What does the General Data Protection Regulation mean for businesses?
All businesses and organisations keep records containing personal data. It’s unavoidable – if you have customers, employees, job applicants, suppliers, or a mailing list, you need to keep records. Those records will contain data such as contact information, purchases, payments, staff records, etc. Now, the rules around how that data is managed are being tightened under the General Data Protection Regulation (GDPR). Companies must have the correct processes in place before the new regulations apply in May 2018. Time is running out, so what do you need to do?
Additional EU legislation to protect personal information will become law in the UK on 25 May 2018. This is when the General Data Protection Regulation comes into force. It’s important to note that Brexit will not affect the implementation of the new rules. This is because the GDPR will apply to organisations based within the EU, as well as those located outside the EU that trade within it.
The new rules are being introduced to ensure consistency across international borders. It’s easier than ever to trade with customers and suppliers overseas, so it makes sense to have a standard approach in relation to data.
In order to protect personal information and ensure it is managed within the conditions set out by the GDPR, there will be restrictions placed on the transfer of such data outside of the EU.
The UK Data Protection Act already covers the handling, storage and processing of personal data, so it’s likely that the majority of organisations affected by the GDPR will already be complying with current legislation. They will need to update and amend their processes to comply with the new rules.
The GDPR places great emphasis on the security of personal data. This is intended to protect people against unauthorised use of, or access to, their data, via cyber-attacks, data breaches, or accidental loss. Organisations have an obligation to implement appropriate measures to properly protect data.
Definition of ‘Personal Data’
The importance of personal data is being formally recognised under the new regulations. There’s a distinct move towards personal data being seen as belonging to an individual, just as much as their DNA does. The new legislation is very consumer-focussed in terms of giving people greater control over what information is stored and used.
Under the GDPR, the definition of what constitutes ‘personal data’ is wider. In addition to general information, there are additional categories, such as IP addresses, which can be used to identify individuals. This is to keep up with the development of technology and the fact that people are doing more online than ever before.
Essentially though, any information that could identify someone is personal data – even if that data has been anonymised.
It also applies whether the data is electronic or manual.
There are several additional responsibilities for businesses in relation to data under the GDPR.
It’s up to the organisation to prove they have consent to store and use data, as well as being able to demonstrate how and why it is used. They must also have documented processes for security.
Consent must be a conscious decision and cannot be assumed or automatically opted into. It must be given with a clear understanding of the purpose for which the information is being collected. People must actively give their consent and be made aware that they can withdraw it at any time. This means you can no longer accept a business card and assume that allows you to add the details to a mailing list.
There must be a valid ‘lawful basis’ for the storage and processing of personal information. Organisations must only use information for the specific purpose for which it was obtained and nothing more. This already exists in part under the DPA’s ‘conditions for processing’, but there is greater accountability and a requirement for the ‘lawful basis’ to be properly documented under the GDPR. Steps must also be taken to ensure information is current, kept up-to-date and held for only as long as necessary to fulfil the requirements for which it was collected.
Privacy notifications must include the reason for obtaining and processing data. You may have already received notifications from some of the companies and organisations with whom you have a relationship, telling you about how they are changing the way they handle your personal information. This is evidence of how they are also getting ready for GDPR.
The onus is squarely on the organisation holding the data and accountability is key. In addition to the rules on managing and processing data, there’s an obligation to report certain types of data breach to the relevant authority; for serious breaches, that obligation extends to notifying the affected individual(s) as well. The breach could be a loss, damage or destruction of data, accidental disclosure, or unauthorised (external or internal) access to data. The report must be made within 72 hours of becoming aware that such a breach has occurred.
People will also have easier access to the information that is held about them. They can request the information and withdraw permission for it to be kept, or ask for it to be corrected. Companies will have to amend or delete data, as specified. This information must be provided within one month, free of charge, although if requests are repetitious, vexatious or excessive, a reasonable fee may be levied.
Failing to meet the requirements of data management under the GDPR could lead to serious consequences. The upper threshold for fines is a huge €20 million or 4% of turnover, whichever is greater. If you compare that with previous fines under the UK’s Data Protection Act, where some of the biggest fines ran into hundreds of thousands of pounds, you can see just how big the GDPR’s teeth are.
What should you do now?
- Prepare your business for the new regulations. Ensure all staff have the relevant information, provide training and consider certification.
- Consider carrying out a Data Protection Impact Assessment (DPIA). This is an ICO-recommended tool, which can help to identify any weaknesses in data handling. It also enables an organisation to easily assess how they can effectively meet their obligations under Data Protection legislation. Check out the ICO’s guidance to PIAs.
- Ensure your data protection policies are documented – including any staff training and certifications.
- Review your current processes; document existing data handling and security. Audit the data you hold, where it was obtained, the purpose for which you have it and what you do with it. Delete any data you no longer use or need.
- Index anyone with whom you share data and list the reasons why. Examine how you communicate with people for whom you hold data and how you amend or delete data where necessary.
- Check your consent and privacy notifications. Do your current consents meet GDPR requirements? If not, get them re-issued and amend your records for any withdrawn or amended consents.
- Map out the procedures you will need to implement to meet GDPR requirements for the following:
  - Lawful basis. Establish your organisation’s lawful basis for data processing. Make sure you have properly documented it and included it in your privacy notifications.
  - Subject Access Requests. Formalise how you will deal with requests for access to personal data, as well as amendments and deletion of data.
  - Data breaches. Document how you would investigate and, where necessary, report a data breach.
- If necessary, appoint a Data Protection Officer (DPO) for your organisation. Some organisations, such as public authorities, are required to appoint a DPO, but it can be useful for any organisation to have someone who holds responsibility for ensuring compliance practices are maintained. The DPO – whether formally required or not – should report at board level, be given adequate resources for undertaking the role and carry out their DPO duties independently.
The full text of the GDPR can be found here, and the EU’s GDPR portal contains additional guidance. The European Commission also has a catalogue of information here, which contains links to Data Protection Authorities around the world.