From 25 May 2018, the EU General Data Protection Regulation, or GDPR, will come into play for organisations in the EU. This means all UK businesses that process personal data of any residents based in the EU will need to be compliant with the new GDPR regulations by this date.
A Summary: What is the GDPR?
The GDPR replaces the current Data Protection Act, due to the rising necessity for online security and privacy. The GDPR has a much wider scope than the current DPA. In essence, the GDPR extends the rights of individuals to their personal data, which means that any organisations handling personal data must stick to strict procedures in order to protect personal data, and ensure they adopt new measures to keep data secure.
The GDPR was set by the EU council back in April 2016, and will come into force 25 May 2018.
Overall, it’s a very long document that sets out requirements for organisations and EU member states on data protection, but the main aim is to enable individuals to control any personal data. It also makes provision for an EU Data Protection Board to be created.
Key Themes of the GDPR
Overall, the key themes of the GDPR cover the following:
The creation of a single set of established rules across the EU and beyond Europe to comply to
Non-EU companies that do business in the EU will still need to comply.
– A broader definition of what personal data includes
More data now comes under the definition of personal data. Essentially, any data that can be used to identify a person now comes under this.
– Obtaining consent has changed and consists of new regulations
Consent needs to be clear and simple, and should be explicitly stated rather than silence meaning someone agrees.
– Privacy by design – new processes must keep this in mind
The privacy in your service or product should be built from the beginning, not just as an after thought.
– Data breach notifications have new requirements, meaning you will need to notify customers over any breaches
You will be required to report any data breaches to data protection authorities within 72 hours of becoming aware of it. Data subjects must be notified where risks to them are high.
– “The right to be forgotten” is essential for data subjects
You must give data subjects the opportunity to be forgotten or wiped from your system, and follow through with this.
– The need for consent when processing data of children
In order to process data of children, parental consent is needed for under 16s, or possibly 13 if the EU changes this.
– For particular companies, nominating a data protection officer (DPO) is essential
DPOs are needed for all public authorities, and when there is monitoring of data subjects on a large scale.
– Mandatory Data protection impact assessments will become a requirement
Your organisation must adopt a risk-based approach before any high risk data processing. You will need to have privacy impact assessments if your privacy breach risks are high.
– New regulations for international data transfers
You need to know the risks when it comes to transferring data outside of the EU.
– Data processors now have a shared responsibility for the protection of personal data
Data processors can be held liable for any breaches, with direct legal obligations.
– Data portability has new requirements
Data subjects should be able to request a copy of their own data in a suitable format and transfer it to other processing systems.
For more detail, you can read the final regulation text over on the Official Journal of the EU.
These themes cover the broad aspects of what the GDPR is trying to achieve, but it’s worth reading to see exactly what will impact your business.
For instance, when it comes to the right to be forgotten, it isn’t quite as simple:
Right to erasure (‘right to be forgotten’)
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or
her without undue delay and the controller shall have the obligation to erase personal data without undue delay where
one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise
processed;
4.5.2016 EN Official Journal of the European Union L 119/43
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or
point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds
for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which
the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in
Article 8(1)
You can see how some of these regulations are more complex than you may realise. So it’s essential to go through the document and ensure you will meet the requirements.
Why does my business need to comply with GDPR?
Penalties are much tougher than before. And with data breaches being very common, and the growing severity and scale of security breaches, it has never been more vital to protect the data of your customers.
But the UK is leaving the EU due to Brexit. I’m not affected, right?
Wrong. Despite the fact the UK will be going ahead with Brexit, the government has stated that GDPR will still affect UK businesses, alongside any other organisations that store, manage or process consumer data.
Any organisation found to be in breach can be fined around €20 million or 4% of annual turnover worldwide for a big breach of customer information. Whichever is more. This could obviously lead to the insolvency of businesses everywhere.