Even though GDPR is fast approaching, an alarming number of businesses still aren’t taking the required steps to ensure that they’re compliant. What is more worrying is that not everyone is aware of the changes taking place, and we have less than a year before they come into force!
Here’s everything you need to know…
Who, what, why and when…
What is it?
The EU's General Data Protection Regulation (GDPR) is the result of four years of work by the EU to bring data protection legislation into line with ways of collecting and using data that the previous rules never anticipated.
Why do we need it?
Currently, the UK relies on the Data Protection Act 1998, which was enacted to implement the 1995 EU Data Protection Directive; the new legislation supersedes both. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. Because it is a regulation rather than a directive, it applies directly in every Member State, so the rules are more or less identical throughout the EU.
When will the GDPR go live?
25th May, 2018
Who does it affect?
It affects every business within all 28 EU Member States.
GDPR also applies to businesses outside the EU that process the personal data of EU residents, either because they offer them goods or services (irrespective of whether payment is required) or because the processing monitors the behaviour of EU residents in so far as that behaviour takes place within the EU.
Our company is based in the UK, do we still need to comply given Brexit?
Yes. The GDPR comes into force before the end of the two-year Brexit negotiation period, so UK firms must comply while the UK remains a Member State. Even after Brexit, UK firms that offer goods or services to EU residents, or monitor their behaviour, still need to comply.
What happens if we don’t comply?
You may be fined up to €20 million or 4% of your annual worldwide turnover (revenue), whichever is greater. You may also be subject to lawsuits by affected data subjects.
Will the fines really be enforced?
Member States retain discretion over additional penalties, including criminal sanctions, for GDPR infringements. Though it is too early to predict how different supervisory authorities (SAs) will use their powers, it seems inevitable that enforcement will vary from one Member State to another.
When can I process data under the GDPR?
Once the legislation comes into effect, controllers must ensure personal data is processed lawfully, transparently, and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted (or anonymised).
What do you mean by ‘lawful’?
'Lawful' processing means processing that rests on one of the lawful bases the GDPR lists. Firstly, processing is lawful if the subject has consented to it. Alternatively, it is lawful if it is necessary to perform a contract with the subject or to comply with a legal obligation; to protect an interest that is "essential for the life of" the subject; to perform a task in the public interest; or to pursue the controller's legitimate interests, such as preventing fraud, where those interests are not overridden by the subject's rights.
At least one of these bases must apply before you process any personal data, and you should decide and record which one you are relying on.
What data is considered ‘personal data’?
The GDPR defines personal data broadly: any information from which a person can be identified, directly or indirectly, counts, including names, email addresses, location data, IP addresses, distinguishing physical features such as tattoos, and records of online behaviour.
When can people access the data we store on them?
People can ask for access at "reasonable intervals", and controllers must generally respond within one month (extendable by a further two months for complex or numerous requests, provided the person is told why). The GDPR requires that controllers be transparent about how they collect data, what they do with it, and how they process it, and that they explain these things to people clearly, in plain language.
People have the right to access any information a company holds on them, and the right to know why that data is being processed, how long it's stored for, and who gets to see it.
What is the ‘right to be forgotten’?
This is the right of the individual to have their personal data deleted “without undue delay”, for example where data is no longer necessary for the purposes it was initially collected or processed.
Can people move their data?
Yes. Where processing is based on consent or a contract and is carried out by automated means, people have the right to receive the data they provided in a structured, commonly used, machine-readable format (such as CSV or JSON), and to have it transmitted directly to another organisation where that is technically feasible. Controllers must do this free of charge and within one month.
Can I still market to my existing customers?
Provided existing consents already meet the new standard, they remain valid; if they do not, you will need to obtain fresh consent or rely on another lawful basis. Where personal data is processed for direct marketing, the individual's right to object must be brought clearly to their attention, and an objection must be honoured.
How do I obtain consent?
In general, consent must be freely given, specific, informed and unambiguous, and given by an affirmative opt-in action (explicit consent is required for special categories of data). This means the opt-out based consent that is common today will no longer be acceptable.
What is an opt-in statement?
Consent can no longer be inferred from silence or from a failure to opt out; instead an active step (e.g. ticking a box) must be taken for it to count as consent. Companies must be able to demonstrate that the individual actually gave consent for their data to be processed, so keep a record of what was agreed to, when, and how.
The new rules state that "Silence, pre-ticked boxes or inactivity should not therefore constitute consent."
Does the GDPR apply to cold calling?
Yes. A phone number is personal data, so a cold call needs a lawful basis like any other processing. If you are relying on consent, it must have been actively given, and in every case the person can object to direct marketing at any time, after which you must stop calling them.
Management and maintenance
What happens if we suffer a data breach?
If you suffer a data breach that is likely to put the rights and freedoms of individuals at risk, you must notify the supervisory authority (the Information Commissioner's Office (ICO) in the UK) within 72 hours of your organisation becoming aware of it. Where the risk to individuals is high, you must also tell the affected people themselves without undue delay.
While you can't be expected to detail every aspect of a breach upon discovering it, you should tell the supervisory authority the nature of the breach, the categories and approximate number of people and records affected, and a contact point for further information. You should also describe the likely consequences for those people and what measures you have taken or plan to take. Information you do not yet have can be supplied in phases as it becomes available.
Do all organisations now have to appoint a Data Protection Officer?
Appointing a DPO is not compulsory for every organisation; whether you need one depends on what you do. According to the ICO, a company must appoint a DPO if it:
- Is a public authority (with the exception of courts acting in their judicial capacity)
- Carries out large-scale, systematic monitoring of individuals, such as online behaviour tracking; or
- Carries out large-scale processing of special categories of data, or of data relating to criminal convictions and offences
Any organisation is able to appoint a DPO if they wish to do so. However, even if a company chooses not to appoint a DPO because the above doesn't apply to them, they must still ensure that they have sufficient staff and skills in place to be able to carry out their obligations under the GDPR.