Everything you wanted to know about GDPR, but were afraid to ask
What is GDPR?
The General Data Protection Regulation (GDPR) is the EU's new data protection law, which applies from 25th May 2018. It requires organisations to protect the personal data and privacy of individuals in the EU, wherever the organisation itself is based.
In practice, it means tougher fines for non-compliance and breaches, more control for individuals over what a company does with their data, and a single set of data protection rules across the whole EU.
You may have some work to do to ensure that your data handling is secure and compliant before the GDPR deadline. It's vital that you comply with the legislation; otherwise, you may be fined.
If you run a business, or in fact hold any personal data on anyone in the EU, then the GDPR applies to you. Here's everything you need to know to prepare for 2018.
Why is it changing?
Europe's previous 1995 Data Protection Directive was no longer sufficient, as the amount of digital information we create, capture and store has increased dramatically. In addition, a directive has to be transposed into national law, so each country wrote its own data protection act, and none of them matched exactly.
So, after years of discussions the GDPR was born.
A regulation is directly applicable law in every member state, not a set of minimum requirements to be implemented nationally (which is what the Data Protection Directive was). So there is now one high standard across all 28 EU countries. Meeting and administering these requirements will take some investment.
With this transition comes a new standard of rights for individuals over their data. The Regulation requires businesses to protect the data and privacy of individuals in the EU, and places more responsibility on both data controllers (who decide why and how personal data is processed) and data processors (who process it on a controller's behalf).
It also regulates the transfer of personal data outside the EU.
In 2016, companies in the UK lost more than £1billion to cybercrime. Major data breaches have given criminals access to names, birthdates and addresses and even social security and pension information. So, the GDPR is set to offer greater protection.
Who will be affected?
The GDPR will affect every business and public body that processes the personal data of EU residents, including:
- Every employer in the EU.
- All businesses that offer goods or services to individuals in the EU or that monitor their behaviour, including companies that don’t actually have a presence in the EU (meaning that the GDPR will have extraterritorial effect).
- All businesses that process the personal data of EU individuals on behalf of other businesses (that is, data processors).
It is highly likely that you will be affected by the change. How aware are you?
Many of the GDPR's main concepts are the same as those in the current Data Protection Act 1998. This means that if you are already complying with current law, you have the foundations for an easy transition.
However, the new legislation brings a few big changes which you need to consider carefully. We've set out what they are:
The conditions for consent have been strengthened.
The request for consent must be presented in a clear, intelligible and easily accessible form, in plain language, stating the purpose of the processing. Consent must be a clear affirmative action, so pre-ticked boxes and silence do not count, and it must be as easy to withdraw as it was to give. This is the change which will have the most effect on SMEs.
There will be strict and hefty fines for any company which doesn’t comply.
Under Article 83(5) of the Regulation, the most serious infringements attract the highest tier of fine.
The highest fine, of up to €20,000,000 or, in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, applies to breaches of:
- The basic principles for processing including conditions for consent
- Data subjects’ rights
- International transfer restrictions
- Any obligations imposed by Member State law for special cases such as processing employee data
- Certain orders of a supervisory authority
The lower fine, of up to €10,000,000 or, in the case of an undertaking, up to 2% of total worldwide annual turnover of the preceding financial year, whichever is higher, applies to breaches of:
- Obligations of controllers and processors, including security of processing and data breach notification obligations
- Obligations of certification bodies
- Obligations of a monitoring body
Direct liability for data processors.
Organisations that process personal data on behalf of other companies while providing a service (cloud providers, for example) will be directly liable for their own breaches of the GDPR, and may only process that data on the controller's documented instructions.
Data breach reporting.
Data controllers must notify the relevant supervisory authority (in the UK, the ICO) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a 'high risk' to those rights and freedoms, the affected individuals must also be told without undue delay. Processors must notify their controller without undue delay after becoming aware of a breach, so the 72-hour clock makes detection and escalation procedures essential.
New and expanded individual rights.
Individuals have the 'right to be forgotten' (the right to erasure), so their data must be deleted on request where there is no longer a lawful basis for keeping it. They also have expanded rights to object to processing, including an absolute right to object to direct marketing, which could seriously affect businesses that rely on profiling and analytics.
Limitations on profiling.
Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on them, unless an exception applies, such as their explicit consent or the decision being necessary for a contract with them. Any profiling must also be disclosed in your privacy notice.
Appointment of Data Protection Officers.
If your organisation is a public authority, or its core activities require regular and systematic monitoring of individuals on a large scale, or consist of large-scale processing of special category data (such as health data) or data relating to criminal convictions and offences, then you must appoint a Data Protection Officer with expert knowledge of data protection law and practice.
Mandatory data mapping and documentation requirements.
Controllers and processors will have to prepare and maintain comprehensive records of their processing activities (Article 30), including the purposes of the processing, the categories of data and recipients, any international transfers, retention periods and a description of the security measures in place.
Data protection impact assessments.
A data protection impact assessment will be compulsory before any processing likely to result in a 'high risk' to individuals, including large-scale profiling or use of special category data such as health records. If the assessment finds a high risk that cannot be mitigated, you must consult the supervisory authority before the processing starts.
Transfers outside of the EU.
Companies need to confirm that their international transfers of employee and customer data rely on one of the transfer mechanisms recognised by the Regulation, for example an adequacy decision by the European Commission, EU Standard Contractual Clauses or Binding Corporate Rules.
How will businesses be affected?
Ultimately, the GDPR will require many businesses to change the way they collect, process, securely store, share and delete personal data.
Contracts, particularly those with data processors, may have to be renegotiated to include the terms the GDPR now requires.
Insurance arrangements will also need to be reviewed, with cyber and data protection exposure added to existing policies or covered by a stand-alone policy where possible.
What about Brexit?
Brexit will not remove the effect of the GDPR on the UK. Withdrawal from the EU will not happen before the Regulation applies in May 2018, so the rules will apply to UK organisations in full.
Even after Brexit, organisations outside the EU still have to comply with the GDPR when they offer goods or services to, or monitor the behaviour of, individuals in the EU, and the UK government has said it will keep the GDPR's rules in domestic law.
You should be considering the impact of GDPR irrespective of Brexit.
How to prepare
There is no reason why the new legislation should catch you out if you prepare properly. Here's a checklist of things to do before the transition:
- Make everyone in the company aware of the changes
- Document all the data you hold, where it came from and who you share it with
- Review any of your privacy notices
- Have procedures in place to detect, report and investigate personal data breaches, so that you can meet the 72-hour notification deadline
- Decide who is responsible for data protection in your organisation, and whether you must appoint a Data Protection Officer
- Check how data flows across borders, both within the EU and outside it
- Prepare for data subjects to employ their extended rights (e.g. their ‘right to be forgotten’)
- Check if your organisation carries out cross-border processing
Are you GDPR compliant? It may feel a little overwhelming, but if you swot up and do everything that you can to comply with the Regulation, then you shouldn't have any problems.
NOTE: Please remember that we are not solicitors, nor have we noted every single aspect of the Regulation. We take no responsibility for any non-compliance.