As a result of new legislation, the laws regarding Data Protection are changing to become stricter, as well as more organised. Most companies will need to make changes to training, processes, and the information they store and retain, as well as to how they respond to requests. Largely, this builds on good working practices and creates a base of evidence to demonstrate those good processes and procedures – it is nothing to be worried about. This blog explores the introduction of the General Data Protection Regulation, or GDPR.
What is the General Data Protection Regulation?
Because the EU saw a need for a more up-to-date, standardised data protection act, the General Data Protection Regulation was introduced; it is due to take effect on Friday 25th May 2018. This new legislation concerns the protection of personal and sensitive data, and how it is used, handled, and stored. It is a binding legislative act that tackles the outdated or inconsistent data protection laws (such as the UK’s 1988 Data Protection Directive) currently standing in the EU’s member states, and promotes the secure, free flow of data.
Why was the GDPR introduced?
Technological advancements over the last 20 years have drastically changed the capabilities of computers and phones since the previous data protection laws were written. Today we create data at an unprecedented rate, and this has implications for how that data may be used beyond its original intention. This new binding legislative act tackles outdated data laws in the European Union, such as the EU Data Protection Directive of 1995. The EU identified a need for a new, standardised data protection framework that addresses the recent technological, social and working-practice advancements that can create new risks associated with our personal information.
Will Brexit make a difference?
As of the 29th March 2019, the United Kingdom will have left the EU. However, GDPR will still apply to UK businesses and how they handle or control personal data. After Brexit, businesses trading in the EU will still need to comply with the GDPR, hence its level of importance and priority to many companies within the UK and the European Union.
What are the consequences?
As of the 25th of May 2018, any company, business or organisation that fails to comply with the regulations and principles (examples might include not notifying their local data authority of a breach within 72 hours, failing to service Subject Access Requests within one month, not managing consent properly, or sharing information with other parties without appropriate controls) could face the following fines:
- Data breaches deemed to be the most serious, in terms of data protection or data lost, could lead to fines of up to 20 Million euros (£18 Million) or 4% of global annual turnover, whichever is the greater value.
- Other data breaches deemed to be less serious could lead to fines of up to 10 Million euros or 2% of global annual turnover, whichever is the greater value.
Important principles of the GDPR
The data protection principles outline the main responsibilities and obligations for organisations. Personal data should be:
- processed lawfully, fairly and in the way it was originally stated to be used;
- collected for defined and legitimate purposes and not further processed in a manner that conflicts with those purposes; further processing for other reasons, such as scientific or historical research purposes or statistical purposes, will be considered compatible with the initial purposes;
- limited to what is needed for the purposes for which it is processed;
- accurate and, where necessary, kept up to date; steps must be taken to ensure data is accurate and does not become outdated or invalid;
- kept in a form which permits identification of data subjects for no longer than is necessary; personal data may be stored for longer periods so long as it will be processed solely for compatible purposes;
- processed in a manner that ensures appropriate security of the personal data, using appropriate measures, including protection against unauthorised or unlawful processing and against data breaches (accidental loss, destruction or damage etc.).
As well as bringing new sanctions, the GDPR brings more accountability, obligations and restrictions. The GDPR:
- Applies to companies worldwide that process the personal data of EU citizens
- Widens the definition of personal data
- Makes the designation of a Data Protection Officer mandatory for organisations with 250+ employees, or organisations that are public authorities
- Tightens the rules for obtaining consent to use personal data: consent must be unambiguous, specific and opt-in, with an opt-out capability, and must be regularly revisited and refreshed
- Introduces privacy impact assessments (PIAs) on systems and products
- Requires businesses to notify the local Data Protection Authority of any data breaches within 72 hours
- Tightens the data handling principles so that organisations must not hold data for any longer than necessary (stricter retention periods)
- Expands liability beyond data controllers to all businesses that touch personal data (Data Processors)
- Requires privacy by design, which means systems, processes and products must respect the principles of data protection from the design stage
- Requires you to give your data subjects more information when collecting their personal data
- Raises the age threshold for collecting data from 13 to 16
- Requires you to remove, anonymise or redact data you are not using for its original purpose
As we approach the 25th of May 2018, many businesses are making the necessary changes to comply with the GDPR. Some articles fear-monger about GDPR, but if you make the key changes to your business you will not need to worry. Are you struggling to achieve compliance? If so, review Excelpoint’s pre-configured, but customisable, solution that addresses many of the operational considerations associated with rolling out a fresh approach to GDPR. Our team at Excelpoint continuously work to improve our software, so our solution always reflects the latest technology and working environments. For more information on GDPR you can visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/