Guide to General Data Protection Regulation (GDPR)
Compiled and prepared by: mkLINK Ltd, December 2017
GDPR may already be set in law, but it is not due to ‘go live’ until 25th May 2018. Therefore, it is likely to be an evolving subject, and this guide is simply meant as just that - a guide, looking at GDPR from the perspective of December 2017, before the law has actually been implemented. This guide is not definitive, but rather an educated perspective based on a collection of information from multiple sources about what is known about GDPR at the point of writing it.
What Is GDPR?
The General Data Protection Regulation (GDPR) will come into force on 25th May 2018 and is a Regulation designed to set the guidelines going forward for the collection and processing of personal identity information by companies and organisations.
This new Regulation replaces the EU Data Protection Directive of 1995, and will be part of EU privacy and human rights law. The previous Directive meant that data laws were implemented individually in each country and were not consistent across the EU. GDPR should bring greater consistency and harmony by bringing all data protection elements under one law for all countries.
The Regulation from the EU consists of 99 articles, under the guidance of 6 privacy principles. It covers data that is produced by an EU citizen, whether or not the company processing that data is located within the EU, and it covers people who have stored data within the EU, whether or not they are EU citizens.
The UK was very involved in the drafting of the regulation which was designed to make companies take the issue of data protection more seriously and to strengthen the rights that EU citizens have over their data.
The focus of GDPR is on ensuring that businesses are transparent and protect individual privacy rights i.e. data will be viewed more as the property of (and under the control of) the individual or user rather than the business or provider.
GDPR applies to all UK and worldwide companies and organisations that store, process and use the data of EU citizens, and people “living in the UK”. This means that it also applies to:
The kind of ‘data’ covered by GDPR includes data stored on / in / at:
GDPR covers organisations / groups that previously didn’t have to register under the Data Protection Act e.g. charities, sports clubs, and any group that holds personal information e.g. names, addresses, email addresses, telephone numbers, and even stored facial recognition images.
Also, one important difference with GDPR is that companies will no longer need to register with the ICO, no longer need to pay a fee to them, and no longer need to disclose to them what information they intend to store about data subjects (customers and others).
GDPR will also cover a much wider area in terms of what counts as personal data.
Under the new Regulation, any data that could identify an individual such as genetic, mental, cultural, economic or social information will count as personal data.
GDPR is a ‘Regulation’ (not a Directive) and, therefore, will apply to all EU member states. The UK referendum result means that the UK will no longer be an EU member state in the near future. However, GDPR will come into force on 25th May 2018, before the UK’s Brexit matters are concluded, and since it applies to companies that deal with the data of EU citizens, it (or at least the UK’s own Data Protection Bill) will apply after Brexit.
UK Information Commissioner Elizabeth Denham has said that she supports the UK adopting the EU regulation even post-Brexit because if the UK is to continue doing business with Europe, British businesses will need to share information about and provide services for EU customers.
With this in mind, the UK is bringing in its own Data Protection Bill, which was announced in the Queen’s speech in June 2017, and was introduced to the House of Lords on 13 September 2017. This will allow UK businesses to continue doing business with the EU post-Brexit. GDPR will become law in the UK in May 2018, but the Data Protection Bill will enable UK businesses to make the transition after March 2019, the current tentative date for the UK leaving the EU (Brexit).
This new UK DPB will replace the Data Protection Act 1998, and will essentially transfer the EU’s GDPR into UK law. The Bill covers many exemptions, restrictions, and clarifications relating to GDPR. Crucially, the Data Protection Bill will mean that:
The DPB will give extra assessment powers to UK regulators that are not currently available unless they relate to a government agency. For example, new ‘Assessment Notices’ will give the Information Commissioner’s Office (ICO) the powers to enter the premises of any organisation, and to audit its data security compliance e.g. by examining documents, equipment and processing of data.
If it is decided from the audit that an organisation is not DPB compliant, enforcement notices and a schedule for correction can be put in place. Fines can also be issued of the same level as GDPR e.g. 4% of an organisation’s worldwide revenue.
Just as GDPR compliance sounds challenging to businesses / organisations that are not prepared, it could represent an even bigger challenge to businesses (UK companies and UK-based multinationals) / organisations that have neglected the enormous amounts of data held in file systems. For them, the DPB will doubtless come as a shock.
With GDPR, there are 6 principles which give companies a broad, top level overview of which areas are covered by the new regulation. These principles are:
Under the new regulations your company / organisation MUST be able to PROVE clear and affirmative consent to process personal data.
This means that your company / organisation must remember to explain clearly and exactly what personal data it is collecting and how it will be processed and used. Your company / organisation will therefore need to make sure that this step is built into every occurrence of personal data collection without fail and that the proof is stored and can be accessed quickly if necessary. The information that you supply has to be human understandable i.e. descriptions of products / services / treatments supplied need to be clear, and not based around internal codes / product codes.
