What is the General Data Protection Regulation?
The General Data Protection Regulation (GDPR) adds much more stringency to the legal duties of protecting, and correctly using, data that organisations hold about individuals. It also has much bigger penalties for organisations that break the law.
In the UK, it will officially be called the Data Protection Act 2018, but we will refer to it here just as GDPR. It will replace the Data Protection Act 1997 (DPA), and it comes into effect in the UK at 12am on 25th May 2018.
Note: If you are confused by some of the terminology, we’ve put together a simple GDPR Glossary of Terms for reference.
What effect does GDPR have on my business?
You must ensure that the ways you collect, store, manage, use and destroy data are all in compliance with the new regulations. You may also need to employ new staff, outsource services, or allocate new responsibilities to existing employees.
Roles and accountability
Data Protection Officer
You may need to allocate data protection responsibilities to specific employees or employ a new member of staff, depending on the size of your business and the data protection requirements placed on it. The following businesses MUST appoint a Data Protection Officer (DPO):
- Public Authorities,
- Businesses whose core activities involve large-scale, systematic monitoring and profiling activities,
- Businesses whose core activities involve large-scale processing of special categories of data such as ethnic origin, political opinions or religious beliefs.
DPOs can be employed or outsourced but must report to the highest level of management.
Data Controller
Under GDPR the Data Controller is the person or entity within an organisation that has responsibility for compliance. A Data Controller is the “… natural or legal person, public authority, agency or any other body, who determines the purposes and means of the processing of personal data.”
Data Processors
The old law does not apply to pure data processors, i.e. service providers who only deal with data as directed by their customer, only applying to data controllers. For example, if you are a mailing house that accepts data from a client for generating mailshots (traditional mail or email), GDPR introduces direct rules and accountabilities for you, including,
- Keeping records of data processed,
- Designating a Data Protection Officer (where required),
- Notifying the Data Controller where there has been a breach.
Under GDPR, data controllers can only use data processors, “providing [that there are] sufficient guarantees to implement the appropriate technical and organisational measures so that the processing meets the requirements of GDPR and ensures the protection of the rights of data subjects.”
Accountability
This is all about considering (and demonstrating that you have considered and managed) data protection risks. You must have clear policies in place to show that you meet the required standards and you should establish a culture of monitoring, reviewing and assessing your data processing procedures.
Privacy Impact Assessments
Businesses are required to carry out a data protection impact assessment when they intend carrying out any processes that use new technology likely to result in a high risk to data subjects. This is especially necessary when there will be automated processing (including profiling), and from which decisions result that affect the data subject, and for large scale processing of personal data.
The principle of Privacy By Design
Businesses must take data protection requirements into account from the inception of any new technology, product, or service that involves the processing of personal data. There is also an ongoing requirement to keep those measures up‑to‑date.
Notification
The old DPA requires an organisation to notify (register and pay a fee) the ICO that they will be processing personal data. This is no longer a requirement under GDPR, replaced by an obligation on the Data Controller and Data Processor to maintain detailed documentation. They must record:
- Processing of records,
- Data locations,
- The purpose of processing,
- The lists of data subjects used,
- The categories of data,
- The security procedures.
If you have fewer than 250 employees, the requirements are less onerous. You only need to comply if your processing is, “… likely to result in high risk to individuals, the processing is not occasional, or includes sensitive personal data.”
Employee data
Because the processing of employee data inevitably means “sensitive personal data”, there will be an obligation on all organisations to maintain proper documentation, no matter what their size.
Where does GDPR apply?
Old data protection laws apply if you are located in the EU, or make use of equipment located in the EU, such as servers. GDPR applies globally, if you offer goods or services to EU residents or if you monitor their behaviour (or keep records about them).
If you want to transfer data beyond the EU (for example, if you use a server based in the US to do your email marketing), you need to ensure that the destination country has been recognised as having “adequate or equivalent” data protection regulations. You will also have to ensure that suitable safeguards are in place to ensure the protection and security of the data you are transferring.
Obligations and penalties when in breach
GDPR removes the requirement for registration and associated fees. This also means, however, that the Information Commissioner’s Office loses their main source of income. So in turn this will probably make them keener to catch organisations in breach and fine them (because they get a share of the fine)!
