The way that data is managed, stored, collected and used is being overhauled. New European law comes into effect on 25 May 2018. If you own, control or collect personal data, you need to know how the General Data Protection Regulation affects you. The GDPR is the new data protection law covering Europe. It replaces the 1995 Data Protection Directive, which is currently in force in the UK through the Data Protection Act 1998.
Within the General Data Protection Regulation there are large changes for individuals, businesses and organisations that handle personal information. The intention is to "harmonise" data privacy laws across Europe, giving individuals greater protection and stronger rights.
What is going on?
In April 2016, the General Data Protection Regulation was adopted by the European Parliament and the Council of the European Union, after more than four years of discussion and negotiation. Following publication in the Official Journal of the EU in May 2016, businesses and organisations were given a two-year preparation period to make the necessary changes before the May 2018 enforcement date.
The General Data Protection Regulation (GDPR) will apply in the UK from 25 May 2018. The government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR.
Who does it apply to?
The General Data Protection Regulation applies to all industries and organisations that process personal data, across both the public and private sectors. It also applies to organisations based outside the EU if they offer goods or services to people in the EU or monitor their behaviour.
When is this happening?
The General Data Protection Regulation will come into effect on 25 May 2018.
SMEs and the General Data Protection Regulation
The most common area that SMEs will have to account for is consent. Where consent is the lawful basis for processing, companies must keep a thorough record of how and when an individual gave consent to store and use their personal data.
Valid consent requires a clear, affirmative action by the individual. Consent inferred from pre-ticked boxes, silence or unclear wording will not meet the new regulation. Consent must be as easy to withdraw as it was to give, and the record of it must be documented and available for audit. Questions to be able to answer:
- How did you gain consent?
- How can individuals withdraw consent?
- What data do you hold?
- Why do you hold the data?
- Where do you store the data?
- How is your data collected?
- How will you demonstrate compliance?
- How will you record and report any data security breaches?
What do I need to do?
Time is running out. If you have not yet reviewed your privacy and data collection practices, internal systems, partnerships and security, you need to act now. Businesses need to ensure they meet the security requirements imposed by the General Data Protection Regulation.
There are large fines and penalties for non-compliance: as much as 4% of global annual turnover.
Compliance is not gained simply by implementing software or new technology. Businesses must look at everything they do with data and their entire business practice, making sure every consideration is met. We have listed below a handful of key action points; it is crucial, however, to make sure that your business is doing the right thing with the data it controls.
- Understand how data moves around your business, including associated processes.
- Understand what new data types and category changes apply to your business.
- Develop a specific work stream dedicated to reviewing and documenting data security.
- Identify and resolve issues within your security architecture.
- Develop a proactive security process to detect and mitigate data leaks.
- Monitor and audit security processes to stay on top of regulatory requirements.
- Adjust internal systems to account for new data types and categories.
- Consider working with an independent Data Protection Officer (DPO) to ensure your data protection systems and policies are correct.
The Information Commissioner's Office (ICO) is the UK's independent authority set up to uphold information rights in the public interest. It has provided an overview of the key themes of the General Data Protection Regulation to help organisations understand the new law. The summary below, drawn from that overview, is intended for those who have day-to-day responsibility for data protection.
Fines
Supervisory authorities can impose fines of up to 4% of an organisation's global annual turnover, or €20 million, whichever is higher.
Notification of data breaches
Organisations must notify their supervisory authority (the ICO in the UK) within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. Where the breach is likely to result in a high risk to those individuals, the organisation must also tell them without undue delay. Every breach, notified or not, must be documented internally.
Data Protection Officer (DPO)
In some cases, the GDPR requires organisations to appoint an independent DPO who reports directly to the highest level of management; this is mandatory for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data. The DPO's responsibilities include advising on data protection obligations, monitoring compliance, and identifying and helping to resolve issues around the business's data protection and security.
Rights of the Individual
The General Data Protection Regulation (GDPR) gives individuals the right to erasure, often called the "right to be forgotten". When somebody withdraws consent, unsubscribes or requests removal, and no other lawful basis for keeping the data applies, their details must be erased without undue delay from every system that holds them, including copies held by any processors acting on your behalf. It is no longer enough to delete them from a mailing list.
Security controls must be in place to protect any data processed by the organisation. The GDPR is a good opportunity to review and tighten these controls, as they are likely to come under closer scrutiny.
What about Brexit?
The UK is introducing a new Data Protection Bill which incorporates the provisions of the GDPR into domestic law. There are some small differences, but the UK's own law will be largely the same.
If you control or work with personal data of any form and have not yet considered how the General Data Protection Regulation will affect you, it is time to act. From May 2018, regulators will be looking for businesses in violation of the new regulation; there will be no excuses and nowhere to hide if no suitable data protection measures have been taken. We are happy to help with our clients' digital security and welcome any questions you have on this topic. Contact us if you need to talk further.