The European Union’s General Data Protection Regulation (GDPR) is the most significant change to data privacy regulation in over two decades. Are you prepared for it? If the answer is no and you handle other people’s personal data, you had better get a move on: educate yourself and take the necessary steps to avoid hefty fines before the GDPR comes into force across all EU member states on 25 May 2018. Read on to gather ideas, tactics and strategies on how to tackle it and be GDPR-ready.
The EU Parliament spent over four years discussing and negotiating the GDPR before approving it on 14 April 2016, with enforcement set for 25 May 2018. From that date, any organisation that operates within the European Union (EU), or that handles the personal data of individuals in the EU, and fails to comply with the regulation could face heavy fines and orders restricting or banning its processing of personal data.
The GDPR is a new set of rules governing the privacy and security of personal data. It aims to harmonise data privacy law across Europe, to protect and empower the data privacy of everyone in the EU, and to reshape the way organisations approach data privacy. It replaces the 1995 Data Protection Directive, on which the current UK law (the Data Protection Act 1998) is based.
What’s the point of GDPR?
The new rules are designed to give people in the EU control over how their data is processed and used, and to simplify the regulatory environment by applying one law across all member states. In Europe privacy is a fundamental right: the GDPR is about protecting the rights and freedoms of individuals and ensuring their data is not exposed to unnecessary risk or misused, so the twin concepts of privacy and security are what it has been built around.
‘Brexit’ is happening, should you still prepare?
You will still need to comply with the GDPR if you process data about individuals in EU member states, for example by selling goods or services to them or monitoring their behaviour online. If you only deal within the UK, the position after the UK’s exit from the EU is less clear, but the British government has indicated it will implement equivalent legislation, the Data Protection Bill, which is expected to largely mirror the GDPR.
Are small/micro companies going to be impacted?
Yes. Any individual, organisation or company that handles personal data, meaning anything that can be used to identify a person (name, address, IP address or other online identifiers), or special-category data such as religion, political views, sexual orientation, health or biometric data, will need to comply with the GDPR, regardless of its size.
What organisations must do
There are several things organisations have to do in order to comply with the GDPR, including…
- Keep records of all processing of personal information by mapping and auditing data flows, so the organisation knows what personal data it holds, where it is stored, where it is sent, why it is processed and how
- Cross-border transfers – establish and put in place safeguards for transfers of personal data outside the EU, so you can determine how best to transfer data safely to other jurisdictions
- Apply and maintain strong data security to prevent data theft or loss. Keeping anti-virus software up to date is the bare minimum; the regulation expects measures appropriate to the risk, such as encryption or pseudonymisation of personal data, access control, patching, and the ability to restore data and access after an incident
- Only collect personal data that is required and relevant for a stated purpose, seek appropriate consent (or rely on another lawful basis) and notify people of your processing activities. You must have a justifiable reason for collecting a person’s data; you cannot collect it just in case there is a small chance you might need it one day
- Parental consent is needed to collect data from children under 16 in most EU countries, but member states may lower the threshold to as low as 13
- Consult with the regulator before certain high-risk processing activities: if a Data Protection Impact Assessment shows a high risk you cannot mitigate, you must consult the supervisory authority first, which in the UK means contacting the Information Commissioner’s Office (ICO)
- Provide data protection training to people with permanent or regular access to other people’s personal data
- Conduct a Data Protection Impact Assessment (DPIA) on new processing activities that are likely to be high risk, so that risks to individuals are identified and mitigated before processing begins
- Implement data protection by design and by default: build data protection in from the outset when designing systems, and implement appropriate technical and organisational measures such as collecting only the data you need and pseudonymising it where possible
- Third-party processors – you remain responsible for the security and processing activities of third parties working on your behalf, so make sure processors such as health insurance, pension, payroll and other vendors or service providers are GDPR-compliant and that a written contract sets out their obligations
- Data Protection Officer – consider appointing a Data Protection Officer if your organisation processes a high volume of personal and/or sensitive data. Public authorities, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organisations that process special categories of data on a large scale must appoint one. (The oft-quoted 250-employee figure relates to the record-keeping exemption for small organisations, not to the DPO requirement)
- Be prepared to demonstrate that your organisation is compliant with the GDPR on demand: the ICO can request information and evidence of how you process personal data at any time, and you must be able to provide it
- In the event of a personal data breach that is likely to result in a risk to individuals, you must notify your country’s data protection authority, which in the UK is the Information Commissioner’s Office (ICO), within 72 hours of becoming aware of it, and where the risk is high you must also notify the affected individuals without undue delay.
Power to the people
The primary aim of the GDPR is to give power and control back to the people over their personal data, so this law allows individuals to…
- Withdraw consent for processing – organisations must make it as easy to withdraw consent as it was to give it, and cannot bury the choice in hard-to-understand terms and conditions full of legal jargon
- Access their data – a person can request a copy of the data a company holds on him/her, and the company must provide it (electronically, if the request was made electronically) free of charge in most cases and within one month; the individual can then ask for anything inaccurate to be corrected
- Data portability – individuals can ask to receive their data, or have it transferred from one organisation to another, so they can obtain and reuse their personal data for their own purposes across different IT environments; it must be provided in a structured, commonly used and machine-readable format that is easy to transfer, such as a CSV file
- Right to be forgotten – individuals can request that their information be deleted when there is no longer a justifiable reason to keep hold of it
- Object to automated decision-making and profiling – individuals have the right not to be subject to decisions made solely by automated means, without any human involvement, that have legal or similarly significant effects on them; this includes profiling, where automated processing of personal data is used to evaluate aspects of an individual and may feed into such a decision.
What regulators can do
The regulator in each member state will have powers to take action where needed; in the UK’s case, the Information Commissioner’s Office (ICO) can…
- Ask for records of processing activities and proof of the steps taken to comply with the GDPR
- Impose temporary or permanent bans on processing, order an organisation to notify affected individuals of a data breach, or order the rectification or deletion of personal data
- Suspend cross-border data flows
- Enforce penalties of up to €20 million or 4% of annual global turnover (whichever is greater) for the most serious infringements, with a lower tier of €10 million or 2% for others.
Impact of GDPR on businesses
- Commercial data use restriction – the GDPR restricts what businesses can do with personal data to extract commercial benefit.
- Compliance spending – changes to operational processes and data structures can mean a huge compliance bill.
- Increased trust and confidence – implementing the GDPR strengthens customer choice and confidence, while the reputational risk of a data breach now carries huge financial and brand-damage implications for organisations
- Safeguarding consumer data rights – in the long term the GDPR is a necessary step to legally safeguard data protection rights in a digitised world
- Loss of customers and trust – being found non-compliant with the GDPR signals to customers that risks to their data may exist, and may cost you their business.
Only 34% of websites in the EU are compliant
Recent research by vpnMentor (the web privacy experts) found that approximately 66% of websites in the EU are not GDPR-compliant. Unsurprisingly, Germany leads with the highest share of websites that meet the GDPR standard (67%), while the UK pales in comparison at only 31%. The full report is available from vpnMentor.
10 ways you can take action now
- Assign a dedicated individual (or team) to focus on GDPR – it doesn’t have to be a full-time role, but there needs to be someone whose job it is to own GDPR
- List every system that houses personal data – record what data resides in each, who it is shared with, who has access to it, how long it is retained and for what purpose it is used
- Determine whether you are a data controller (the entity that decides the purpose and manner in which personal data is, or will be, used) or a data processor (the person or organisation that processes the data on behalf of the controller; processing includes obtaining, recording, adapting or holding personal data)
- Understand the transfer of data between you and third parties – your third parties might be processors such as vendors or marketing companies, so you need to know where data flows between you and the other party, have the right requirements in the contract, and be very clear about the controller/processor relationship
- Document the personal data collected in each system – you need to be able to drill in and know all the data elements and start documenting them; things like dietary requirements and HR benefits will only surface when you drill down to a much deeper level
- Determine whether data can be deleted (right to be forgotten) – you need to know which data can be deleted automatically, which other copies (backups, exports, third-party systems) also hold it, and how the right-to-be-forgotten requirement can be met in practice
- Determine whether data can be ported (data portability) – think about where you are today in being able to extract a person’s data into an easily readable format such as a CSV file; you also need a business process to back up the technical capability
- Consent: be able to prove that a user opted in to marketing programmes – you will have to document and provide evidence of the consent path by audit-tracking when a person opted in or out and what they were told at the time; the opt-in checkbox cannot be ticked by default, the decision to opt in has to be an affirmative act by the individual concerned
- Review security controls and determine what gaps exist – as you identify the data elements held in different systems, think about how those systems are protected and who has access to them; that is the moment you will spot the security gaps and can begin planning how to remediate them
- Review the data breach plan – you need to be able to report breaches to the regulator within 72 hours of becoming aware of them. Whether you are a data controller or a data processor, it is critical to know your responsibilities to your partner controller or processor; a processor must notify its controller without undue delay so the controller can meet the deadline.
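The consent-evidence and data-portability items above are easier to reason about with a concrete model. What follows is an added Python example, not code from the original article: an append-only consent ledger that refuses pre-ticked opt-in boxes, answers "did this person have consent on this date?" from the event history, and exports a subject's profile and consent trail as CSV. The purpose name `marketing_email`, the `signup_form` and `preference_centre` sources, the notice-version field and the sample records are all assumptions made for the illustration.

```python
"""Consent audit trail plus a data-portability export (added illustration).

Assumptions, not from the article: purposes are plain strings such as
"marketing_email"; profile data is a flat dict; all timestamps are UTC.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable record of an individual opting in or out of a purpose."""
    subject_id: str
    purpose: str            # what the data is used for, e.g. "marketing_email"
    granted: bool           # True = opt-in, False = withdrawal
    recorded_at: datetime   # when the choice was made (UTC)
    source: str             # where it was captured, e.g. "signup_form"
    notice_version: str     # which privacy wording the person actually saw


class ConsentLedger:
    """Append-only log of consent events. Nothing is edited or deleted, so the
    history itself is the evidence a regulator can ask for."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record_opt_in_form(self, subject_id: str, purpose: str, *,
                           box_prechecked: bool, box_ticked: bool,
                           recorded_at: datetime, notice_version: str) -> ConsentEvent | None:
        """Turn a submitted form into a consent event.

        A box ticked by default is not an affirmative choice, so such a form is
        rejected outright instead of being recorded as consent. An unticked box
        yields no event at all: silence is not consent."""
        if box_prechecked:
            raise ValueError("opt-in box was pre-checked; consent cannot be inferred")
        if not box_ticked:
            return None
        event = ConsentEvent(subject_id, purpose, True, recorded_at, "signup_form", notice_version)
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, recorded_at: datetime,
                 source: str = "preference_centre") -> ConsentEvent:
        """Withdrawal is just another appended event; it must be as easy as opting in."""
        event = ConsentEvent(subject_id, purpose, False, recorded_at, source, "n/a")
        self._events.append(event)
        return event

    def events_for(self, subject_id: str) -> list[ConsentEvent]:
        """Every event for one person, oldest first (used by access/portability requests)."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.recorded_at)

    def evidence(self, subject_id: str, purpose: str) -> list[ConsentEvent]:
        """Full opt-in/opt-out trail for one person and one purpose."""
        return [e for e in self.events_for(subject_id) if e.purpose == purpose]

    def has_consent(self, subject_id: str, purpose: str, at: datetime | None = None) -> bool:
        """Consent status is decided by the latest event on or before `at`.

        Answering "as of a date" is what lets you prove a mailing sent last month
        was lawful even though the person has since opted out."""
        at = at or datetime.now(timezone.utc)
        trail = [e for e in self.evidence(subject_id, purpose) if e.recorded_at <= at]
        return bool(trail) and trail[-1].granted


def export_subject_data(subject_id: str, profile: dict[str, str], ledger: ConsentLedger) -> str:
    """Portability export: profile fields and consent history as CSV, a structured,
    machine-readable format another provider can import."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["record_type", "field", "value", "recorded_at", "source"])
    for field_name, value in profile.items():
        writer.writerow(["profile", field_name, value, "", ""])
    for e in ledger.events_for(subject_id):
        writer.writerow(["consent", e.purpose, "granted" if e.granted else "withdrawn",
                         e.recorded_at.isoformat(), e.source])
    return buf.getvalue()


def demo() -> dict[str, object]:
    """Walk one constructed subject through opt-in, withdrawal and export."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2018, 3, 20, 18, 30, tzinfo=timezone.utc)
    ledger.record_opt_in_form("user-42", "marketing_email", box_prechecked=False,
                              box_ticked=True, recorded_at=t0, notice_version="2018-02")
    ledger.withdraw("user-42", "marketing_email", recorded_at=t1)
    # A pre-ticked form must be refused, and an unticked one leaves no trace.
    try:
        ledger.record_opt_in_form("user-43", "marketing_email", box_prechecked=True,
                                  box_ticked=True, recorded_at=t0, notice_version="2018-02")
        prechecked_rejected = False
    except ValueError:
        prechecked_rejected = True
    unticked = ledger.record_opt_in_form("user-44", "marketing_email", box_prechecked=False,
                                         box_ticked=False, recorded_at=t0, notice_version="2018-02")
    return {
        "consent_on_10_march": ledger.has_consent("user-42", "marketing_email",
                                                  at=datetime(2018, 3, 10, tzinfo=timezone.utc)),
        "consent_now": ledger.has_consent("user-42", "marketing_email"),
        "trail_length": len(ledger.evidence("user-42", "marketing_email")),
        "prechecked_rejected": prechecked_rejected,
        "unticked_recorded": unticked is not None,
        "export_csv": export_subject_data("user-42", {"name": "A. Example",
                                                      "email": "a@example.test"}, ledger),
    }


if __name__ == "__main__":
    print(demo()["export_csv"])
```

The design point is that consent is stored as events rather than as a single boolean column: a flag that gets overwritten cannot tell you when consent was given, what wording the person saw, or whether they had consented at the moment a particular e-mail went out, which is exactly what the evidence requirement asks for.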
I hope you found this article interesting, informative and useful, and that it has helped you better understand and prepare for the incoming GDPR. If you want to go further, I have also recorded a presentation on the topic, and there is plenty of further GDPR reading to expand your knowledge.
Nazrul Hoque – 01 April 2018