The UK’s current data protection legislation is changing and will be fully in force from 25th May, 2018. The new kid on the block is called GDPR (General Data Protection Regulation). Its objective is to detail both the existing, and newly enhanced, obligations and responsibilities organisations will have regarding the handling of the data they hold on EU citizens.
If you’ve not already familiarised yourself with the changes, be warned… things are tightening up. Current legislation does not regard B2B contact information in the same way as consumer data. GDPR, on the other hand, does. Organisations that hold business contact details, therefore, are going to have to start treating it is as personal data, and they have a year to put all the processes and systems changes in place to ensure they meet their obligations. Also, in addition to this, far more onus is to be placed on entities not only adhering to the regulations, but also proving that they are doing so. So, bearing in mind the importance of this shift in emphasis, we thought it would be useful to give you some key facts about GDPR.
- GDPR applies to all organisations
If you process the personal data of an EU citizen, be it consumer or business related, GDPR applies to you; wherever you operate, across the world. So, in effect, although this is an EU initiative, it has global implications. And Brexit is irrelevant.
- The definition of ‘personal data’ is broadening further
From 25th May, 2018, any data that can be used to identify an individual will be considered to be ‘personal data’. This will include business contact information, as well as genetic, mental, cultural, economic and social information. There is little that will be left out.
- How ‘valid consent’ is obtained is tightening up
This is going to be one of the bigger challenges for organisations to face. They will need to be very clear about how an individual’s information is going to be used before consent is given. They will also need to communicate how it will be processed. And consent will need to be unequivocally obtained, rather than via an assumption it’s been given because someone has not ticked a box to remove themselves, as is currently often the case.
- The appointment of a Data Protection Officer (DPO) will be mandatory for certain organisations
Where large scale data processing takes place, by both public bodies and certain other entities, a DPO has to be appointed. The key emphasis lies with the quantity of data being processed, not the size of the organisation. So some organisations with less than ten staff may still need to appoint a DPO. The DPO’s role will be to ensure that personal data processes, systems, and storage not only conform to the law, but can also be evidenced to do so.
- Privacy Impact Assessments (PIAs) will be introduced
Where the risk of a privacy breach is high, data controllers will be required to conduct a PIA in order to facilitate taking steps to mitigate the knock on risk to individuals. Such projects involving personal data will require the PIA to be carried out in advance. And the DPO will then need to ensure compliance continues throughout the project.
- Data breach notification will be harmonised
GDPR stipulates that the local data protection authority must be notified of a data breach within 72 hours of its discovery. But the onus has shifted away from just being about ‘discovery’. Organisations will also have to ensure they have the processes (and technology, where appropriate) in place to detect breaches in the first place. This is likely to require both investment in systems changes and staff training.
- The ‘right to be forgotten’ will be introduced
Data minimisation is the concept that sits behind the ‘right to be forgotten’. Organisations will not be permitted to hold or retain data for any longer than is necessary. They will also not be permitted to change how data is used from what was originally agreed to at the time the data was collected. And if they wish to use data for a new project, fresh consent will have to be obtained. The ‘right to be forgotten’ also extends to enable an individual to request that their data is deleted in full. And an organisation MUST then carry this out.
- All organisations that ‘touch’ personal data will be liable
Responsibility will no longer only sit with the data controller of the initiating organisation. It will also sit with any organisation that uses personal data provided to them (eg. a service provider). This will include aspects such as data minimisation and deletion.
- All software, systems, and processes must include GDPR compliance by design
This is best explained via this example. All software will be required to facilitate the complete deletion of personal data. This must be an inherent part of the design.
- There will, in effect, only be one type of supervisory authority
Although every EU state will have its own authority, each will give exactly the same advice and messages under GDPR. This will make it easier for businesses to deal with queries that crop up regarding operations in different locations. For example, Ireland used to have a more relaxed data protection authority to other EU countries and thus many US companies were drawn to hosting their European base there. Now, any European data protection authority can take action against an organisation, regardless of where that organisation is based… and the fines will be significant.
If you’d like to understand more about GDPR and how it will impact your organisation, please visit this page.