January 2018

A Business Owners Checklist to GDPR Compliance

You may have heard the data protection term GDPR in recent months, but what exactly is the GDPR (General Data Protection Regulation) and why does your business need to know about it? The GDPR applies in the UK from 25 May 2018. Business owners need to assess their current data protection compliance and put the necessary preparation for the GDPR in place.

The full text of the GDPR, as published in the Official Journal of the EU, is 88 pages long and contains 99 articles.

Our guide acts as a summary covering the main points of the regulation that business owners need to be aware of. It aims to help owners understand what exactly the GDPR is, how it is going to affect their business and how to avoid non-compliance with the GDPR.

 

Contents:

GDPR Explained

Current UK Laws

GDPR Guidelines

Impact of GDPR

Preparing for GDPR

Noncompliance to GDPR

Key Articles in GDPR

 

What Is The GDPR?

The GDPR, in summary, is Europe’s new framework of data protection law. It replaces the 1995 Data Protection Directive, on which the current UK law is based, and applies from 25 May 2018. In the UK, the Information Commissioner’s Office (ICO) is responsible for enforcing it.

After four years of discussion and negotiation, the GDPR was adopted by both the European Parliament and the Council in April 2016. It was published in the Official Journal of the EU in May 2016 and entered into force 20 days later, with a two-year transition period giving businesses until 25 May 2018 to prepare for the changes.

All organisations that ‘process’ personal data (any information relating to an identified or identifiable natural person) in the UK will have to comply. And yes, even after Brexit, the GDPR will still apply to UK companies.

Don’t we already have Data Protection?

Currently each EU member state has its own national law implementing the 1995 Data Protection Directive. In the UK, the Data Protection Act 1998 sets out how your personal information can be used by companies and the government.

The GDPR changes how personal data can be used, and these updates will be carried into UK law by the new Data Protection Bill published by the UK government.

The UK government says the Bill sets out a number of exemptions from the GDPR, which include added protections for journalists, scientific and historical researchers, and anti-doping agencies who handle people’s information.

Although the UK’s Bill may differ slightly from the GDPR, it’s important to note that almost everything the GDPR sets out will be covered by the UK’s Bill, so all UK companies must still work towards full compliance with the GDPR.

Elizabeth Denham, the UK’s Information Commissioner, further explained how the GDPR will affect the UK: “the GDPR is a strong law, and once we are out of Europe we will still need to be deemed adequate or essentially equivalent. For those of you who are not lawyers out there, this means there would be a legal basis for data to flow between Europe and the UK”.

Denham also goes on to explain the potential benefit of the GDPR as it provides “the opportunity to strengthen our data protection law with the express aim of inspiring public trust and confidence.”

What are the GDPR Guidelines?

The new GDPR framework aims to ‘harmonise’ data privacy laws across Europe as well as give greater protection and rights to individuals. At its core, it is designed to give citizens more rights and control over their information and personal data.

It also aims to simplify the regulatory environment for businesses, so that both citizens and businesses can fully benefit from the digital economy. Almost every aspect of modern life revolves around data: from social media companies to banks and retailers, your name, address and other information are constantly being stored by organisations.

Business owners are therefore expected to comply with the changes that are in place to protect individuals’ rights. Under the terms of the GDPR, organisations must not only ensure that personal data is gathered lawfully and under strict conditions; those who collect and manage it will also be obliged to protect it from misuse and exploitation, and to respect the rights of data subjects, or face penalties for not doing so.

  • Communication. A simple privacy policy that only outlines what data you collect and how you use it will no longer be sufficient. Your privacy notice must also explain your lawful basis for processing the data, your data retention periods, and the fact that individuals have the right to complain to the ICO if they think there is a problem with how you are handling their data.
  • Holding Information. The GDPR requires you to maintain records of your processing activities. You must also tell each recipient with whom you have shared personal data about any rectification, erasure or restriction of that data, unless this proves impossible or involves disproportionate effort, so a recipient list is something you need to keep up to date.
  • Increase of Rights for Individuals. The GDPR includes the following rights for individuals: the right to be informed; the right of access; the right to rectification; the right to erasure; the right to restrict processing; the right to data portability; the right to object; and the right not to be subject to automated decision-making, including profiling. Simply put, there is little that a data subject can’t demand to know about their data and what you are doing with it.
  • Lawful Basis. The GDPR requires that any organisation processing personal data has a lawful basis for doing so. You need to identify which of the six lawful bases (consent, contract, legal obligation, vital interests, public task or legitimate interests) applies to each purpose, state it clearly in your privacy notice, and tell the individuals whose data you hold.
  • Consent. The GDPR contains firmer rules on what counts as consent to processing an individual’s data. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (pre-ticked boxes and silence do not count). It must be as easy to withdraw as it was to give, so you need a procedure in place for handling withdrawal of consent and any amendment requests.
  • Children. For the first time, the GDPR brings in special protection for children’s data. It sets the age at which a child can give their own consent to online services at 16 (although the UK intends to lower this to 13, the minimum the GDPR allows). If a child is younger, you will need consent from a person holding ‘parental responsibility’.
  • Data Breaches. The GDPR introduces a duty on all organisations to report certain types of personal data breach to the ICO, within 72 hours of becoming aware of it where feasible, and in some cases to the affected individuals. Organisations are expected to have this procedure in place before a breach happens, not after.
  • Design & Data Protection Impact Assessments. It has always been good practice to adopt a privacy by design approach and to carry out a Privacy Impact Assessment (PIA) as part of this. The GDPR, however, makes privacy by design an express legal requirement, under the term ‘data protection by design and by default’.
  • Access to your data. As well as placing new obligations on collecting data, the GDPR is focused on giving the individuals whose data you hold more power. When someone asks a business for their data, it must provide the information within one month (extendable by a further two months for complex or numerous requests, provided you tell the individual within the first month).

Key Articles –

Articles 17, 18 & 20  Article 17 gives data subjects the right to erasure (the ‘right to be forgotten’), Article 18 the right to restrict processing and Article 20 the right to data portability. Article 22 adds the right not to be subject to decisions based solely on automated processing, including profiling.

Articles 25 & 32  Article 25 requires data protection by design and by default. Article 32 requires technical and organisational measures appropriate to the risk (it names pseudonymisation and encryption as examples) to protect personal data against accidental or unlawful loss, alteration or unauthorised disclosure.

Articles 33 & 34  Article 33 requires a personal data breach to be notified to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; it also requires every breach to be documented, whether or not it is reported. Article 34 requires the affected individuals to be told without undue delay where the breach is likely to result in a high risk to them.

Article 35  Article 35 requires a Data Protection Impact Assessment before any processing that is likely to result in a high risk to individuals, such as large-scale processing of special category data or systematic monitoring of a publicly accessible area.

Articles 37, 38 & 39  Article 37 requires a data protection officer to be appointed by public authorities, by organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and by organisations whose core activities involve large-scale processing of special category data (genetic data, health data, racial or ethnic origin, religious beliefs and so on) or criminal conviction data. Articles 38 and 39 set out the DPO’s position and tasks, including advising the organisation, monitoring compliance and acting as the contact point for the supervisory authority and data subjects.

Article 3  Article 3 extends the GDPR to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, subjecting them to the same requirements and penalties as EU-based organisations.

Article 83  Article 83 sets out the administrative fines for non-compliance, which can reach €20 million or 4% of the organisation’s total worldwide annual turnover, whichever is higher, depending on the nature of the infringement.

 

 

Will My Business Be Effected?

It’s extremely rare for a charity, business or other organisation not to need to comply with the GDPR. Almost every industry is in scope, because the GDPR covers both personal data and special category (‘sensitive’) personal data. Personal data means any information relating to an identified or identifiable person.

This can be a name, an address, an IP address, a customer reference number or any other online identifier. Special category data includes genetic and biometric data, health data, racial or ethnic origin, religious or political beliefs, trade union membership and information about a person’s sex life or sexual orientation.

These definitions are largely the same as those in current data protection law, and they apply regardless of whether the data is collected through automated processes. The GDPR is explicit that pseudonymised data (data in which names and other direct identifiers have been replaced by a key, token or code) is still personal data if the person could be re-identified, for example by combining it with the key or with other information held elsewhere. Only data that has been anonymised so that the individual can no longer be identified by anyone falls outside the law.
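The following Python example is added here to show the practical difference between the two kinds of pseudonym the point above turns on; it is not code from the original article or from Edge IT. It replaces a customer’s e-mail address with a token in two ways: a plain SHA-256 hash, which anyone can re-identify by hashing guesses from a leaked mailing list, and an HMAC under a secret key, which cannot be reversed without the key but which the controller (who holds the key) can still link back to a person. The customer records, the e-mail addresses and the keys are all constructed for the example.

```python
"""Added example (not part of the original article): why pseudonymised data
is still personal data.

Two ways of replacing a customer's e-mail address with a token:
  1. a plain SHA-256 hash: the token looks random, but anyone can re-identify
     it by hashing guesses (a leaked mailing list, a dictionary), so it is
     barely a pseudonym at all;
  2. an HMAC-SHA256 under a secret key held only by the controller: without
     the key the token cannot be linked back, but the controller still holds
     the "additional information" (the key), so for the controller the
     records remain personal data.

All customer records and keys below are constructed for this example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample customer table (hypothetical data).
CUSTOMERS: List[Dict] = [
    {"id": 1, "email": "alice@example.com", "plan": "pro"},
    {"id": 2, "email": "bob@example.com", "plan": "free"},
    {"id": 3, "email": "carol@example.com", "plan": "pro"},
]


def _normalise(email: str) -> bytes:
    """Same person, same token: trim and lower-case before hashing."""
    return email.strip().lower().encode()


def naive_pseudonymise(email: str) -> str:
    """Unkeyed hash: deterministic and computable by anyone."""
    return hashlib.sha256(_normalise(email)).hexdigest()


def keyed_pseudonymise(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key kept separately from the dataset."""
    return hmac.new(key, _normalise(email), hashlib.sha256).hexdigest()


def reidentify_by_guessing(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Attacker's view: no key, so hash each guess and compare."""
    for email in candidates:
        if naive_pseudonymise(email) == token:
            return email
    return None


def reidentify_with_key(token: str, key: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Controller's view: with the key it can recompute the token for any
    e-mail it knows and so link the token back to a person. This is why the
    key must be stored and access-controlled separately from the data."""
    for email in candidates:
        if hmac.compare_digest(keyed_pseudonymise(email, key), token):
            return email
    return None


def pseudonymise_dataset(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, int]]:
    """Replace the direct identifiers with a keyed token.

    Returns the dataset that can be handed to, say, an analytics team, plus
    the token -> customer id lookup that must stay with the key, not the data.
    """
    dataset: List[Dict] = []
    lookup: Dict[str, int] = {}
    for rec in records:
        token = keyed_pseudonymise(rec["email"], key)
        stripped = {k: v for k, v in rec.items() if k not in ("email", "id")}
        stripped["token"] = token
        dataset.append(stripped)
        lookup[token] = rec["id"]
    return dataset, lookup


def new_key() -> bytes:
    """Fresh 256-bit key; a rotated key makes tokens unlinkable across releases."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    candidates = [c["email"] for c in CUSTOMERS]

    # 1. Naive hash: an attacker with a mailing list re-identifies it directly.
    leaked = naive_pseudonymise("bob@example.com")
    print("naive token re-identified as:", reidentify_by_guessing(leaked, candidates))

    # 2. Keyed token: useless to an attacker, still linkable by the key holder.
    key = new_key()
    dataset, lookup = pseudonymise_dataset(CUSTOMERS, key)
    token = dataset[1]["token"]
    print("keyed token, attacker without key:", reidentify_by_guessing(token, candidates))
    print("keyed token, controller with key:", reidentify_with_key(token, key, candidates))
    print("same person under a rotated key matches:", keyed_pseudonymise("bob@example.com", new_key()) == token)
```

The design point is where the key lives: if the key (or the token-to-id lookup) is stored alongside the pseudonymised dataset, the dataset is effectively un-pseudonymised for anyone who obtains both, and a breach of the two together must be treated as a breach of the underlying personal data.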

Overview of Effects on Businesses

The European Commission claims that replacing the separate national laws with one set of rules, enforced for each business by a single lead supervisory authority (the ‘one-stop shop’), will make it simpler and cheaper for businesses to operate across the region. Indeed, the Commission estimates the GDPR will save €2.3 billion per year across Europe.

The Commission also says the regulation will guarantee that data protection safeguards are built into products and services from the earliest stage of development, providing ‘data protection by design’ in new products and technologies.

An important addition to the GDPR that business owners also need to be aware of is that it gives every data subject (the individual whose data you hold) the right to lodge a complaint with the supervisory authority about the organisation holding their data.

This means that anybody whose data you hold has the right to complain to the ICO about your company if they believe it has infringed the GDPR. They also have the right to compensation for any material or non-material damage caused by an infringement your company has committed.

Effectively, this makes it more important than ever to have a clear and robust privacy notice in place for every data subject, and to be able to show how you handle their data. By taking the correct steps to identify potential issues and resolve them, you can be confident that your business is complying with the GDPR. Edge IT offers a number of GDPR compliance services to assess your current compliance and advise on how to resolve any gaps so that you do not remain non-compliant.

Effects for Citizens & Their Rights

The number of data breaches and hacks in recent years has greatly increased, and the unfortunate reality for many citizens is that their private data has been compromised. Arguably the biggest and most important change the GDPR brings for citizens is that businesses have to inform the relevant supervisory authority of a personal data breach within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and must also inform the affected individuals without undue delay where the breach is likely to result in a high risk to them. A GDPR-compliant breach notification means companies will have to report the nature of the incident, the likely consequences and the measures taken to address it.

Consumers are also promised easier access to their own data and to information about how it is processed, with organisations told they must explain how they use customer information in clear and plain language. The GDPR also introduces a stronger ‘right to be forgotten’ (the right to erasure), which allows people who no longer want their data processed to have it deleted where there is no longer a lawful reason to keep it.

We love this video from ITPro, which discusses the GDPR and what it brings for businesses and citizens in more detail.

 

 

 

How can I prepare for GDPR?

Preparing for the GDPR doesn’t have to be complicated. The GDPR may seem complex, but when it is stripped down, a large number of its principles already exist in the UK’s Data Protection Act, so if you are already following that fully, you shouldn’t have a huge amount of work to do to comply with the GDPR. There are steps you can take now to get your business compliant.

The ICO explained that “you are expected to put into place comprehensive but proportionate governance measures,” and that “Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.”

  • Storing Information. Document what personal data you hold, where it came from, why you hold it and who you share it with. This record needs to be organised and clear, because it is also the basis of the records of processing activities the GDPR requires.
  • Education. Anybody processing data in your company needs to be educated about the GDPR and its implications.
  • Privacy Policy. Review your current privacy notices and put a plan in place for making any necessary changes.
  • Individuals’ Rights. Check your procedures to ensure they cover all the rights that individuals have. This includes how you would delete data, and how you would provide a copy of someone’s data electronically in a commonly used format.
  • Children. Start thinking now about whether you need systems in place to verify individuals’ ages, and assess whether parental or guardian consent is required for any data your business holds.
  • Consent. Review how you seek, record and manage consent, and whether you need to make any changes.
  • Data Breaches. Make sure you have the right procedures in place to detect, report and investigate a personal data breach, including who decides whether the ICO and the affected individuals need to be told.
  • Data Protection Officer. Designate someone in the company to take responsibility for data protection compliance. Assess how this role will sit within your organisation’s structure and whether you are required to formally designate a DPO.
  • International. If you operate in more than one EU member state (that is, you carry out cross-border processing), determine your lead data protection supervisory authority.
  • Lawful Basis. Identify your lawful basis for each type of processing you do. This is vital, because under the GDPR some individuals’ rights (for example the right to data portability and the right to object) depend on the lawful basis you rely on for holding their information.
  • Design & Data Protection Impact Assessments. Familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments, as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

Protecting your organisation against Data Breaches

Cyber security is a key component of any strategy to bring your organisation in line with the GDPR’s requirements: the regulation requires security measures appropriate to the risk, and a breach you cannot detect is one you cannot report within 72 hours. It is important to implement a cyber awareness and security strategy with the following elements:

Identify -> Protect -> Detect -> Respond -> Recover

(These are the five core functions of the NIST Cybersecurity Framework.) Most organisations will have some form of protection, but many lack the ability to detect a security breach and the skills to identify new threats. We would recommend most organisations start by planning against the threats they actually face and implementing good security practices. We have a useful guide on Email Security Best Practices which will help you get started.

Whilst not an exhaustive list, here are a few quick recommendations to get you started:

  • Protect your devices with reputable antivirus software and regular updates. Check that updates are actually being deployed and that scans are completing; an endpoint that has silently stopped updating gives no protection.
  • If you don’t currently have a firewall, look into the options. A properly configured firewall blocks unsolicited inbound connections to your network and, combined with a VPN, helps secure remote workers, protecting both your data and your customers’.
  • Your hosted email environment should be protected with multi-factor authentication (MFA). If you are on Office 365, you can enable this within your tenant, or ask your provider to do so.
  • MFA everywhere else! If your online applications (Xero, QuickBooks, Salesforce, Dropbox and so on) support MFA, and most do, roll it out. It protects you when a password is leaked or phished and is one of the strongest controls available.
  • Implement a password management tool so that staff use a different password for every system while storing them securely. Your provider should be able to recommend the right solution for you.
  • Ensure every user has their own username, password and permissions. Shared accounts make it impossible to tell who did what when you investigate a breach.
  • Use a backup system that encrypts data both in transit and at rest and keeps multiple versions, so you can restore from a known good point in time. Keep at least one copy offline or otherwise isolated from your network, so that ransomware cannot encrypt your backups along with your live data.

What If I Don’t Comply to GDPR?

By now, your organisation should be fully compliant with the GDPR; if it isn’t, you are technically breaking the law.

It’s as relevant today as it was before 25 May 2018 to bring your company up to GDPR standards. Osterman Research outlined the data technologies that organisations will spend more on specifically to address the GDPR. The sooner you address them, the less you will spend, before technology companies raise prices in response to demand.

The time and money it takes to assess your company and implement suitable measures will be well worth it compared with the cost of a compliance breach and a devastating penalty.

If your organisation doesn’t comply, that is, if it is not processing data correctly, it can be fined, and the cost will be dramatically bigger than a fine for non-compliance under the Data Protection Act 1998.

From a theoretical maximum of £500,000 that the ICO could levy under the 1998 Act (in practice, the ICO has never issued a penalty higher than £400,000), penalties will reach an upper limit of €20 million or 4% of annual global turnover, whichever is higher, for the most serious infringements, and €10 million or 2% for others such as failures in record-keeping, security or breach notification.

Fortunately, not every infringement of the GDPR will lead to fines of that size. Besides the power to impose administrative fines, a supervisory authority also has corrective powers to issue warnings, reprimands and orders (for example, to bring processing into compliance or to suspend it) before any payment is demanded.

The ICO can also require an organisation to give an undertaking to follow a course of action that will improve its compliance and avoid further action. Which of these measures is used, and the size of any fine, will depend on the nature, gravity and duration of the infringement, whether it was intentional or negligent, and the steps taken to mitigate the damage.

Monetary penalties are not the only concern business owners need to be aware of. Criminal prosecution is also possible for certain deliberate offences under the UK’s data protection law, such as unlawfully obtaining personal data.

Steve Sullivan’s analysis of the proportions of different ICO actions shows, however, that monetary penalties remain the most common sanction.

With fines rising from £160,000 in 2010 to over £3 million in 2017, it goes without saying that the ICO is becoming more vigilant and proactive at investigating and sanctioning non-compliant firms.

Assess your compliance simply with a GDPR Compliance Management system, which includes:

  • An easy-to-use portal that breaks the assessment into insightful questions
  • A full review of your assessment by a UK data protection solicitor
  • Full information security and data protection compliance assessments
  • Confidential advice from cyber security experts to help correct any failings

Save time and spot failures before it’s too late.