by Peter Hinchliffe Director
Posted on August 10, 2017
Following many recent discussions with clients we thought it was time to provide an overview blog on the changes to data protection legislation happening in May 2018 and outline the impacts of these changes to your business.
What is GDPR?
The General Data Protection Regulation (GDPR) is a new EU regulation aimed at strengthening data protection for EU citizens and residents, both within the EU and in the wider world. Essentially it says to businesses and organisations: "If you want to offer your services or products to customers who are EU citizens, you had better make sure you look after their personal data!" The European Union's new data protection regulation is complicated, but at its core it sets out a "fundamental right" to the protection of personal data wherever that data is collected or distributed. The GDPR is a single set of rules that applies to all EU member states, with each member state designating a Supervisory Authority (SA) to oversee and ensure compliance with the legislation. SAs will work closely together because of the cross-border nature of digital data.
Does it affect my business?
Essentially, if you collect personal data (which makes you a Data Controller as defined by the GDPR) you will be required to comply with the new regulations to some degree. This includes organisations that run websites or apps, but also any organisation that uses internal databases, CRMs or even just plain old email. This part is extremely important for our clients!
Provable consent must be explicitly given to the data processor by the data subject (an individual) before their data can be processed. Additionally, the data must only be used for the purposes for which consent has been given. For example, if someone contacts you through your website with an enquiry of some kind, that does not give you permission to add them to your email marketing list. Consent must also be capable of being withdrawn by the data subject at any time.
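The three properties described above (consent must be provable, is tied to a specific purpose, and can be withdrawn at any time) map naturally onto an append-only consent ledger. The following is an added example, not code from the original post or from NXT Digital Solutions; the class and method names (ConsentLedger, grant, withdraw, may_process, evidence) and the purpose strings are this example's own assumptions. It walks through the post's scenario: an enquiry through a website does not license email marketing, and a later marketing opt-in can be withdrawn.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class ConsentRecord:
    """One consent event for one subject and one purpose (hypothetical schema)."""
    subject: str                 # who gave consent, e.g. an e-mail address
    purpose: str                 # the single purpose this consent covers
    source: str                  # evidence of how it was obtained (form, page, version)
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only ledger: records are never deleted, only marked withdrawn,
    so that the organisation can later prove what was consented to and when."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def grant(self, subject: str, purpose: str, source: str,
              when: Optional[datetime] = None) -> ConsentRecord:
        rec = ConsentRecord(subject, purpose, source,
                            when or datetime.now(timezone.utc))
        self._records.append(rec)
        return rec

    def withdraw(self, subject: str, purpose: str,
                 when: Optional[datetime] = None) -> int:
        """Mark every active consent for this subject/purpose as withdrawn.
        Returns how many records were affected (0 if nothing was active)."""
        when = when or datetime.now(timezone.utc)
        affected = 0
        for rec in self._records:
            if (rec.subject == subject and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = when
                affected += 1
        return affected

    def may_process(self, subject: str, purpose: str) -> bool:
        """The check to run before any processing: is there an active consent
        for exactly this purpose? Consent for another purpose does not count."""
        return any(r.subject == subject and r.purpose == purpose
                   and r.withdrawn_at is None for r in self._records)

    def evidence(self, subject: str, purpose: str) -> List[ConsentRecord]:
        """Full history for a subject/purpose, including withdrawn entries."""
        return [r for r in self._records
                if r.subject == subject and r.purpose == purpose]


if __name__ == "__main__":
    # Constructed scenario: a website enquiry, then a separate marketing opt-in.
    ledger = ConsentLedger()
    ledger.grant("jo@example.com", "enquiry_response", "contact-form v1")
    print("enquiry:", ledger.may_process("jo@example.com", "enquiry_response"))
    print("marketing:", ledger.may_process("jo@example.com", "email_marketing"))
    ledger.grant("jo@example.com", "email_marketing", "newsletter-checkbox v2")
    ledger.withdraw("jo@example.com", "email_marketing")
    print("marketing after withdrawal:",
          ledger.may_process("jo@example.com", "email_marketing"))
```

The design point is that the ledger never loses history: a withdrawn consent stays on record with its withdrawal time, which is what lets you answer "when did this person consent, and to what?" if a Supervisory Authority asks.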
The GDPR makes reference to something called "pseudonymisation". Put simply, this is a process that transforms data so that it can no longer be attributed to a data subject (an individual) without the use of additional information. An example of this might be storing a unique reference ID for someone rather than their name in a database. A second table of names and corresponding IDs, stored on a separate system, would then be used to join the tables together and recreate the data. In this way, if a data breach occurred and the personal data was stolen, the stolen data would not expose actual names, just the additional data.
The GDPR requires the data controller to have suitable processes defined and in place in case of a data breach. Depending on the severity of the breach, the data controller has a legal obligation to report a data breach (of identifiable or un-pseudonymised data) within 72 hours. Further information on the reporting of a data breach can be found on the Information Commissioner's Office website.
What’s the cost of doing nothing?
The Regulation mandates considerably tougher penalties than the Data Protection Act (DPA): breached organisations can expect fines of up to 4% of annual global turnover (NB turnover, not profit) or €20 million, whichever is greater.
All public authorities and any organisation that processes personal data (the data controller) on a significant scale must appoint a Data Protection Officer (DPO) responsible for monitoring internal compliance with the GDPR within the organisation. Even if you don't feel that your organisation falls into this category, we think it is a good idea to appoint a DPO for your organisation. This person can keep data protection high on the organisation's agenda and ensure that GDPR compliance is achieved and then maintained. Under the GDPR a data subject has the right to erasure of their data. This means that if an individual asks you to remove their data from your systems you have to comply. All backups, all references, everything.
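The pseudonymisation design described earlier (a working table keyed by a random reference ID, with the names held in a separate table on another system) and the right to erasure just mentioned can be demonstrated together, because erasure on such a design means removing the subject's rows and their entry in the separate identity table. The code below is an added example written for this post, not code from the original article or from NXT Digital Solutions. The IdentityVault class, the function names (pseudonymise, reidentify, erase_subject) and the sample records are this example's own assumptions; the vault is an in-memory dict standing in for the separately stored system, and e-mail address is assumed to be the stable key for a person. Backups and other copies, which the post says must also be covered, are outside what this example touches.

```python
import secrets
from typing import Dict, List, Optional

# Constructed sample records for this example; the people and values are invented.
RAW_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com",
     "postcode": "AB1 2CD", "order_total": 42.50},
    {"name": "Bob Sample", "email": "bob@example.com",
     "postcode": "EF3 4GH", "order_total": 19.99},
    {"name": "Alice Example", "email": "Alice@Example.com",
     "postcode": "AB1 2CD", "order_total": 7.25},
]

# Fields that directly identify a person; everything else stays in the working table.
IDENTIFYING_FIELDS = ("name", "email")


class IdentityVault:
    """Hypothetical stand-in for the second table of names and IDs.
    In a real deployment this lives on a separate system with tighter access
    control; here it is an in-memory dict so the example runs offline."""

    def __init__(self) -> None:
        self._by_token: Dict[str, Dict[str, str]] = {}
        self._by_email: Dict[str, str] = {}

    def token_for(self, identifiers: Dict[str, str]) -> str:
        # Assumption: e-mail (compared case-insensitively) is the stable key.
        key = identifiers["email"].lower()
        if key not in self._by_email:
            token = secrets.token_hex(8)   # random, so the ID itself reveals nothing
            self._by_token[token] = dict(identifiers)
            self._by_email[key] = token
        return self._by_email[key]

    def resolve(self, token: str) -> Optional[Dict[str, str]]:
        return self._by_token.get(token)

    def token_by_email(self, email: str) -> Optional[str]:
        return self._by_email.get(email.lower())

    def erase(self, token: str) -> bool:
        ids = self._by_token.pop(token, None)
        if ids is None:
            return False
        self._by_email.pop(ids["email"].lower(), None)
        return True


def pseudonymise(records: List[dict], vault: IdentityVault) -> List[dict]:
    """Replace direct identifiers with a vault token; returns the working table.
    The remaining fields (postcode, amounts) are still personal data: an unusual
    postcode or purchase pattern can narrow a person down, so protect this table too."""
    table = []
    for rec in records:
        identifiers = {f: rec[f] for f in IDENTIFYING_FIELDS}
        rest = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
        table.append({"subject_id": vault.token_for(identifiers), **rest})
    return table


def reidentify(pseudo_records: List[dict], vault: IdentityVault) -> List[dict]:
    """Join the working table back to the vault; only possible with vault access."""
    joined = []
    for rec in pseudo_records:
        ids = vault.resolve(rec["subject_id"])
        if ids is not None:
            joined.append({**ids, **{k: v for k, v in rec.items() if k != "subject_id"}})
    return joined


def erase_subject(email: str, pseudo_records: List[dict], vault: IdentityVault) -> int:
    """Right to erasure for the live store: drop every matching row and the
    vault entry. Returns the number of rows removed (0 if the person is unknown)."""
    token = vault.token_by_email(email)
    if token is None:
        return 0
    before = len(pseudo_records)
    pseudo_records[:] = [r for r in pseudo_records if r["subject_id"] != token]
    vault.erase(token)
    return before - len(pseudo_records)


if __name__ == "__main__":
    vault = IdentityVault()
    table = pseudonymise(RAW_RECORDS, vault)
    print("working table:", table)
    print("joined:", reidentify(table, vault))
    print("rows erased:", erase_subject("alice@example.com", table, vault))
    print("after erasure:", reidentify(table, vault))
```

Two details are worth noticing. The token comes from secrets.token_hex rather than a hash of the e-mail address, because a hash of a guessable identifier can be reversed by anyone who can enumerate candidate addresses. And once the vault entry is gone, rows that still carried the token (in a backup, say) can no longer be joined back to a name, which is helpful but does not by itself satisfy the post's "all backups, all references" standard.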
Will Brexit affect this new ruling?
Firstly, when the GDPR comes into effect the UK will still be a part of the EU, albeit one that is beginning the withdrawal process. Secondly, the UK will adopt all EU legislation immediately after Brexit. During this period, under what is currently being called The Great Repeal Bill, the EU laws will be rewritten in line with Britain's new position outside of the EU. Thirdly, unless you are planning on denying access to your services, products etc. to all EU citizens or residents, you will need to comply with the GDPR or face the consequences.
Processing Data via tools e.g. Mailchimp, Sendgrid, Pardot, Google etc.
The GDPR would call these systems third party data processors. They are processing the data controller’s data on their behalf. Most (but certainly not all) of these systems are run by US-based companies who should be going through the process of becoming GDPR-compliant at this very moment if they have not already done so. US companies should also be Privacy Shield compliant. The US Privacy Shield framework has been co-developed by the US Department of Commerce and the European Commission to provide mechanisms to protect the flow of personal data between the EU and the US. The good news is almost all of the bigger US players are Privacy Shield compliant.
Testing your compliance - what to do...
The ICO has provided a guide on this (see the PDF document).
1) Audit your existing data backups and disaster recovery strategy in accordance with the GDPR. This is a good point to start from because, for one, it demonstrates that your business is able to maintain an audit trail, which it will need to do more of once the GDPR comes into effect, and two, it will highlight any existing shortfalls.
2) After reviewing the results of your backup and disaster recovery audit, review your data processes and privacy policies; how will this need to change to remain compliant with the GDPR?
3) Begin re-writing any company documentation, especially if you do need to change your data and privacy policies. As mentioned, the aim of the GDPR is to make data handling as transparent as possible, so when re-writing, ensure this is done in as clear terms as possible to show how you seek, record and manage consent.
4) Ensure you're using compliant terminology and explain the process by which data subjects can request access to their data, or have it removed from the system, through subject access requests.
5) Designate a data protection officer to take responsibility for the whole process, and document this.
Whilst the saying "nobody likes change" may be appropriate here, it's important to remember that the GDPR is going to reshape privacy and data policies for the better. By implementing tighter reins on data control, businesses are at far less risk of incurring data breaches, minimise data loss and are able to give their customers confidence about where their personal data lives and how it's used.
Sources - this blog has been created from several blog sources and from interpreting the current ICO documentation available.