Under the old legislation there is no requirement to notify the ICO should you suffer a data security breach. This changes under GDPR, with a requirement to report data security breaches. These must be reported to:
- Data Controllers (if a Data Processor breaches),
- Regulators (if a Data Controller breaches and the result is a risk to the rights and freedoms of individuals). This must be done “without undue delay (within 72 hours of discovery if feasible)”,
- Affected Data Subjects, for example where the breach could leave them open to financial losses. If the risk is high, this notification must be made “without undue delay.”
Penalties
Fines across the EU for a Data Protection Breach vary greatly. The UK has had a maximum fine of £500,000 for a breach of the DPA. Some of the stated goals of GDPR, however, are to ensure that fines are consistent across national borders and to impose a significant increase in penalties, to emphasise the importance of good data management and security.
The new fines are to be split across two tiers:
- Up to 2% of worldwide turnover in the preceding financial year or €10m (whichever is the greater) for violations relating to internal record keeping, data processor contracts, data security and breach notification, data protection officers and data protection by design and default,
- Up to 4% of annual, worldwide, turnover of the preceding financial year or €20m (whichever is the greater) for violations relating to breaches of the data protection principles, conditions for consent, data subjects rights and international data transfers.
The Information Commissioner’s Office also has increased enforcement powers and grounds for seeking judicial remedies under GDPR, including a power to carry out audits and to require (demand) information be provided and to enter and search premises.
Practical steps
Note: these aren’t in a specific order, but intended as a practical checklist. The headings are just for ease of reading—many subject areas overlap.
Strategic:
- Identify all existing data systems and all personal data you process.
- Develop, and implement, a policy on data storage and retention.
- Train staff on their data protection responsibilities.
- Put internal reporting procedures in place, have an internal breach register and train staff on notification and use.
- Develop and implement a data breach response plan and have templated notifications so that staff can act promptly.
- Review existing compliance programs and update/expand as required to meet the new requirements.
- When using Data Processors, review contracts. Ensure they undertake to be compliant and that you include terms relating to immediate notification of any data breach.
- Consider GDPR compliance when developing new technologies, services and goods, and keep clear records.
Internal processes:
- Ensure you have clear records of all data processing activities and that the records are available.
- Ensure all policies and procedures are available and written in clear, concise and easily understood language.
- Examine Human Resources’ processes, employment contracts, handbooks and policies, especially privacy notices and other “fair processing” information given to employees; is consent properly acquired?
Outbound:
- Assess whether your organisation uses consent correctly, to justify data retention and processing.
- Consider how you will gain consent for the use of the data you hold for advertising, marketing and/or social media purposes.
- Examine your privacy notices: update them as necessary.
Resourcing:
- Ensure that you have the resources allocated to plan and implement GDPR requirements and make any required changes.
- Consider appointing a Data Protection Officer.
- Ensure that you can respond to Subject Access Requests within one month (note that you can no longer charge an admin. fee under the GDPR).
A word on IT
Ensure your IT support provider is fully conversant with GDPR, and understands how it affects your own IT infrastructure, specifically.
The ultimate, legal responsibility remains yours, but the technology you use must be kept sufficiently secure, and correctly deployed. Changes may be necessary, for example, improving storage security, using strong encryption when moving data, and reducing the access individual users have to sensitive parts of your network.
If you are at all worried, have the conversation as soon as possible—don’t leave it until the last minute.
In conclusion…
GDPR has a wide-reaching effect on most businesses, both large and small, as it applies to every organisation that uses personal data in any way, and even to some individuals.
Within GDPR there are many as-yet-undefined terms, such as what counts as “large scale” and what is “new technology” and it is likely that these will only be determined as part of case law i.e. when a company is prosecuted for a suspected breach and their defence (or prosecution) need an accurate description of such terms.
Useful links
- The Information Commissioner’s Office’s site about GDPR
- The ICO’s useful leaflet: “Preparing for the General Data Protection Regulation (GDPR) 12 Steps to Take Now“, which provides more helpful advice.
- Our own short GDPR Glossary of GDPR terms for reference.
Disclaimer
Bristol IT Company is an IT support and software development organisation: we are not lawyers! As a consequence this article must only be considered a layman’s guide to GDPR.
If in any doubt, obtain competent legal advice to ensure that your business is in compliance.
Remind me again: when does GDPR happen?
It’s in effect from 12am 25th May 2018.
At the time of writing (12/3/18), the bill is still in its second “committee” stage in the House of Commons, however no more significant changes are expected and Royal Assent is predicted to be given before the end of March (meaning it then becomes law).