Andy Ward, director at bluesource, explains the key GDPR facts that all businesses must be aware of
General Data Protection Regulation (GDPR) will apply uniformly in all EU member states, with the official compliance date being 25th May 2018. GDPR will affect any business, UK or otherwise, that collects or retains personally identifiable data from any individual in Europe. Brexit cannot be used as an excuse either, as UK companies will still need to comply when dealing with countries in the EU.
Non-compliance could see organisations face fines of up to €20 million or 4 per cent of global annual turnover – whichever is higher. The increased financial impact of fines, and the expected frequency of their enforcement, should be a major concern, as failing to understand the facts about GDPR will prove costly. Our research across UK organisations indicates that there is still a gap between GDPR awareness and action. I have therefore highlighted below the areas that businesses should be aware of, so that they can start to prepare now and achieve successful outcomes.
GDPR applies to all
If an organisation processes the personal data of an EU citizen, whether consumer or business related, GDPR applies – wherever the organisation operates. So, in effect, although this is an EU initiative, it has global implications – regardless of Brexit.
Liability for all organisations that touch personal data
Responsibility will no longer only rest with the data controller of the initiating organisation, but will also apply to any organisation that uses personal data provided to them. This rule will even cover aspects such as data minimisation and deletion.
Mandatory appointment of a Data Protection Officer (DPO) for certain organisations
A DPO must be appointed by public bodies, and by certain other entities, where large-scale data processing takes place. The criterion is the quantity of data being processed – not an organisation’s size. The DPO will have to ensure that personal data processes, systems and storage not only conform to the law, but can also be evidenced to do so.
Widening definition of personal data
Once the 25 May 2018 deadline has passed, any data used to identify an individual will be considered to be ‘personal data’. This will include business contact information, as well as genetic, mental, cultural, economic and social information.
Tightening up on how ‘valid consent’ is obtained
This is likely to become a major headache for organisations, as they will need to be very clear about how an individual’s information is going to be used – before consent is given. They will also need to communicate how it will be processed. Consent will need to be clearly obtained, rather than assumed because someone has not ticked a box to opt out, as is currently often the case.
Introduction of Privacy Impact Assessments (PIAs)
For areas where there is a real threat of a privacy breach, data controllers will have to conduct a PIA to alleviate the knock-on risk to individuals. Projects involving personal data will require the PIA to be carried out in advance, and the DPO will then need to ensure compliance continues throughout the project.
Harmonisation of data breach notification
GDPR demands that the local data protection authority be notified of a data breach within 72 hours of its discovery – so the burden no longer ends at ‘discovery’. Organisations will also have to have the processes – and technology – in place to detect breaches in the first place. This means greater investment in both systems changes and staff training.
Introducing the right to be forgotten
Organisations won’t be allowed to hold or retain data for any longer than is necessary. Changing how data is used from what was originally agreed at the time of collection is also not permitted. If data is used for a new project, fresh consent will have to be obtained. The ‘right to be forgotten’ also enables an individual to request that their data is deleted in full – and this must be carried out.
GDPR compliance must be included by design – in all software, systems, and processes
This can be construed as meaning that all software, for example, must facilitate the complete deletion of personal data – and this must be a key part of the design.
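As an added illustration of what “by design” can look like in code (this is example code written for this page, not bluesource’s or any product’s implementation), the following Python module models a small personal-data store whose API enforces the points raised above: consent must be an affirmative act for a named purpose, data cannot be used for a new purpose without fresh consent, records past a retention limit are flagged, and erasure removes every record linked to an individual across all tables and can be verified afterwards. The class, method and field names, the two tables and the sample subject are all hypothetical, and the data is constructed.

```python
"""Constructed example: a personal-data store that builds GDPR rules into its API."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


class ConsentError(Exception):
    """Raised when personal data would be collected or used without valid consent."""


@dataclass
class Consent:
    purpose: str        # the specific use the individual agreed to
    given_at: datetime  # when the affirmative opt-in was recorded


class PersonalDataStore:
    """In-memory store (hypothetical design) whose methods make the rules hard to bypass."""

    def __init__(self, retention: timedelta) -> None:
        self.retention = retention
        self.consents: dict[str, list[Consent]] = {}
        # Personal data usually spans several tables; erasure must cover all of them.
        self.tables: dict[str, dict[str, dict]] = {"contacts": {}, "orders": {}}
        self.audit: list[str] = []  # identifiers and timestamps only, no personal data

    def record_consent(self, subject_id: str, purpose: str, explicit: bool, now: datetime) -> None:
        # A default or pre-ticked box is not consent: only an affirmative act is accepted.
        if not explicit:
            raise ConsentError("consent must be an affirmative act, not a default")
        self.consents.setdefault(subject_id, []).append(Consent(purpose, now))

    def _require_consent(self, subject_id: str, purpose: str, now: datetime) -> None:
        given = self.consents.get(subject_id, [])
        if not any(c.purpose == purpose and c.given_at <= now for c in given):
            raise ConsentError(f"no consent from {subject_id} for purpose {purpose!r}")

    def store(self, table: str, subject_id: str, purpose: str, data: dict, now: datetime) -> None:
        """Collect data only once consent for the stated purpose exists."""
        self._require_consent(subject_id, purpose, now)
        self.tables[table][subject_id] = {"purpose": purpose, "stored_at": now, **data}

    def use(self, table: str, subject_id: str, purpose: str, now: datetime) -> dict:
        """Purpose limitation: reuse for a new purpose needs fresh consent for that purpose."""
        self._require_consent(subject_id, purpose, now)
        return self.tables[table][subject_id]

    def expired(self, now: datetime) -> list[tuple[str, str]]:
        """Retention limit: records held longer than the retention period must be removed."""
        return sorted(
            (table, sid)
            for table, rows in self.tables.items()
            for sid, row in rows.items()
            if now - row["stored_at"] > self.retention
        )

    def erase(self, subject_id: str, now: datetime) -> int:
        """Right to be forgotten: delete every record linked to the subject, in every table."""
        removed = sum(1 for rows in self.tables.values() if rows.pop(subject_id, None) is not None)
        self.consents.pop(subject_id, None)
        self.audit.append(f"{now.isoformat()} erased subject {subject_id}: {removed} records")
        return removed

    def references(self, subject_id: str) -> list[str]:
        """Verification after erasure: which stores still hold anything for this subject."""
        held = [name for name, rows in self.tables.items() if subject_id in rows]
        if subject_id in self.consents:
            held.append("consents")
        return held


def demo() -> dict:
    """Walk through collection, a blocked reuse, fresh consent, retention and erasure."""
    store = PersonalDataStore(retention=timedelta(days=30))
    day0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    out: dict = {}
    try:
        store.record_consent("subj-1", "newsletter", explicit=False, now=day0)
    except ConsentError:
        out["default_rejected"] = True
    store.record_consent("subj-1", "order_fulfilment", explicit=True, now=day0)
    store.store("contacts", "subj-1", "order_fulfilment", {"email": "subj-1@example.invalid"}, day0)
    store.store("orders", "subj-1", "order_fulfilment", {"item": "widget"}, day0)
    try:  # data collected for fulfilment may not be reused for marketing without new consent
        store.use("contacts", "subj-1", "marketing", day0)
    except ConsentError:
        out["reuse_blocked"] = True
    day1 = day0 + timedelta(days=1)
    store.record_consent("subj-1", "marketing", explicit=True, now=day1)
    out["reuse_after_consent"] = store.use("contacts", "subj-1", "marketing", day1)["email"]
    out["expired_after_31_days"] = store.expired(day0 + timedelta(days=31))
    out["erased"] = store.erase("subj-1", day0 + timedelta(days=2))
    out["still_referenced"] = store.references("subj-1")
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that the store offers no way to read or write personal data without naming a purpose, so purpose limitation is enforced at the API rather than left to each caller, and `references` gives the evidence of complete deletion that a DPO can point to.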
There will only be a single supervisory authority
Under GDPR, each EU state will have its own authority, but all must provide exactly the same advice and messages. This consistency will hopefully make it simpler for businesses to deal with queries regarding operations in different locations. However, any European data protection authority will be empowered to take action against an organisation – regardless of where the organisation is located.