Under GDPR, people must be able to opt-in rather than opt out i.e. the options for receiving information (e.g. on web page contact forms) from companies must not be already ticked. The accompanying wording must also clearly state that ticking a box means opting in. Other implications of a change in the rules regarding consent are that:
Under GDPR, Data Protection Impact Assessments will become an important (and mandatory) way of identifying, assessing and mitigating or minimising privacy risks with data processing activities. This could be particularly relevant when a new data processing process, system or technology is being introduced.
DPIAs also support the accountability principle. In other words, they help organisations to comply with the requirements of GDPR and demonstrate that appropriate measures have been taken to ensure compliance.
The importance of the use of DPIAs in building compliance is underlined by the potential penalties of failing to do so. If companies / organisations fail to adequately conduct a DPIA where it is deemed to have been appropriate, this could result in fines of up to 2% of an organisation's annual global turnover or €10 million, whichever is greater.
If you are a public authority processing personal information, or if your main activity involves the regular and systematic monitoring of data subjects on a large scale, or if your main work involves the processing on a large scale of special categories of data you will need to appoint a Data Protection Officer (DPO).
This person will need to be very familiar with all aspects of compliance with existing (and new) UK and the new EU regulations. This could therefore have an impact on staffing and resources (for training).
The DPO’s role will include:
Your organisation will need to have the capability and systems in place to enable it to monitor for, identify and notify the ICO of a data breach within 72 hours of discovering it.
Under GDPR, data subjects have the right to ask to view what data you store about them. If you have stored data in paper files, GDPR still applies and this may pose an obvious challenge. Also, whereas the Data Protection Act allowed businesses to ask for a nominal charge for subjects to see their data, under GDPR this will be free.
Your company / organisation must not hold data about a person for longer than is necessary, must not change the use of the data from the purpose for which it was originally collected (when consent was given for that specific purpose), and must delete any data about a subject at the request of that data subject.
This gives subjects the right to opt out completely i.e. ‘the right to be forgotten’. GDPR does not, however, over-ride all individual country / industry laws on this issue i.e. banking laws where some of your details may need to be retained.
Article 12 of the GDPR specifies that a request for access or destruction of personal data must be free of charge, easy to make and must be fulfilled without ‘undue delay’ and at the latest within one month (although it is currently understood that this may take longer in some cases).
This is one important way in which GDPR differs from previous data laws, and puts control back in the hands of the data subject.
Companies and organisations must provide an accessible way for data subjects to unsubscribe from / opt out of receiving online and offline communications that they have previously consented to. The company / organisation must comply with the request, and record when the request was made.
Your customers / data subjects will have a ‘right of portability’. This means that, under GDPR, a person can force a company to transfer all data that is stored about them to a competitor and that company cannot refuse. This could be particularly challenging for large companies.
Customers can ask companies / organisations not to combine their personal details with (for example) their purchase history to enable profiling that could take the form of e.g. targeted advertising. This could have serious implications for some aspects of marketing e.g. grocery retailing.
Under GDPR it won’t just be the Data Controller (DC) who is held liable for data processing issues.
Liability and responsibility will extend to all organisations that touch the personal data of the subject / subjects.
This will help to ensure that companies / organisations take a close interest in all parts of the data storage and processing chain to ensure compliance all the way along, within the organisation, and in the choosing and management of 3rd party relationships.
Privacy by design means that your software, your systems and processes must be designed around compliance with the principles of data protection every step of the way.
If you use 3rd party companies e.g. cloud suppliers, you are reliant on them building-in privacy by design, such as encryption. Other elements of your systems, such as bespoke software written before privacy by design, and software that doesn’t use encryption, are therefore likely to be non-compliant. Old systems may, therefore, need to be replaced.
Under GDPR, any European data protection authority is able to take action against organisations regardless of which country they are based in.
The penalties for non-compliance with GDPR are much greater than the penalties for non-compliance with the existing Data Protection Act. Figures / analysis by Oliver Wyman, for example, show that FTSE 100 companies could face fines of up to GBP 5 billion for breaches of the GDPR. Had GDPR been in place for the past five years, the top listed UK companies could have been fined GBP 25 billion.
Under GDPR, failing to gain consent to process data, or a breach of privacy by design, will mean that companies / organisations will be fined up to €20 million, or 4% of their global turnover (whichever is greater).
Under GDPR, fines will be levied using a tiered approach, depending upon the scope of the violation. Lesser violations e.g. records not being in order, or failure to notify the supervisory authorities, or not conducting a PIA where it was necessary, could mean that companies / organisations incur fines of 2 per cent of global turnover.
GDPR will mean that companies / organisations like yours will need to take a fresh look at how they deal with personal data in all aspects of operations, and what business relationships they have with 3rd parties.
GDPR requires privacy by default. Each EU citizen and person living in the UK will have the right to expect that data about them is stored securely and those storing the data e.g. companies / organisations, must be able to demonstrate compliance.
Hardly any data will not fall under GDPR, which means you will need to take GDPR seriously and become very familiar with it and its implications. GDPR also means that: