How to prepare for GDPR in 2018
The growing digital economy is impacting how businesses operate. There are also increasing concerns about current data protection laws, rights and privacy for both consumers and companies. As a result, the latest GDPR changes are set to lay the foundations for the long-term future of data handling in the UK.
GDPR: Basics and background
The General Data Protection Regulation (GDPR) is the new data protection law. It will come into force in the UK on 25th May 2018.
The government has confirmed that all organisations that handle personal data will need to comply with the GDPR and that Brexit will have no impact on the adoption of the new regulation.
To date, businesses have operated in accordance with the existing UK Data Protection Act 1998 (DPA) and have taken guidance from the Information Commissioner’s Office (ICO); the DPA requires every organisation that processes personal data to register with the ICO. With the GDPR implementation date approaching, the EU’s Working Group Article 29 is providing guidelines relating to data protection, including data breach notifications.
As business networking and magazine articles delve into the new legislation, this New Year we’ve put together a handy bitesize guide that tells you all you need to know about the new legal framework.
A recent Data IQ research report in association with Experian revealed that 7 out of 10 organisations are either currently reviewing their privacy policies or have already done so.
So what do we need to know?
What data does the GDPR cover?
Under the GDPR, data collection must exist for a specific purpose, and can only occur when it falls under any of the below reasons:
- There is consent — this must be freely given, specific, informed and unambiguous;
- It is legitimate — the data is required to fulfil contracts or activity;
- It is a legal requirement — the data is required to comply with certain legislation.
Similar to the DPA, the GDPR covers ‘personal data’, but the definition is more comprehensive under the GDPR. For example, it states that an online identifier, such as an IP address, can be considered personal data.
This typically includes:
- Basic identity information such as name, address, date of birth and ID numbers (the list is not limited to these)
- Web data such as location, IP address and cookie data
Marketing lists, contact details and HR records largely consist of this type of information. The GDPR applies to both automated information and manual filing systems where data is made available based on specific criteria. Because the GDPR definition is wider than the DPA’s, a chronologically-ordered set of manual data that contains personal information may also fall under this definition.
Pseudonymised data (for example, key-coded data) may also fall within scope, depending on how difficult it is to link the pseudonym to a particular person.
Sensitive personal data
There are minor changes between the DPA and GDPR. Under the GDPR, for example, these special sensitive personal data categories include genetic data and biometric data, where companies use this to identify a specific individual (Article 9).
Personal data relating to criminal convictions and offences is excluded from the special categories, but a variety of measures govern its processing (Article 10). The sensitive category also covers health, political opinions and financial information.
Under the GDPR, full restrictions apply to several categories of data, so companies must obtain explicit consent before gathering it. This includes data relating to:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
Processor and controller roles
The GDPR will apply to both ‘controllers’ and ‘processors’. The controller determines how and why personal data is processed, while the processor acts on the controller’s behalf.
The GDPR places specific legal obligations on both. A processor, for example, must keep records of personal data and processing activities, and will have greater liability if a breach occurs. This is a new requirement.
As a controller, you will also have significantly more obligations to confirm that the processors you use comply with the GDPR.
The ICO has produced a 12-step plan to inform businesses about the changes under the new regulation and best practices to meet compliance standards.
1. Inform main decision makers
Awareness is key. Start by reviewing your organisation’s risk register to assess the resource implications.
2. Assess all information
Run an audit of the personal data that you store. Consider and record where it came from and who has (or has had) access to it.
Companies must record and maintain information on activities and processing. While this will be a big shift initially, it will help keep data organised and contribute positively to the marketing arm of the business over the long-term.
3. Privacy information
Look at your current privacy notices and make updates where necessary so that these comply with the new legislation.
Along with providing specific information such as your identity and how you propose to use individuals’ details, additional measures will come into play requiring you to explain the lawful basis for processing data, data retention periods and individuals’ right to privacy.
4. Individuals’ rights
Under the GDPR, individuals have clear rights. These are:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object; and
- the right not to be subject to automated decision-making including profiling.
