The GDPR, or General Data Protection Regulation, goes into effect May 25, 2018. Far more than just a UK or European initiative, it extends to every country of the globe, and applies to any business that keeps or maintains the personal information of European citizens. In Great Britain, the GDPR essentially replaces the Data Protection Act of 1988, providing new standards that are meant to mirror the GDPR and provide assurance of an uninterrupted flow of data with the EU. This is especially important in terms of policing and medical research, and it places the UK in a position of needing to comply in the wake of Brexit negotiations. Basically, if you are currently subject to the rules of the UK’s data protection regulation (DPA), you will also be subject to the GDPR.
What is the GDPR?
The General Data Protection Regulation has been developed to protect an individual’s personally identifiable information (PII). This includes a range of online identifiers, and has become far more detailed than it was under the DPA. Under the GDPR, IP addresses are now included as are a wide range of personal identifiers that have been expanded to account for advances in technology as well as the ways in which a company might collect personal data.
The GDPR applies to manually collected and filed information as well as digitally collected data. This could include personnel files or any file systems that are accessible under the new data protection rules. Even information that has been classified via key codes, colour codes or any other coded file system can fall within the scope of the GDPR, if it can be in any way attributed to a specific individual. The regulation itself was in response to the ease in which companies are able to collect personal information about their customers via their online activities, such as via their IP addresses, location, and information about their devices, among other things.
One of the most important requirements of the GDPR is one of accountability. In other words, how you comply with the regulations is as important as the compliance itself. Documenting every step of the data processing activity is necessary, as in the event of a breach you will need to show the actions you took to arrive at your results.
Sensitive Personal Data
Sensitive personal data includes several categories of personal information that could include genetic or biometric data used to uniquely identify an individual. There are a few exceptions, specifically information relating to criminal offences and convictions, though in this instance there are extra precautions that apply.
Who does the GDPR apply to?
The GDPR applies to any entity that either controls or processes the personal data of any EU subject, or any company that does business with any individual or company in the EU. If you are a controller of data, it means you collect data and dictate the how and the why of the data that is collected. If you are processor, you administer this personal data on the controller’s behalf.
Your company could be both controller and processor, or it could be two separate entities. Each is subject to its own set of rules. However, if you are a controller, you are still responsible for how the processor handles the data – meaning that you would be liable if that data is compromised. Knowing this, it will be more important than ever to ensure that the agreement you have with your processor complies with the regulations as set out in the guidelines.
Who is the GDPR most going to affect?
The GDPR will affect all companies who conduct business online, from retailers to direct marketers. Marketers in particular will have to pay closer attention to their accountability policies and procedures, as the GDPR sets out very specific regulations with regard to profiling and consent. The businesses most affected include those who are involved in email marketing, direct mail and mobile. As of February 2017, it is estimated that only two thirds of companies in the UK are prepared for the GDPR.
How do I comply with GDPR requirements?
One of the first things that the GDPR requires is the appointment of a data protection officer, or DPO. You might need to appoint a DPO if your company’s activities include:
- Large-scale processing and monitoring of data subjects
- Large-scale processing of data that includes sensitive demographic data (gender, religion, race, health, sexual orientation, etc.)
- Processing of personal data in relation to criminal offences and convictions
Such instances apply to any public authority, list brokers, or any operation that trades credit data, for example. If the only personal information your company processes is your own employees’ data for HR purposes, you are likely exempt.
The GDPR requires that:
- Personal data is collected and processed legally, fairly and in such a way that is transparent to the individual.
- Personal data is collected only for legitimate purposes, and not processed in such a manner that is outside the scope of those purposes.
- Personal data is collected, processed and retained only as is necessary to the purpose for which is was originally attained.
- Personal data is accurate and up to date when and if possible, and if unable to be updated as such must be corrected or erased in a timely manner.
- Personal data is retained no longer than is necessary to carry out the actions under which scope it was originally collected.
- Personal data is duly protected against security breaches, unlawful or unauthorized processing, access, loss, damage, and destruction through whatever technical or organizational means necessary.
It is further required that the controller demonstrate responsibility for and compliance with the principles as set out. There are some exceptions and extensions, mostly pertaining to archiving of personal data for statistical reasons, or reasons that are in the public interest, such as might be the case for scientific, historical or medical research.
The GDPR stipulates that any company processing personal data would need to establish a lawful basis for doing so. Under the current DPA, this is known as “conditions for processing.” What this means is that you are required to outline your reasons for processing the information and make a lawful case for it.
This could be the case if, among other reasons:
- There was a legal compliance to be met
- If you were acting under official authority
- To protect the interests and personal data of another person
- If it was necessary to a task carried out in the public interest
- If the processor is exercising an official authority
Lawful processing also requires that you document the steps you take to carry out each process, however many of these rules are not applicable to public offices or authorities.
In the scope of the GDPR, you will find references to both ‘consent’ and ‘explicit consent’, though there does not seem to be a clear differentiation between the two. What is clear, though, is that any consent must be freely given, and must represent a specific and clear-cut representation of the individual’s intentions.
What this means is that the consent given must be clear, and it must be verifiable. Lack of response or inactivity regarding the agreement does not constitute consent, and a record must be kept as to how and when the consent was granted. The individual in question will have the explicit right to withdraw their information any time they wish.
If you have already obtained consent through a transaction conducted while under the jurisdiction of the DPA, you are not required to re-obtain consent if the standard of consent meets the GDPR requirements. To assure your compliance, you should review your current consent protocols to be sure that they line up with the new guidelines.
Children’s data is more closely protected under the GDPR. For organizations who provide information, products or services targeted towards children, further care must be taken to protect their personal data:
- Privacy notices must be written in such a way that a child can understand
- Consent to process the child’s personal data must be provided by a parent or guardian
- The age of consent (so to speak) for online access as such is 16, though some member states can reduce that age to 13 in certain circumstances, but no younger
The onus of responsibility is especially important in cases where the child’s personal data is used to create an online profile or for marketing purposes. A specifically worded exception comes into play when the processing is related to counselling or protective services offered directly to the child.
An individual’s rights under the GDPR
Among the many rights set out by the General Data Protection Regulation, the following individual rights are guaranteed:
Right to be informed: These rights are generally set out through a privacy notice, which must be concise, transparent, easily understood and easily accessible.
Right of access: An individual will have the right to confirm that the data is or has been processed, and should have access to their information at any time. This includes access to any supplemental information that corresponds to the personal data, such as purchases made, services rendered or anything the person may have signed up for, like a mailing list.
Right to rectification: a person has the right to rectify personal data if it is incorrect or incomplete in any way. If you share this data with a third party, it is your responsibility to inform that party of the rectification, and you are also required to inform the individual of whom their information has been shared with.
Right to object: an individual has the right to object to the way their information is being used. This includes cases of the information being used for research or scientific purposes, but it usually applies to cases of profiling or direct marketing. If somebody exorcises their right to object, you must cease the activities in question immediately.
Right to erasure: an individual has the right to request that their information be deleted at any time, for any reason.
The right to data portability: this gives individuals the right to move, transfer, copy and reuse their personal information from one IT environment to another. This might be the case if you wanted to upload transactional information from your bank account in order to compare prices for a service or product.
Right to restrict: the individual has the right to restrict the processing of their personal information
Rights in relation to automated decision making: if an automatic action is taken on behalf of an individual without human intervention, you must respect the rights of that person to obtain human intervention, and provide an explanation of the action when requested. This particular aspect is very similar in scope to the current DPA.
Consequences of GDPR non-compliance
Any loss of data under the GDPR can result in significant fines to the company. To give you an idea of the scope of these penalties, the current maximum fine for a data breach under the DPA is £500,000. The GDPR raises this limit in excess of €20 million, or 4% of global turnover, whichever is higher. The fine is determined by the level of threat to the individual’s privacy if their data is breached, stolen, misrepresented or lost. Breach reporting is mandatory under the GDPR, and stringent reporting guidelines are outlined in the act so there is no room for a claim of ignorance. A company that is in breach may be subject to additional reporting requirements if the breach results in increased risk to the safety or freedom of the individual. The best course of action is to follow guidelines to the letter and report any data breaches as soon as is humanly possible.
EC-MSP: your GDPR compliance headquarters
If you have any questions or concerns about the GDPR and how it will affect the way you do business, call EC-MSP today. One of our data security technicians would be happy to answer any questions you might have about next steps.