How will GDPR affect you?
What is the General Data Protection Regulation?
By now it is likely you have heard of the upcoming General Data Protection Regulation or GDPR, which, despite Brexit, will be enforced in the UK from the 25th of May 2018.
It is critical that all organisations dealing with personal and sensitive data adhere to the new extended principles of the original EU Data Protection Directive of 1995 to ensure the security of EU citizen data. In this blog series we will look at the key principles of GDPR, common myths surrounding the new regulation and ask, ‘Are you ready?’ with our downloadable guide.
Understanding what is changing
GDPR should not be considered a completely new set of rules for businesses in the UK, but rather an extension of and improvement on the existing Data Protection Act (DPA). Clearly, the more compliant with the original DPA legislation your company is, the easier it will be to meet GDPR requirements. As a result, understanding your current level of compliance through a detailed gap analysis is a vital first step in forming an implementation plan.
“The new regime is an evolution in data protection, not a revolution”
Steve Wood, Deputy Commissioner (Policy), Information Commissioner’s Office
The new initiative also ensures that data protection legislation is consistent across all member states with enforcement led by each Supervisory Body, overseen by the European Data Protection Board. In the UK, the Supervisory Body is the Information Commissioner’s Office (ICO).
A key change which has likely grabbed the attention of business leaders is the increased penalties surrounding breaches and non-compliance.
Under GDPR, there are two levels of fines an organisation can expect for being in breach of the new regulation. The higher fines, which could reach 4% of annual global turnover or €20 million, whichever is higher, represent a significant increase in the ICO’s power to impose fines on organisations compared with the previous £500,000 limit under the DPA. Infringements at this level range from breaches of the processing conditions and consent requirements to violations of data subject rights and failure to adhere to the subject access request process.
The second, lower fine of 2% of annual global turnover or €10 million, again whichever is higher, could be imposed as a result of non-compliance. In practice, this could be the failure to implement effective technical measures such as ‘privacy by design’, failure to meet the general obligations between data controllers and processors, or failing to maintain auditing records. Additional details on the conditions for imposing fines can be found in Article 83 of GDPR and on the ICO website.
While this is a significant increase in fines, Elizabeth Denham, Information Commissioner at the ICO, has stated in her ‘GDPR – sorting the fact from the fiction’ blog series that issuing fines will still be considered a last resort.
The new legislation also addresses the fact that currently there is no legal obligation to report breaches of personal data. Under GDPR all breaches that may result in a risk to the rights and freedoms of natural persons must be reported within 72 hours of discovery and ‘without undue delay’. A personal data breach is defined as any ‘physical, material or non-material damage to natural persons’ (GDPR, Article 33, Recital 85) such as loss of control over their personal data, identity theft or fraud, or any other ‘significant economic or social disadvantage’ to the individual affected. In situations where there is a high risk to data subjects, controllers also have a responsibility to notify them of the breach along with measures taken to mitigate the effects.
The reporting of breaches to the ICO is not necessary in situations where the data breached poses no threat to the rights and freedoms of the data subject. Additionally, notification to data subjects is not required where data controllers can evidence that their actions have mitigated any risks to data subjects or if the data itself was unintelligible or encrypted.
Data subject rights and consent
While fines and breaches are probably the first area organisations are concerned about, a key aspect of GDPR is the re-evaluation of what consent is and what rights the data subject (the individual who is the subject of the personal data) has over their information. GDPR forces companies to consider not only gaining explicit consent to collect data, but also consent to process the data they already have stored. The GDPR principle of storage limitation also forces organisations to assess whether they should still be in possession of data which falls outside of its auditing or legal obligations.
Consent under GDPR requires an explicit affirmative act to opt in to communications. ‘Silence, pre-ticked boxes or inactivity should not therefore constitute consent’ (Article 7, Recital 32). Consent is tied to the purpose for which it was collected; for example, consenting to receive a newsletter does not equal generic consent for all company communications, particularly where third parties are involved. Controllers (those who determine the purposes and means of processing personal data) should also only collect information that is necessary, in line with the data minimisation principle.
Maximising the opportunities GDPR creates
It is understandable to be concerned over the level of work required to become compliant, particularly as the deadline of the 25th of May 2018 fast approaches. While we have discussed some of the pitfalls that GDPR could cause for organisations, it is worth considering the key benefits that compliance could bring.
One of the fundamental aspects of good information security, regardless of the sensitivity of the data, is knowing what you have and where it is stored. GDPR enables organisations to fully take stock of their current data practices and adopt a proactive approach to compliance. The implementation of best practice through new and updated data protection policies and infrastructure can help promote reduced costs through efficiency gains and of course, reduce the risk of a data breach.
Even with the best security processes and systems in place, employees still need to be aware of their responsibility for information security. Employees are often cited as the greatest risk to an organisation’s information security, so coupling policy with dedicated employee training and awareness campaigns is critical to ensuring a culture of good cyber security.
Data-led decision making should also be more accurate under GDPR, from strategy to marketing activity, as a result of data being held in a centralised single version of the truth. Accurate and freely given data from prospects and customers will enable marketers to tailor their messaging with targeted services and products, as well as drive product innovation in a competitive market.
Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter.