GDPR – What is it and what do we need to do?
GDPR may be considered a new regulation, but really it is simply a much needed update to the Data Protection Act (1998), which was based on EU law from 1995 – some 23 years ago!
Think back to what you might have been doing in 1995 – I was working in my first ‘real’ job as export sales and marketing manager for Bridgedale UK Ltd; the internet was in its infancy and we had constant debates about whether it would ever take off; we had one computer for the sales team of four people, and one email address, sales@…, which we shared. I had a portable word processor which I had bought to complete my dissertation a couple of years earlier, which was good for typing at least…
So the evolution of the internet, as well as major advances in technology (I mean, social media… what even was that? Reality TV shows hadn’t begun to dominate as they do now), means that the way we communicate, and the way in which individuals and organisations share information, has changed massively between then and now, and the old DPA rules and regulations have become obsolete.
Before we look at the impact of GDPR, the facts we currently know, and the steps we need to take to be compliant, I feel it is important to remember that GDPR is coming into effect to protect us – who hasn’t had a nuisance call from a company which bought your data from another company, which in turn bought it from a third party four times removed? How many of us have been a victim of some sort of identity fraud or hack in the past five years?
So, with that in mind, what do we know? Please note that the below is only a basic framework, and does not capture all requirements, just those which I think are most relevant. I would like to take this opportunity to extend my thanks to Christian Mancier of Gorvins Solicitors in Stockport for all of his insight and expertise, and would highly recommend that you seek expert advice when reviewing your own organisation’s GDPR compliance.
The EU General Data Protection Regulation (GDPR) comes into effect in the UK on 25th May 2018
- There is no transitional period – it starts from this date.
- Whether the UK is inside or outside the EU on this date, or in future, makes no difference whatsoever – GDPR applies to any organisation, wherever it is based, that offers goods or services to, or monitors the behaviour of, individuals in the EU, and it will continue to apply in the UK regardless of Brexit. I say ‘interact’ rather than ‘trade’ because GDPR covers communication with individuals whether it is paid for (trading, for example) or free (those maddening market research polls, for example).
The major changes in GDPR compared with the DPA
- Fines for non-compliance are being increased from the DPA’s current £500,000 maximum to €20m or 4% of global annual turnover, whichever is greater!
- Compliance must be demonstrated by organisations rather than being taken for granted
- Organisations are subject to audit by the ICO to prove their compliance
- The compulsory breach notification clause is new and important
- The wider geographic scope mentioned above means that any organisation dealing in any way with the EU must comply
- Individuals have enhanced rights (the right to be forgotten for example)
So, what constitutes data?
It’s not just paper or computer files… data is any information which is processed wholly or partly by automated means, or recorded with the intention that it will be, or which forms (or is intended to form) part of a filing system.
So think about all the different ways in which you hold information about your clients, ‘prospects’ and staff, bearing in mind that CCTV footage, videos and photographs are also data.
Personal data means any ‘data’ relating to a living individual who can be identified from it, directly or indirectly – by a name, an ID number, location data, an online identifier such as an IP address or cookie ID, or a combination of factors…
The eight principles
A note on the count: GDPR itself (Article 5) sets out six principles plus an overarching requirement of accountability. The familiar eight DPA principles are listed here restated in GDPR terms; the sixth and eighth are dealt with in GDPR through the chapters on individuals’ rights and international transfers rather than as Article 5 principles.
Data must be…
- Processed fairly, lawfully and transparently
- Collected for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes
- Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- Accurate and, where necessary, kept up to date
- Kept in a form which permits identification of the data subject for no longer than is necessary
- Processed in accordance with the data subjects’ rights
- Processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures
- Not transferred outside the EEA (to a ‘third country’ or international organisation) unless the Regulation’s conditions for international transfers are met
New concepts in GDPR
- compliance must be documented and demonstrable
- consent must be freely given, specific, informed and unambiguous, given by a clear affirmative action (no pre-ticked boxes or silence), and “un-bundled” from other terms and conditions
- records of processing activities must be kept, and kept up to date
- Enhanced rights – “delete it / freeze it / correct it”
  - includes an individual’s right to be informed, of access, of rectification, of erasure, to restrict and/or object to processing, and to data portability
- Breach notifications
  - certain breaches must be reported to the ICO within 72 hours (note, not 72 working hours) of the organisation becoming aware of them; the exception is a breach that is unlikely to result in a risk to individuals’ rights and freedoms, and if notification is late the reasons for the delay must be given
  - where the breach is ‘high risk to the rights and freedoms of the individual’, the individuals concerned must also be notified without undue delay
- Data processors
  - data controllers (your organisation) must use only data processors (any third-party suppliers who process personal data on your behalf) that provide sufficient guarantees of compliance, and the arrangement must be set out in a written contract
  - sub-processors may only be used with the prior written authorisation of the data controller
  - a data processor which goes beyond the controller’s instructions and decides the purposes and means of processing for itself is treated as a data controller for that processing
  - there is a two-tier system of fines… 1st-tier infringements face fines of up to the higher of €10m or 2% of global annual turnover, and 2nd-tier infringements attract double that level
- Data Protection Officer
  - certain organisations must appoint a DPO; the test is what you process, not your size – public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special-category or criminal-offence data, all need one, SME or not
- Registration and fees
  - no registration (notification) is required under GDPR; however, an annual data protection fee will be levied on most data controllers under regulations made under the Digital Economy Act 2017 (some exemptions apply)
  - the proposal is a 3-tier system of fees ranging from £55 to £1,000 per annum
GDPR – Immediate next steps from the ICO
The ICO has published a 12-step guide, ‘Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now’, covering the areas below; the full guide can be downloaded from the ICO website.
- Awareness
  - do all your key people understand GDPR?
- Information you hold
  - time for a data audit – what/where/how/who?
- Communicating your privacy information
  - review your current notices for compliance and amend accordingly
- Individuals’ rights
  - do your existing procedures cover all the new rights of individuals?
- Subject access requests
  - review your existing processes to cope with the new timelines (one month rather than 40 days, and normally free of charge)
- Lawful basis for processing
  - once identified, update your privacy notices to reflect the legal basis for your processing
- Consent
  - review and amend how you seek, record and manage consent
- Children
  - do you need to update any processes or information in relation to children?
- Data breaches
  - design, communicate and implement procedures to detect, report and investigate any breaches
- Data protection by design and Data Protection Impact Assessments
  - familiarise yourself with the ICO’s code of practice
- Data Protection Officers
  - designate someone in the organisation to take responsibility for data protection, whether or not you are required to formally appoint a DPO
- International
  - if you operate in more than one EU member state, you will need to determine your lead data protection supervisory authority.
That’s GDPR as we understand it, in a nutshell. As I’ve said above, it is important that the 25th May deadline is met, so if you haven’t yet started working on your plan, now is the time to do so.