What is the GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation aiming to help strengthen data protection for EU citizens and residents both within the EU and internationally. Essentially it aims to tighten up the handling and use of the personal data of people within the EU.
Anyone, or any company who collects and processes personal data (which the GDPR defines as a Data Controller) must comply with the new GDPR regulations. This may include organisations who use internal databases, for example for marketing, payrolls, or staff contact details, companies that have websites or apps, 3rd party customer relationship management (CRMs) systems, or simply if you just use email.
A large portion of the GDPR is concerned with transparency and informing individuals about how their personal data is being used, for what purpose, by whom and for how long. GDPR requires ‘data controllers’ to state what data is being processed and for what reasons. Furthermore, controllers are required to inform individuals about how long the data will be retained for. They must also specify who the subject should contact regarding any part of the controller’s data processing procedures.
“Non-compliance could lead to a significant loss of business to competitors who are able to demonstrate their GDPR compliance”
What Are The Implications for Non-Compliance?
of Global Turnover
The GDPR imposes significant penalties for non-compliance.
The most significant potential fine under the GDPR is 4% of global annual turnover of the preceding year or 20 Million Euros (whichever is the greater). This is reserved for organisations who are found to have failed to implement basic security measures.
The second largest fine is 2% of global annual turnover of the preceding year or 10 Million Euros (whichever is the greater). This would be applied to any organisation who fails to notify the relevant authorities and the individuals affected following a breach in data security. The relevant authority in the UK is The Information Commissioner’s Office (ICO).
Under the new legislation an insufficient strategy for notification of a breach could be a very costly mistake for an organisation, not to mention any legal costs associated with defending the company’s inaction.
Potentially even more expensive long term consequences for violation would be the loss of customer trust and brand confidence.
Furthermore as the deadline approaches many businesses will require their vendors to be fully compliant with the GDPR as a condition for continuing to do business. These requirements in future will typically be part of the RFQ process and / or privacy & security audits.
DOES THE GDPR APPLY TO YOUR BUSINESS?
Answering three simple questions can help determine whether your company is impacted by the GDPR:
- Does your company offer goods and services to individuals in the EU?
- Does your company have employees in the EU?
- Does your company monitor the behaviour of individuals?
If the answer is “yes” to ANY of these questions, and unless your company has special exemption from EU law, then the GDPR will most likely apply to your company.
The GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s size, location, or nature of business.The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU individuals (defined as data subjects by the GDPR).
The GDPR is a risk-based framework, and because it covers personal data, the GDPR focuses on having the right governance structure, policies and operational practices, as well as monitoring, detection and response processes in place. For these reasons, there are important implications for information security practice, which could mean significant changes for organisations that are unprepared.
While virtually all organisations will have to implement some changes to become compliant, some will be able to take partial advantage of existing compliance with other mandates and frameworks, such as ISO 27001, BS10012 and PCI, by extending those measures to the protection of personal data. However, despite having achieved compliance with other mandates, further work could still be required to comply with the GDPR.
What’s the Relevance of GDPR for My Organisation?
GDPR relates to personal data. The relevance of GDPR to your organisation will depend on several factors. Obviously, if you handle data for European citizens then it applies to you.
Personal data is any information relating to an individual, whether it’s in connection to his or her private, professional or public life. According to the European Commission, this can include but isn’t limited to a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address. Thus, there is a high likelihood that any data you process for EU citizens is relevant.
What Is The Purpose Of The GDPR?
The aim of the new rules is to ensure businesses are more open about how they use personal data, and that they consider carefully and implement the appropriate security measures to protect that personal data. By increasing transparency through suitable procedures, this will ensure that individuals are made fully aware of what they are signing up for before they consent to their information being used (processed).
Will the GDPR be Affected by Brexit?
No, the indications from the government and the Information commissioner are that the GDPR is here to stay.
This is because firstly when the GDPR came into effect the UK is still part of the European Union even though it has started the withdrawal process. Secondly, the UK will adopt all EU legislation immediately following Brexit. During this period, referred to as ‘The Great Repeal Bill’, the EU laws will be rewritten inline with Britain’s new status outside of the EU. So unless you are planning on denying access to your services or products to any EU citizens or residents then you will be required to comply with the GDPR or suffer the consequences.
