With the General Data Protection Regulation (GDPR) regime coming into force in the UK from 25 May 2018, key changes will be introduced to the way personal data is handled. The question, therefore, is whether your business is prepared for the forthcoming change. It is important first to understand the requirements of the Information Commissioner's Office (ICO), which is now concerned about misinformation being shared in the media. The following outlines the key features of the change, with a view to how you can prepare.
What is GDPR and why is it necessary?
The purpose of GDPR is to reflect the importance of safeguarding individuals' personal data in the digital age. Currently, the maximum fine for a breach of data protection law is half a million, whereas, under GDPR, this will increase to a maximum of £17 million or, if higher, 4% of worldwide annual turnover. Also worth noting are the negative public implications of failing to protect personal data.
The areas to consider are:
- Those who are “controllers” and “processors” of data within your company
- The principles of data protection
- Accountability and governance
- New rights for data subjects
- Data security breaches
What is affected?
The definition of personal data is expanded under GDPR and includes a range of online identifiers, such as IP addresses, as well as sensitive personal data falling under special categories, such as genetic data and biometric data. Data relating to criminal convictions and offences is not included, although there are extra new safeguards relating to how that information is processed.
Who is affected?
GDPR will affect anyone handling personal data, from customer and employee records through to manual data, regardless of where this information is stored, be it in a filing cabinet or accessed digitally via a laptop or computer. This applies to both “controllers” and “processors”.
A controller is defined as someone who decides how and why personal data is processed. A processor acts on behalf of the controller to process the data. In a business, it may be that both roles are fulfilled by the same person.
For the processor, this means that, in order to remain compliant with GDPR, they now need to keep records of how they process personal data, and they can now be held legally responsible for breaches of security.
Principles of data protection
Personal data must be:
- Processed lawfully, fairly, and transparently
- Collected for specified, explicit, and legitimate purposes
- Adequate, relevant, and limited to what is necessary for the purpose
- Kept in an identifiable format for no longer than is necessary
- Processed securely and protected from unauthorised or unlawful processing and from accidental loss, destruction or damage.
Accountability and Governance
Companies must be able to demonstrate how the organisation is GDPR compliant and must implement the required technical and organisational measures. These include data protection policies and activities such as:
- Internal audits of processing activities
- HR policies review
- Employee training and adherence to policies
- Conducting Data Protection Impact Assessments and, in some cases, appointing a Data Protection Officer (DPO). Note that a DPO becomes a legal requirement for public authorities and for organisations carrying out large-scale processing of special categories of data.
The new rights that have been outlined for individuals cover the following points:
- The Right to be Informed – providing a privacy notice giving details of how information is being processed and controlled.
- The Right of Access – providing clients with the option to request details of how their information is being held; the company has a maximum of 30 days to deal with such a request and may charge a fee of £10.
- The Right to Rectification – such that any inaccurate data will be corrected.
- The Right to Erasure – the right to be forgotten such that the client can request data to be deleted.
- The Right to Restrict Processing – such that data can be stored but not processed.
- The Right to Data Portability – such that individuals can obtain and reuse their personal data across different services, allowing personal data to be moved, copied or transferred, provided that it is in a structured format.
- The Right to Object – such that processing of personal data must stop immediately, unless there are compelling and legitimate grounds for the processing.
- Rights in relation to automated decision making and profiling – ensuring safeguards are in place to protect against damaging decisions being taken without human intervention.
Lastly, when there is a breach of data security, the ICO must be informed within 72 hours, and all organisations must have a plan for how to cope with and resolve the situation.
Given that the requirements of GDPR are complex and offer no quick fix, don't run the risk of incurring significant penalties: please contact us for more support.