The GDPR (General Data Protection Regulation) will replace the Data Protection Act 1998.
The GDPR will take effect on 25th May 2018. Since the UK will still be part of the EU when it comes into effect, Brexit will not delay its implementation. The UK government has published plans for the Data Protection Bill which will implement the GDPR into UK law.
The GDPR will apply to every company or organisation in the EU that either controls or processes personal data.
What is personal data? It is any information relating to an individual from which that individual can be identified. It does not need to be a name or address; it could just as easily be a date of birth and nationality, if that combination sets the person apart from everyone else in the data set, or even their DNA.
Data being gathered must comply with the following rules:
- It must be produced lawfully, fairly and transparently
- It must be collected for specified, explicit and legitimate purposes
- It must be adequate, relevant and limited to what is necessary for processing
- It must be accurate and kept up-to-date
- It must only be kept for as long as necessary to complete the purpose it was gathered for
- It must be processed in a manner that ensures it’s secure
All data will need to be stored in a structured way so that a breach, should one occur, can be identified easily. All data must be stored securely and kept only for as long as its purpose of use requires.
Data Subjects & Consent
The GDPR requires that each data subject's consent is obtained and recorded before their data can be used. The controller must keep proof of when consent was given. A single bundled consent will not be acceptable, as separate consent will be required for each purpose of processing.
For example, in online retail, consent will be sought for every purchase made, irrespective of whether the subject is a regular shopper at the site. The subject must voluntarily opt in to their data being held, and it must be demonstrable that they made an informed decision when opting in.
It is no longer acceptable to presume consent and leave it to the subject to opt out.
The data subject can also request access to all information held on them, and this will no longer be chargeable to the subject. A data subject can withdraw their consent for their data to be held at any time and has the 'right to be forgotten', which means that, if requested, all data relating to the subject must be deleted. Proof of this deletion must be kept.
It cannot be assumed that 'historical consent' is still applicable; it will need to be revisited and re-requested.
Information notices covering the new regulations must be published at the point at which you contact data subjects. Subjects must also be made aware of their data rights.
Whereas the Data Protection Act 1998 held only the controllers of data responsible for its integrity, the GDPR also brings the processors who handle the data within its remit. Controllers and processors must keep written records of what they are doing with the data they have compiled.
The GDPR will also apply to organisations outside the EU that offer goods or services to EU data subjects and/or monitor EU data subjects (e.g. by using cookies). Following Brexit, if you are trading within the EU you will need to appoint an EU representative.
The penalties for non-compliance will be:
Fines for breaches of data will range from €10M or 2% of annual global turnover (the lower tier) to €20M or 4% of annual global turnover (the upper tier), based on the previous year's figures. Fines can also be imposed for other infringements by the data controller or processor, even where no data has been breached.
The data controller is obliged to notify a breach of personal data to the relevant Supervisory Authority within 72 hours of the breach occurring, and to the affected data subjects immediately. The GDPR also provides for penalties other than fines (e.g. it will become a recordable offence to re-identify anonymised or pseudonymised data).
Insurance / Legal
Professional liability insurance cover will need to be increased to protect each company from the possible impact of an upper-tier fine being levied.
Also, where companies hold or process data for a third party, contracts will need to be rewritten to address potential breaches and fines. The contract should clearly delineate responsibility in the event of a breach involving either a controller or a processor.
It is believed that the ICO will target companies of all sizes, to set the precedent that no one is exempt from compliance.
It is expected that every company will be hacked at some point and its data breached; how well the company has prepared for this, and how it handles the breach when it happens, will be the litmus test.
All IT policies will need to be rewritten and updated in line with the new regulation.