The General Data Protection Regulation (GDPR) came into force on 25 May 2018. Every organisation must comply with the regulation, regardless of its size. Penalties for non-compliance are severe – up to 4% of annual turnover or 20 million Euros, whichever is greater.
GDPR intends to strengthen and unify data protection for all individuals in the EU. The regulation aims to give citizens full control of their personal data. In reality, if you are compliant with the Data Protection Act you will be largely compliant with the new regulation, albeit with a few changes to your policies and processes.
GDPR does, however, introduce a number of key changes, for example requiring organisations to gain explicit, rather than implied, consent to process an individual's data. GDPR also strengthens individual rights in relation to profiling and automated decision-making. For most companies only a few changes will be required; however, if you process large volumes of data the compliance process will be far more intensive. Depending on the size of your company, you may need to assign GDPR management responsibilities to a Data Protection Officer (DPO).
For more information, we highly recommend the following resources:
Further reading: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Useful summary infographic: https://www.itgovernance.co.uk/eu-gdpr-infographic
Explicit consent is a key requirement under the GDPR, which becomes enforceable on 25th May 2018.
- To safeguard data successfully, organisations must know what data exists and whether it contains personal information. The movement of that data through the organisation (referred to as “data flows”) should be mapped out, and a legal basis for processing assigned to all data held in the organisation. This is to prevent organisations from holding large volumes of personal data with no clear and legal reason to do so.
- Keep information secure with appropriate technical and organisational safeguards. It is your responsibility to ensure there are adequate security measures in place to protect data in your care. Under the GDPR, it will be essential to show that data is secured properly according to its sensitivity and classification. You may be required to provide evidence of this.
- Data must be processed fairly and lawfully in a transparent manner. You should clearly communicate how you use data in simple terms.
- Data must be collected for specific, explicit and legitimate purposes. You are not permitted to be ambiguous about how you use data. It should be easy for your audience to understand.
- Data must be accurate and relevant to its purpose. It should not be excessive. For example, you should not collect irrelevant or inappropriate data if you have no legitimate need to do so for the purpose of processing.
- Data must be kept up to date and removed when no longer needed. You should conduct regular reviews to ensure you delete or return data you no longer need to hold.
- Data must be kept in a form which allows easy identification of subjects.
- You must be able to demonstrate compliance with all principles of GDPR. It will be useful to start documenting the steps you take to address the regulation and to collect evidence of the actions you take. This could take the form of screenshots, meeting minutes, etc., as appropriate.
- Consent is a major part of the requirement – it must be very clear what a user is opting into when they sign up for anything, for example your company mailing list. You can no longer rely on pre-ticked boxes as a form of consent. You will need to demonstrate how you gained consent; therefore you may not be able to rely on data you did not collect in line with the new regulation.
- Freedom of information – under GDPR, individuals are permitted to request to see any data you hold about them. You cannot refuse to do so. You must be able to provide this data in a structured and commonly readable format (e.g. Excel, Word). You must respond to these requests within one month and, unlike under the Data Protection Act, you may not charge a fee to provide the data.
- If a data subject asks you to remove their data, you must remove it. You may also need to provide evidence of how you removed the data. There are some exceptions to this, for example within the prison service.
- If you use data for marketing purposes, you must give an individual the right to object at the point of first communication and in your privacy notice. The regulation is slightly ambiguous about contacting people within a business context for business purposes versus contacting a consumer on a personal basis; however, you should always take care and ensure your communications have a legal, consensual or legitimate underpinning.
This is not an exhaustive list of the requirements but was put together to outline the main considerations to bear in mind. For more information please refer to: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
Preparing for GDPR Compliance
Source: Information Commissioner’s Office: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Summary of Steps to GDPR Compliance
- Maintain awareness with key decision makers and inform them of GDPR requirements.
- Conduct an audit of your processes to ensure they comply with the rights individuals have:
  - The right to be informed
  - The right of access
  - The right to rectification
  - The right to erasure
  - The right to restrict processing
  - The right to data portability
  - The right to object
  - Rights in relation to automated decision-making and profiling.
- Conduct an audit of data in your care and document what data you hold, where it’s from and who you share it with (information audit).
- Establish and document consent, i.e. log details of who has subscribed to receive emails from you, how they subscribed, where the evidence is and what you are authorised to contact them about. For example, having consent to contact someone about their appointment does not mean you can send them advertisements unless they have opted in.
- Communicate privacy information to stakeholders in time for GDPR implementation.
- Provide stakeholders with information on your governing authority. In most cases, this will be the Information Commissioner's Office. You must provide stakeholders with clear information on how to complain about how you handle data if they wish to do so.
- Implement privacy and cookie notices on your website.
- Check your internal procedures to ensure they cover all the rights of individuals, e.g. how you would delete personal data and how you would provide it if requested. It is worth doing this beforehand so you are ready in time for 25th May 2018.
- Identify lawful bases for processing of data and document this in privacy notices.
- Put strict processes in place for data pertaining to children. You will be required to gain parental consent for processing data pertaining to children under the age of 16, and in some cases children under the age of 18.
- Have procedures in place to detect, report and investigate a personal data breach.
- If you process any data outside of the EU, you need to determine your supervisory authority in the relevant territory and ensure that the processing complies with GDPR if the individuals whose data you process live within the EU. For example, companies based in the US are still required to comply with GDPR if they process data about individuals in the EU.
- Clearly communicate your approach to subject access requests. Under GDPR an organisation is not allowed to charge for subject access requests.
- Implement measures to comply with subject access requests, i.e. if you are asked to give an individual information on the data held about them, you must do so promptly and in a commonly accepted format, e.g. Microsoft Excel, Word document, PDF. It should be easy for the individual in question to understand what data is held about them or to transfer it to another party.
- Implement measures to ensure breaches can be detected, reported on and investigated.
- Delete old data that is no longer required or when asked to do so by an individual.
- Ensure no data is shared with third parties without explicit consent from the individual.
- Demonstrate you comply with the requirements and collect evidence of the actions you take to remain compliant.
This is not an exhaustive list of the requirements but was put together to outline the main considerations of GDPR. For more information please refer to: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/