General Data Protection Regulation
Are you compliant?
WHAT IS GDPR?
The General Data Protection Regulation (GDPR) is the European Union’s new legislation to strengthen and unify data protection for EU citizens. It will apply in the UK from 25 May 2018. The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
WHY IS THIS SO IMPORTANT?
The current Data Protection Directive (DPD) was enacted in 1995. Since then, both the complexity of the regulations and public awareness have grown hand in hand with rapid technological progress. With many businesses operating across borders, international consistency in data protection laws and rights is crucial to both businesses and individuals.
WHAT IF YOU DON'T COMPLY?
If you fail to comply with the Regulation you could find yourself being fined up to €20 million or 4% of your company’s global annual turnover, whichever figure is larger, and your reputation could be seriously damaged.
Who does the GDPR apply to?
The GDPR applies to any organisation that operates within the EU or with EU data. Organisations can be considered ‘controllers’ and/or ‘processors’.
The definitions are broadly the same as under the DPA. Controllers decide how and why personal data is processed; processors act on the controller’s behalf.
What information does the GDPR apply to?
The GDPR applies to ‘personal data’. However, the definition is more detailed and makes it clear that information such as an online identifier – e.g. an IP address – can be personal data.
The GDPR applies both to automated personal data and to manual filing systems where personal data are accessible according to specific criteria.
What is new?
The most significant addition is the accountability principle. The GDPR requires you to show how you comply with the principles – for example by documenting the decisions you take about a processing activity.
You are expected to put into place comprehensive but proportionate governance measures. Good practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
You are a Data Processor if you decide:
What IT systems to use to collect personal data.
How to store the personal data
The detail of the security surrounding the personal data
The means used to transfer the personal data
The means used to retrieve personal data about certain individuals
The method for ensuring a retention schedule is adhered to
The means used to delete or dispose of the data.
You are a Data Controller if you:
Collect the personal data in the first place
Decide the legal basis for doing so
Decide which items of personal data to collect
Decide the purpose or purposes the data are to be used for
Decide which individuals to collect data about
Decide whether to disclose the data and, if so, to whom
Decide whether subject access and other individuals’ rights apply
Decide how long to retain the data, or whether to make non-routine amendments to the data.
Processor, Controller or both?
Identify your responsibilities
[Holding data on your own servers]
As a Data Processor, you will have to safeguard data and ensure data resilience to a high standard. You will have significantly more legal liability than controllers if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
Physical security of data:
The building where the servers are housed must be adequately secured against fire, flood and theft.
At least one other secure building should be used for data storage and business continuity.
Backups are the backbone of restoration and continuity. In the unlikely event of a successful hacking or ransomware attempt, affected servers are less of a problem if a backup can be restored.
You must have a cyber resilience strategy in place to reduce the risk of data breaches. It should include enterprise-grade tools such as robust firewalls, anti-malware/anti-virus tools, and monitoring for hacking attempts and for staff visiting suspicious phishing websites.
[Entering and maintaining personal data]
As a Data Controller, you will have to comply with rules concerning consent, access, rectification and portability of data.
Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity. Consent must also be separate from other terms and conditions, and you will need to provide simple ways for people to withdraw consent. Consent has to be verifiable, and individuals generally have more rights where you rely on consent to process their data.
Remember that you can rely on other lawful bases apart from consent – for example, where processing is necessary for the purposes of your organisation’s or a third party’s legitimate interests.
The GDPR sets out the information that you should supply and when individuals should be informed. The information you supply is determined by whether or not you obtained the personal data directly from individuals.
The GDPR clarifies that the reason for allowing individuals to access their personal data is so that they are aware of, and can verify, the lawfulness of the processing.
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If you have disclosed the personal data in question to third parties, you must inform them of the rectification where possible. You must also inform the individuals about the third parties to whom the data has been disclosed, where appropriate.
The right to erasure is also known as ‘the right to be forgotten’. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Keep a record of data operations and activities
Carry out a data Privacy Impact Assessment (PIA) for systems and projects
Consider if you will be required to designate a Data Protection Officer (DPO)
Notify the supervisory authority of a Data Breach
Review data processing processes
*Extended information is available in our Support Portal.