These are similar to those that already exist under the DPA, albeit with some considerable enrichments, so the transition should be a swift and simple one. The right of data portability, right to erasure and right to cease profiling are all new, however.
Company procedures should cover how you plan to delete personal data if required. They must also cover the electronic delivery of information, bearing in mind the format. Ultimately, companies need to work out who will govern and make decisions on all data-related aspects.
5. Subject access requests
You must be aware of, and prepare for, questions and requests about how you handle customer and consumer data. This will give your existing and potential customers assurance and peace of mind.
How this has changed
The time given to comply has been reduced from 40 days to a month, and in the majority of cases it will not be possible to charge for complying with a request.
6. Lawful basis for processing personal data
Identify. Document. Update. The ICO recommends this process when it comes to managing the lawful basis for your processing activity.
At present, the lawful basis on which a business processes personal data has few practical implications, but this changes once the GDPR applies.
7. Consent
So how do you tackle consent in the run-up to 25th May 2018? For businesses, it’s about reviewing current processes for how you gather, record and then look after this consent. For many, it will be a case of updating existing consents now if they do not meet this standard.
The main takeaways are:
- Consent must be freely given, specific, informed and unambiguous.
- A positive opt-in must take place – consent cannot be inferred from silence, pre-ticked boxes or inactivity. This means that simply allowing your recipient to unsubscribe from marketing lists, for example, will not be allowed. Instead, they will need to manually accept your offer to communicate with them.
- This opt-in must be separate from other terms and conditions.
- It must be simple for people to withdraw consent.
As businesses are getting their 2018 processes, systems and strategies up and running, it’s important now, well ahead of May, to update your approach to consent to ensure it is compliant with GDPR, or find other ways to receive consent.
8. Children
The GDPR will introduce special protection for children’s personal data, especially in reference to commercial internet services such as social media websites.
If this is applicable, consider how you can verify individuals’ ages and obtain consent from parents or guardians.
9. Data Breaches
You will need to have suitable processes in place to detect, report and investigate a personal data breach. In certain circumstances, under the new rules, businesses must report a breach to the ICO; these are largely the cases where the breach risks jeopardising an individual’s rights or freedoms.
10. Data Protection
Privacy by design will become an express legal requirement, under the term ‘data protection by design and by default’. ‘Data Protection Impact Assessments’ (DPIAs) will be obligatory in some situations, particularly where processing activities are likely to result in a high risk to individuals.
Even if this does not appear to apply to you, it is crucial that businesses consider when a DPIA would be necessary, who would manage it and where it would take place.
11. Data Protection Officers
Some businesses are formally required to take on a Data Protection Officer (DPO).
For those with more than 250 employees, businesses must have information on data collection and processing, its retention period and the technical security measures that are in place.
For SMEs, it’s about building awareness and protection into daily data handling. Consequently, companies need to have clear and compliant processes that gather, handle and store data in an appropriate, secure and timely fashion.
12. International
If your business operates in more than one EU member state, it must identify its lead data protection supervisory authority, i.e. the authority in the member state where its central administration is located, and document this information.
What are the fines?
The penalties are significantly tougher than under the DPA: organisations in breach of the GDPR are liable to pay up to 4% of annual global turnover or €20 million, whichever sum is greater. Fines can be issued for failing to demonstrate compliance, so they can be levied even when something has not necessarily gone wrong.
Let’s not panic
Elizabeth Denham, the UK’s information commissioner, who is responsible for data protection enforcement, has highlighted the “scaremongering” taking place about the possible repercussions for companies. “The GDPR is a step change for data protection,” she stated. “It’s still an evolution, not a revolution”.
The EU’s GDPR website says the legislation aims to “harmonise” data privacy laws. Therefore, it may be best to interpret it as short-term pain for long-term positive, accurate and protective gain.
Visit here for more information on how to prepare your data processes and the ICO’s recommendations in the run-up to the implementation of GDPR.
Contact us for trusted IT solutions and consultancy that will keep you heading towards your business goals throughout GDPR. We provide tailored advice on how to handle GDPR in your business.