Supervisory authorities such as The ICO have a wide range of other powers and sanctions at their disposal. This includes investigative powers, such as the ability to demand information from controllers and processors, and to carry out audits. They also have corrective powers enabling them to issue warning or reprimands, to enforce an individual’s rights and to issue a temporary and permanent ban on processing.
Individuals also have a right to bring a claim against a controller or (importantly) processor in court. They also have the right to recover both material damage and non-material damage (e.g. distress). Where more than one controller and/or processor is involved, they are jointly liable to be compensated. In certain cases, not-for-profit bodies can bring a representative action on behalf of individuals. It’s considered highly possible by some experts that this will lead to a ‘claims culture’ in future, similar to the PPI market where individuals are encouraged to pursue claims against organisations who have sloppy personal data practices, or look to exploit holes in personal data security systems.
TIME FOR ACTION
What You Need To Do To Comply
If you haven’t started considering how to implement the GDPR into your company yet then you need to start NOW as a matter of urgency.
You will need to make sure all practices, policies and processes relating to the collection and use of personal data across your organisation have been assessed and brought into alignment with the requirements of the new Regulation.
That includes understanding and complying to all 99 Articles and 173 Recitals included in the Regulations!
The following list outlines just a few key mandates defined by the regulation that your organisation needs to consider under the GDPR:
Article 5 – Principles relating to processing of personal data
Article 6 – Lawfulness of processing
Article 7 – Conditions for consent
Article 8 – Conditions applicable to child’s consent in relation to information society services
Article 9 – Processing of special categories of personal data
Article 10 – Processing of personal data relating to criminal convictions and offences
Article 11 – Processing which does not require identification
Article 12 – Transparent information, communication and modalities for the exercise of the rights of the data subject
Article 13 – Information to be provided where personal data are collected from the data subject
Article 14 – Information to be provided where personal data have not been obtained from the data subject
Article 15 – Right of access by the data subject
Article 16 – Right to rectification
Article 17 – Right to erasure (‘right to be forgotten’)
Article 18 – Right to restriction of processing
Article 19 – Notification obligation regarding rectification or erasure of personal data or restriction of processing
Article 20 – Right to data portability
Article 21 – Right to object
Article 22 – Automated individual decision-making, including profiling
Article 23 – Restrictions
Article 24 – Responsibility of the controller
Article 25 – Data protection by design and by default
Article 26 – Joint controllers
Article 27 – Representatives of controllers or processors not established in the Union
Article 28 – Processor
Article 29 – Processing under the authority of the controller or processor
Article 30 – Records of processing activities
Article 31 – Cooperation with the supervisory authority
Article 32 – Security of processing
Article 33 – Notification of a personal data breach to the supervisory authority
Article 34 – Communication of a personal data breach to the data subject
Article 35 – Data protection impact assessment
Article 36 – Prior consultation
Article 37 – Designation of the data protection officer
Article 38 – Position of the data protection officer
Article 39 – Tasks of the data protection officer
Article 40 – Codes of conduct
Article 41 – Monitoring of approved codes of conduct
Article 42 – Certification
Article 43 – Certification Bodies
Article 44 – General principle for transfers
Article 45 – Transfers on the basis of an adequacy decision
Article 46 – Transfers subject to appropriate safeguards
Article 47 – Binding corporate rules
Article 48 – Transfers or disclosures not authorised by Union law
Article 49 – Derogations for specific situations
Article 50 – International cooperation for the protection of personal data
Article 77 – Right to lodge a complaint with a supervisory authority
Article 80 – Representation of data subjects
Article 81 – Suspension of proceedings
Article 82 – Right to compensation and liability
Article 84 – Penalties
What Are Your Options?
- OPTION 1 – Implement the Procedures Yourself
- OPTION 2 – Employ a Data Protection Officer (DPO)
- OPTION 3 – Sub Contract a European Data Privacy Professional