determines what data is processed and how it is processed. It is your job to put in place measures of compliance that meet the standards of the legislation, e.g. privacy policies.
The Data Processor, as the name suggests, processes the data for the data controller. This processing can involve collection, recording and storage of the data. The data processor has to take responsibility for recording what they do, who they are, the details of any third party, cross-border transfers and whatever security measures have been put in place.
The Data Protection Officer (DPO) is appointed by the data controller to ensure compliance with GDPR. They are (usually) a lawyer or a recognised expert in data protection law. It is their job to carry out Data Protection Impact Assessments (DPIAs), which are required when there are elements of risk such as using new technology, introducing profiling likely to affect customers, or processing special category data on a large scale. The DPO makes sure all data processing records are kept up to date in case you are asked to produce them.
The Data Subject is the person whose data is being processed and controlled by you, the data controller. They can be identified, or are identifiable, according to the data you hold.
The Third Party is any other individual or organisation that is involved in the data transaction.
Now we’ve all been formally introduced, let’s look at the most significant changes to data protection legislation.
Increased territorial scope: you may be thinking this isn’t such a big thing for us in the UK because Brexit is looming on the horizon. Be aware: even if the British government doesn’t retain this law post-Brexit, GDPR doesn’t just apply to organisations in EU countries; it applies to any organisation anywhere in the world that wishes to do business with an organisation within the EU. It affects the control and processing of all personal data of EU citizens, even if that processing takes place outside of the EU.
Consent: as it stands, you cannot always be absolutely sure what it is you are consenting to because it is tangled up in that beautiful language, Legalese. From May you will have to ensure that any request for consent to the processing, use, storage and transfer of personal data is legible, plainly written and easy to understand. Also, importantly, it must be just as easy to withdraw consent to the use, storage and transfer of personal data as it is to give it.
When it comes to data subject rights…
Breach notification: this must happen within 72 hours of you first becoming aware of the breach, especially when the data breach is likely to “result in a risk for the rights and freedoms of individuals.”
Right to access: the individual has the right to obtain confirmation from the controller that their personal data is being held, where it is being held and what it is being used for.
Right to be forgotten: also known as data erasure, this gives the data subject the right to request that any personal information the data controller holds on them be deleted, that dissemination of the data be halted and that third-party usage be prevented, where the data is no longer relevant and consent is withdrawn. In this instance the controller should weigh the subject’s rights against the “public interest in the availability of the data”.
Data portability: the data subject has the right to receive their own personal data and then the right to further transmit that data to another controller.
Privacy by design: rather than adding data protection as an afterthought, all new systems should have it built in during their design phase.
Right then, let’s take a look at the steps your business should be taking to stay ahead of the new legislation:
- Appoint a person, or team depending on the size of your organisation, whose responsibility it is to make sure everyone within your organisation is up to speed with GDPR before it comes into effect.
- Place restrictions on the number of staff who have access to customers’ personal data – if they don’t need to see it, they shouldn’t be allowed to see it!
- When you collect their data, let the client/customer know exactly who you are, why you are collecting it, what you will be using it for, who will be allowed access to it and how long you will retain it before deletion.
- Let your clients/customers know what their rights are; tell them that they retain control over the information stored, how it is used and who sees it and that they have the right to withdraw consent and request its deletion.
- Make sure you have their full consent. It is no longer enough to have a tick box that says something like: “…by consenting to our Terms & Conditions you are giving your permission…” etc. There has to be a positive opt-in that makes clear exactly what they are opting in to.
- If the data subject is under the age of 16 you are obligated to get the consent of a parent or legal guardian before processing their data.
To sum up then: if your website is interactive, it is imperative that your clients and customers not only have the ability to fully control the personal data you hold about them, but are also made aware that they have that option. Let them know what data you hold, what it is used for and who has access to it, whether that is a member of your organisation or a third party.
If you are holding historic data that is no longer of any use or significance, it should be deleted unless you have the express consent of the individual or there is some kind of legal obligation to retain it.
GDPR is coming soon, start preparing for it now. Contact us for more information.