So, what is the General Data Protection Regulation (GDPR), and what does it mean to organisations in the UK? Well, it’s a piece of EU legislation that pretty much re-writes the data protection rulebook and, for the first time, will be globally enforceable (watch out Facebook!).
Here are some key points…
- The GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens; any company that works with information relating to EU citizens must comply with the requirements of the GDPR, making it the first global data protection law.
- The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information. Once it is in force, almost all personal data will fall under the GDPR, making it difficult for organisations to avoid having to comply with its requirements.
- The GDPR requires all organisations collecting personal data to be able to prove clear and affirmative consent to process that data (that means using simple language and being very clear on how it will be used). A recent report from the EU said that most consent mechanisms currently in place are not valid under the GDPR.
- The GDPR requires public authorities that process personal information to appoint a data protection officer (DPO), and requires other entities to do so when their “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”.
- The GDPR requires data controllers to conduct Privacy Impact Assessments (PIAs) where the risk of a privacy breach is high, in order to minimise risks to data subjects. This means that before a project involving personal information can even begin, the organisation must conduct a privacy risk assessment and work with the DPO to ensure it complies, and continues to comply, as the project progresses.
- The GDPR harmonises the various data breach notification laws in Europe and is aimed at ensuring organisations constantly monitor for breaches of personal data. From implementation, organisations will have 72 hours to notify the Information Commissioner’s Office (for the UK) of a data breach – so organisations will need to ensure they can detect and respond to a data breach that quickly.
- The Right to be Forgotten – organisations must ensure they hold only the minimal amount of data needed for the task at hand, and it cannot be used for any other purpose; they must have the processes and technologies in place to delete data in response to requests from data subjects. Also, organisations may not hold data for any longer than necessary.
- In the past, only data controllers were considered responsible for data processing activities, but the GDPR extends liability to all organisations that touch personal data. This means that even organisations that are purely service providers and work with personal data will need to comply with rules such as data minimisation.
- The teeth on the dog – Regulators will now have authority to issue penalties equal to the greater of €10 million or 2% of the entity’s global gross revenue for violations of record-keeping, security, breach notification, and privacy impact assessment obligations. However, violations of obligations related to legal justification for processing (including consent…), data subject rights, and cross-border data transfers may result in penalties of the greater of €20 million or 4% of the entity’s global gross revenue.
OK, so that is quite a lot to take in, and it presents some real challenges to businesses and public bodies – the key ones being around data management. How do you maintain Confidentiality, Integrity and Authorised Access to your data and yet comply with a minimalist approach to data gathering? If you use a third party to collect customer data, what will be your mechanism for assessing them as part of your PIA?
The best approach right now is to start planning for how these changes will affect you and your organisation. Identify your DPO and/or start training. There is a tonne of useful information and advice on the ICO’s website, so go and take a look, and maybe give them a call.
Thankfully Microsoft Azure and Office 365 have already been assessed by the EU regulators and have been certified as compliant with GDPR – so if you are thinking of adopting these technologies it might be a good time to take the leap.