How To Comply With The New GDPR Data Protection Regulation
What is the General Data Protection Regulation (GDPR)?
The EU General Data Protection Regulation (‘GDPR’) replaces the Data Protection Directive 95/46/EC. It has been designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy.
The GDPR is due to replace the existing Data Protection Act 1995 (‘Act’), on the 25th May 2018.
The main changes to the Act are primarily regulatory, however organisations and businesses must prepare now to ensure that they comply with the GDPR. Therefore, companies must now put greater emphasis and effort into their processes, including contractual agreements when sharing data.
What are the penalties for non-compliance?
Breaches of the GDPR can incur fines of 4% of a company’s global turnover or up to 20 million Euros (whichever is greater).
This is the maximum fine that can be imposed for the most serious infringements, for example, not having sufficient customer consent to process data or violating the core of ‘Privacy by Design’ (see below) concepts. There is a tiered approach to fines. For example, a company can be fined 2% for not having their records in order, not notifying the supervising authority and data subject about a breach or not conducting impact assessment.
Who does the GDPR apply to?
The GDPR applies to both data controllers and processors who manage personal or sensitive data. A data controller is classified as a person or persons who determine the purposes for and the manner in which the data is to be processed. While a data processor is anyone who processes data on behalf of the data controller.
The GDPR also applies to all companies in the EU and also to those companies outside of the EU who process information on EU nationals. It must also be noted that companies which operate in the “Cloud” are not exempt.
Main changes to be made and what companies must do to comply
If you have over 250 employees you must have an appointed data officer.
Companies should ensure that they review their current consent procedures in order to comply with the GDPR. A company will now need to disclose why it is collecting the data, the legal basis for collecting the data and retention periods etc. This must be done in a clear language for the user to easily understand.
When looking to obtain your customers contact details you must use crystal clear terms when asking for it. Customers must be able to withdraw their consent as easily as they gave it, you can’t hold on to any details if the customer demands that it gets deleted from your accounts. At every opportunity you must also give customers the option to opt out.
In the event that the security of your data has been compromised, data processors must now inform controllers and customers within 72 hours.
Right to be informed
You must now ensure that you have transparency over the use and collection of personal data. Information should be easily accessible, written clearly and in layman’s terms, and must be free of charge. The ICO sets out here when and what information you should give individuals.
Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects. See here for more information.
Right to Rectification
If data is inaccurate or incomplete, individuals have the right for it to be rectified. You must notify any relevant third parties of such notifications. You now have one month to comply, in most cases you can not charge, and you can refuse to rectify data if it is manifestly excessive. If you do refuse you must tell the individual why you are refusing, that they have the right to complain to a supervisory authority and that they have the right to a judicial remedy. You must ensure that you do this with undue delay. See here for more information.
Right to Erasure
Individuals have the right for data to be erased and to prevent processing under specific circumstances. Although under the GDPR there are no limitations to this, if the data or processing is likely to cause an individual distress or damage, the case for the right to have the data removed will be significantly greater. See here for more information.
Right to Restrict Processing
Individuals have the right to restrict processing of personal data, companies are able to store the data but not continue to process it. You must also inform any third parties about any restriction. See here for more information.
Right to Data Portability
Individuals who are data subjects are entitled to receive information on personal data concerning them if they request it and are also entitled to transmit this information to another controller. See here for more information.
Right to Objection
Individuals can object to processing of data based on legitimate interests or performing a task in the public interest, direct marketing and processing for the purpose of scientific research/statistics. See here for more information.
Rights in relation to automated decision making and profiling
There are safeguards in place to protect individuals from any potential damaging decisions made without human intervention. However, this right does not apply to every situation, such as being authorised by law. See here for more information.
Privacy by design
Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. Privacy by design calls for the inclusion of data protection from the onset of the designing of systems, rather than an addition. More specifically – ‘The controller shall..implement appropriate technical and organisational measures..in an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects‘. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to act out the processing.
Additional points to consider
The GDPR ensures special protection concerning data on children, mainly around social networks. You should ensure that you have systems in place which verify the age of the individual and to obtain parental/guardian consent. Usually this is under the age of 16 in most countries, however its 13 in the UK.
Consent – under the GDPR this must now be easy for an individual to understand, along with being easy for the individual to withdraw from.
Further steps to ensure compliance
1) Make sure your team are completely clued up on rules and regulations of the GDPR before (25th May 2018).
2) Review and document all data processing activities and security processes within your company. This is essentially a massive audit of all the personal data your business holds. Be sure to identify the what, when, where and why, including legal processing for every bit of data you hold for your customers and clients.
3) Assess third party assets and how they manage your clients’ data also. For instance, if you sign up your clients to CRM software using their personal details, it is your responsibility to ensure that the CRM providers are also fully GDPR compliant.
Things you must not do
- Cold-contact consumers without their direct consent i.e. you can’t buy a list of consumers unless they’ve consented to be contacted by third party sites; or
- Sell your contacts list unless they’ve consented to being sold.
Please note that the above information provides a summary of the main measures which should be undertaken by companies to ensure compliance with the GDPR and is not exhaustive. Please refer to the Information Commissioner’s Office’s website for further details.
You will also find it useful to review this blog post which details how the equity crowdfunding platform Seedrs is preparing for GDPR compliance.
PayPal’s view of the GDPR.
The UK ICO’s self-assessment GDPR tools.