- Simon Fraser
If you are a business owner, work in IT or handle customer or employee data there is a massive shake-up to data protection laws that you need to be aware of or risk unprecedented fines.
For private individuals, this means increased rights and power over our personal data.
The General Data Protection Regulation (GDPR) is a European legislation coming into effect 25th May 2018 that governs how businesses gather, process and share personal data of European citizens. The legislation is intended to bring data protection rules up-to-date with the large strides in technology and the drastically different ways businesses leverage data, compared to 20 years ago (1998 UK Data Protection Act [DPA]). It is designed to provide individuals more control over their personal data, and create a set of unified rules with which organisations must comply or face hefty fines.
Companies now have under a year to get ready for the GDPR, or risk fines of 4% of their global turnover of the preceding financial year or €20 million – whichever is greater.
These figures dwarf previous fines for security breaches (https://ico.org.uk/action-weve-taken/enforcement/ ); the largest fine from the ICO to date has been £400,000 (TalkTalk 2016 https://ico.org.uk/action-weve-taken/enforcement/talktalk-telecom-group-plc-mpn/ , Keurboom 2017 https://ico.org.uk/action-weve-taken/enforcement/keurboom-communications-ltd/ ).
Depending on the extent of the breach and whether an organisation is found to have appropriate security measures in place, then GDPR fines may be limited 2% of the global turnover of the preceding financial year or 10million EUR – whichever is greater. However, the severity of these fines means it is no longer competitive to be noncompliant.
GDPR will not only have a significant effect on companies registered within the EU, but any company which handles the data of European citizens. Despite the UK’s decision to exit the EU and subsequent triggering of Article 50 at the end of March this year, the UK will not have finalised the exit by May 2018 and as such these proceeding will not affect the commencement of GDPR.
In data protection law, there are data “controllers” and data “processors”. The former are those who decide how and to what end personal data is collected and processed; whilst the latter acts on the controllers behalf as part of their supply chain or partners. GDPR introduces new requirements and liability to the data controllers.
Data controllers are now required to keep records of all personal data and processing activities whilst offering the customer certain rights over that data. The legislation has broadened the definition of personal data to be more intuitive and now encompasses any information that could be used to identify you.
Crucially, the liability has shifted up stream such that the controller is not relieved of their obligations when it is the processor handling the data. This means 3rd party liability is a concern when it comes to supply chain partners processing data.
GDPR as well as broadening the liability of companies, has it made mandatory that an organisation notify authorities and those private individuals affected within 72 hours of discovering a security breach.
Whilst the legislation may wield a bigger stick there are business benefits to processing data properly and putting the individual first. There is also an opportunity to provide better service within the compulsion for businesses to update their data processing.
The Regulation not only brings governance and compliance issues for business but also increase the data privacy rights of EU citizens. This provides substantial protection of the individual against organisations wrongly using their personal data. One of best things to come out of the regulation for individuals is the requirement for companies to state clearly their terms and conditions. No longer will customers be forced to pretend that they have read 75 pages of T&C’s instead companies will be compelled to express their terms clearly in one page without “legalese”.
Individuals’ Rights over their own data include: the right to be informed – you are entitled to fair processing information concerning how your personal data is used; right of access – you are entitled to confirmation that your data is being processed and access to that data and any supplementary information; right to rectification – you are entitled to have personal data rectified if inaccurate or incomplete; right to erasure – colloquially the “right to be forgotten”, you can request deletion of personal data when there is no compelling reason for its continued processing; right to restrict processing – you may block or suppress processing of your data; right to data portability – you may obtain and reuse your data for your own purposes across different service providers (so you can change banks and ask your current bank to transfer all personal data to the new one); right to object – you are able to contest processing that is based on legitimate interests e.g. performing a task in the public interest and all these are replicated for automated processing.
Business owners and leaders need to take responsibility to work out exactly what data they collect and who processes it. Ignorance is no excuse when it comes to these fines so executives need to do their homework and realise that the GDPR will affect every aspect of every business. Organisations need a comprehensive data policy that documents how they handle data, especially when dealing with partners or their supply chain. Some organisations, if large enough, will have to recruit or source a Data Protection Officer to handle the process.
Information security is already a business necessity, this legislation will demand tighter controls and policies, including educating your staff and raising awareness of threats across your organisation. Becoming compliant with this new legislation is a process that can take many months, and businesses can’t afford to waste any more time in implementing the necessary changes.
Start getting ready today.