The General Data Protection Regulations (GDPR) is coming into force in the EU from May 2018. GDPR is about protecting the privacy of an individual’s personal data. It’s been introduced to bring different rules across EU countries into a single set and to make sure companies respect and take care of the personal data that they hold on their customers and prospects.
There are five key elements of GDPR that are most important and most relevant for you now:
1. The Fines
On paper GDPR brings fines of up to €20,000,000 or 4% of Global Turnover of a business, whichever is the higher. However, it’s going to take some significant non-compliance, intentional poor behaviour and slack attitude towards security to get hit with the highest level (plus compensation on top) but if the intent was to get companies to sit up and take notice, then it’s working.
You will need to consider GDPR for each part of your business that processes personal data and assess the risks to the individuals whose data you process. You’ll also need to consider the commercial, financial and reputational risk to your company. It doesn’t mean you must go into full lock down mode but you will need to take GDPR seriously and adopt appropriate actions.
2. The Principles
These principles underpin the GDPR legislation. In very quick summary, personal data must be:
• processed lawfully, fairly and in a transparent manner;
• collected for specified, explicit and legitimate purposes;
• adequate, relevant and limited to what is necessary;
• accurate and up to date;
• kept for no longer than necessary;
• and processed with appropriate security against access or loss.
It would be difficult to argue with the reasonableness of these principles and the challenge now lies in adopting the processes and controls to ensure that these principles are upheld.
One of the key aspects of GDPR is that it demands that companies not only comply with the rules but are able to demonstrate how they comply.
This means that you may need more policies and statements, and you will have to ensure that your senior team and staff are adequately trained. At the highest level this means undertaking Privacy Impact Assessments (specific assessment processes defined in GDPR) to determine what the risks are and what you need to do to mitigate them. It also means you’ll need to do much more record keeping and ensure your IT security and processes are up to date and appropriately strong.
4. Lawful Basis
The principles covered earlier include the requirement to ensure data is processed lawfully and this is achieved is by one of six Lawful Bases stated in the GDPR. Three cover public interest, legal necessity or vital interests of the subject but the ones relevant to most companies are consent, contractual necessity and legitimate interest.
There has been a lot of focus on “consent”, along with a lot of myth and misunderstanding. The Information Commissioners Office (ICO) in the UK have been providing much greater clarity here, confirming that GDPR Consent is not mandatory for processing data. It is just one Lawful Basis that you can rely upon. And it is potentially the most difficult to successfully achieve. The threshold for consent has been significantly raised under GDPR and there are many ways that it can be invalidated. It also confers additional rights on the individual and consequently it could lead to higher levels of fines for non-compliance than if it was not relied upon in the first place. The ICO suggest Legitimate Interest is the better option for most companies.
5. Data Breaches
This is where the key issues are going to arise and where the biggest fines are likely to be applied. The rules around reporting of data breaches (along with the requirements to take technical and organisational measures to avoid them in the first place) have been significantly raised. The new legislation demands that you must report any significant data breach to the local supervisory authority within 72 hours of first becoming aware of it. That’s a very short amount of time to assess what has occurred. Furthermore, there is a requirement to notify personal data breaches to the affected data subject without undue delay. The key is to do everything to ensure that any risk of a data breach is minimised and prepare for the event well beforehand so that you’re drilled and ready to act.
These five points provide a sound base to gain an understanding of GDPR and the practical implications. It’s worth taking the time to investigate more to ensure you’re prepared well before the enforcement date of May 25th, 2018.