What is GDPR?
After four years of debate, the General Data Protection Regulation (GDPR) was ratified by the European Union during April 2016 and has now become law, although member states have a two-year period to implement it into national law.
This means that companies will be expected to be fully compliant from May 25th 2018.
GDPR is designed to give individuals better control over their personal data and establish one single set of data protection rules across Europe. Organisations outside the EU are subject to this regulation when they collect data concerning any EU citizen.
50% of global companies [1] say they will struggle to meet the rules set out by Europe unless they make significant changes to how they operate, and this may lead many companies to appoint a Data Protection Officer.
[1] "Preparing for the EU GDPR: What You Need To Know". Article written by James Walker, SC Media, March 4, 2016. www.scmagazineuk.com/preparing-for-the-eu-gdpr-what-you-need-to-know/article/531492/
What is a Data Protection Officer Responsible For?
The data protection officer's tasks are delineated in the regulation and include:
- Informing and advising the controller or processor and its employees of their obligations to comply with the GDPR and other data protection laws.
- Monitoring compliance including managing internal data protection activities, training data processing staff, and conducting internal audits.
- Advising with regard to data protection impact assessments when required under EU GDPR.
- Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data.
- Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.
What is Personal Data?
Personal data is defined as any information relating to an identified or identifiable natural person.
This includes online identifiers, such as IP addresses and cookies if they are capable of being linked back to the data subject.
This also includes indirect information, which might include physical, physiological, genetic, mental, economic, cultural or social identities that can be traced back to a specific individual.
There is no distinction between personal data about an individual in their private, public, or work roles – all are covered by this regulation.
Could There Be Fines and Penalties for Non-Compliance?
There will potentially be a substantial increase in fines for organisations that do not comply with this new regulation.
Penalties can be levied up to the greater of ten million euros or two percent of global gross turnover for violations of record-keeping, security, breach notification, and privacy impact assessment obligations.
These penalties may be doubled to twenty million euros or four percent of turnover for violations related to the legal justification for processing, lack of consent, data subject rights and cross-border data transfers.
What Measures Will Companies Be Expected to Implement?
Companies will be required to implement appropriate technical and organisational measures in relation to the nature, scope, context and purposes of their handling and processing of personal data. Data protection safeguards must be designed into products and services from the earliest stages of development.
These safeguards must be appropriate to the degree of risk associated with the data held and might include:
- Pseudonymisation and / or encryption of personal data,
- Ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems,
- Restoring the availability and access to data in a timely manner following a physical or technical incident,
- Introducing a process for regularly testing, assessing, and evaluating the effectiveness of these systems.
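The first measure in that list, pseudonymisation, is the one most often misunderstood: replacing names with a plain hash is not enough, because anyone with a list of likely e-mail addresses can recompute the hashes. The following Python example is added here to illustrate the idea; it is not from the original page or from Olas. It uses a keyed hash (HMAC-SHA256) so that the tokens cannot be recomputed without a key held by a separate custodian, keeps the token-to-identity table apart from the working dataset, and shows how the same token supports a right-to-erasure request. The record fields and the sample people are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people): direct identifiers plus
# the attributes an analyst actually needs.
SAMPLE_RECORDS = [
    {"name": "Ann Example", "email": "ann@example.test", "city": "Dublin", "purchases": 3},
    {"name": "Bob Example", "email": "bob@example.test", "city": "Cork", "purchases": 1},
    {"name": "Ann Example", "email": "ann@example.test", "city": "Dublin", "purchases": 2},
]

# Fields that identify a person directly and must not leave the controller.
DIRECT_IDENTIFIERS = ("name", "email")


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed hash of a normalised identifier.

    Without `key` the token can be neither reversed nor recomputed, which is
    what distinguishes this from an unkeyed hash that could be brute-forced
    from a list of candidate e-mail addresses."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Return (pseudonymised copies, re-identification table).

    The copies carry a `subject_id` token instead of name/email and can be
    handed to analytics or support staff. The table mapping token -> identity
    is the 'additional information' that must be kept separately, under its
    own technical and organisational safeguards."""
    pseudonymised = []
    lookup = {}
    for rec in records:
        token = make_pseudonym(rec["email"], key)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_id"] = token
        pseudonymised.append(stripped)
    return pseudonymised, lookup


def contains_direct_identifiers(records) -> bool:
    """Release check: True if any direct identifier field is still present."""
    return any(k in rec for rec in records for k in DIRECT_IDENTIFIERS)


def erase_subject(pseudonymised, lookup, email: str, key: bytes):
    """Right-to-erasure helper: drop the lookup entry and every working record
    for one subject, addressed by the same keyed token. Mutates `lookup`."""
    token = make_pseudonym(email, key)
    lookup.pop(token, None)
    return [r for r in pseudonymised if r["subject_id"] != token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the key custodian, not with the data
    data, table = pseudonymise_records(SAMPLE_RECORDS, key)
    print(data)
    print("direct identifiers present:", contains_direct_identifiers(data))
```

Because the token is deterministic for a given key, the two records for the same person still link together for analysis, while a different key (for example, one per downstream recipient) yields unrelated tokens, so two recipients cannot join their datasets on the identifier.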
What is Consent?
A key part of the regulation requires consent to be given by the individual whose data is held. Consent means "any freely-given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed".
Organisations will need to be able to show how and when consent was obtained. This consent does not need to be explicitly given; it can be implied from his or her relationship with the company. However, the data obtained must be for specific, explicit and legitimate purposes.
Individuals must be able to withdraw consent at any time and have a right to be forgotten: if the data is no longer required for the purposes for which it was collected, it must be erased.
What Must Companies Tell Individuals About Their Data?
When companies obtain data from an individual, some of the areas that must be made clear to the data subject are:
- The identity and contact details of the organisation behind the data request,
- The purpose of acquiring the data and how it will be used,
- Whether the data will be transferred internationally,
- The period for which the data will be stored,
- The individual’s right to access, rectify or erase the data,
- The individual’s right to withdraw consent at any time,
- The individual’s right to lodge a complaint.
What Rights Do the Individuals Have Concerning Their Data?
The regulation demands that individuals have full access to information on how their data is processed, and this information must be available in a clear and understandable way.
Individuals can make requests, and these must be executed “without undue delay and at the latest within one month of receipt of the request”.
Where requests to access data are manifestly unfounded or excessive then small and medium sized enterprises will be able to charge a fee for providing access.
What about Breaches of Security?
Companies must report breaches of security “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.
In the event of a personal data breach, companies must notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it”, if the breach is likely to “result in a risk for the rights and freedoms of individuals”.
What Steps Should You Take Now?
The Irish Data Commissioner's Office issued a pamphlet entitled "The GDPR and You" which contained 12 steps that you should take now. These steps are summarised below:
- Ensure key departments are aware that the law is changing, and to anticipate the impact of GDPR.
- Document what personal data is held, where it came from and with whom it is shared.
- Review current privacy notices and make any necessary changes.
- Review procedures to address the new rights that individuals will have.
- Plan how to handle requests within the new time frames and provide the required information.
- Identify and document the legal basis for each type of data processing activity.
- Review how consent is sought, obtained and recorded.
- Consider now whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.
- Make sure procedures are in place to detect, report and investigate data breaches.
- Familiarise yourself now with the ICO's code of practice on Privacy Impact Assessments as well as the latest guidance available.
- Designate a Data Protection Officer to take responsibility for data protection compliance.
- If your organisation operates in more than one EU member state, determine the lead data protection supervisory authority now.
Where Should You Go For Help?
Olas Software Training & Development offers a comprehensive approach to preparing for GDPR compliance.
Please contact us on: 01-2790020 or at: firstname.lastname@example.org for more information.
Start your GDPR Journey with Olas Today!