An Introduction to the GDPR
The EU General Data Protection Regulation (GDPR) will be enforced from 25 May 2018. It affects all organisations that hold personal data on EU citizens, regardless of where in the world the organisation is based. Implementing a data protection strategy that includes encryption and anti-malware security is vital. GDPR contains a whole range of new rules that companies may need to enact to achieve compliance, and the fines for non-compliance are strict: your business may be fined up to 4% of global annual turnover for the previous financial year or €20 million, whichever is greater.
Loosely speaking, any organisation that holds data about any resident of the EU is expected to comply.
GDPR was adopted as an EU law in April 2016 but will take effect in May 2018. Amongst other things, GDPR deals with the data you collect in the first place, how you tell people what you are going to do with it, what you actually do with it, how you store it securely, whom you allow to access it, and – the part that seems to attract the most interest and attention – what happens if you fail to comply. Falling foul of GDPR means the possibility of a fine, and GDPR fines can go significantly higher than most laws that existed around Europe before GDPR came in.
In short: GDPR will standardise data protection across the EU; if you do business in Europe you almost certainly need to comply; the law may seem onerous, but in a world with as many breaches as we have seen in recent years, it seems like just the sort of regulation we need; and you can expect to end up in hot water if you don’t comply.
GDPR applies in the UK and will continue to apply post-Brexit, as the current UK government plans to pass legislation that essentially mirrors the EU GDPR.
What do I need to do?
- Be aware. It’s not enough for CEOs, IT staff and compliance officers to be aware of what GDPR requires. Employees from the top to the bottom of an organization need to be extensively educated on the regulation’s importance and the role they have to play.
- Be accountable. Companies must make an inventory of all personal data they hold and ask the following questions: Why are you holding it? How did you obtain it? Why was it originally gathered? How long will you retain it? How secure is it, both in terms of encryption and accessibility? Do you ever share it with third parties and on what basis might you do so?
- Communicate with staff and service users. This is an extension of being aware. Review all current data privacy notices alerting individuals to the collection of their data. Identify gaps between the level of data collection and processing the organization does and how aware customers, staff and service users are.
- Protect privacy rights. Review procedures to ensure they cover all the rights individuals have, including how one would delete personal data or provide data electronically.
- Review how access rights could change. Review and update procedures, and plan how subject access requests will be handled within the new timescales.
- Understand the legal fine print. Companies should look at the various types of data processing they carry out, identify their legal basis for carrying it out and document it.
- Ensure customer consent is ironclad. Companies that use customer consent when recording personal data should review how the consent is sought, obtained and recorded.
- Process children’s data carefully. Organisations processing data from minors must ensure clear systems are in place to verify individual ages and gather consent from guardians.
- Have a plan to report breaches. Companies must ensure the right procedures are in place to detect, report and investigate a personal data breach. Always assume a breach will happen at some point.
- Understand Data Protection Impact Assessments (DPIA) and Data Protection by Design and Default. A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. It will allow organizations to identify potential privacy issues before they arise, and come up with a way to mitigate them.
- Hire data protection officers. The important thing is to make sure that someone in the organization or an external data protection advisor takes responsibility for data protection compliance and understands the responsibility from the inside out.
- Get educated on the authorities administering GDPR. The regulation includes a “one-stop-shop” provision to assist organisations operating in several EU member states. Multinational organisations will be entitled to deal with one data protection authority, the Lead Supervisory Authority (LSA), as their single regulating body in the country where they are mainly established.
The full legislation text is available as a 261-page PDF.