The General Data Protection Regulation (GDPR) is high on the agenda for many data professionals, but for some executives and users of customer data, there is a much lower level of awareness. As a result of working with businesses and public sector organisations, it is clear that there is much work to be done to ensure all those impacted by its introduction next year are in possession of all the facts.
This short paper is a primer, a basic introduction. Want to know more? Read on.
GDPR – What are you waiting for?
On 14 April 2016, the EU Parliament approved the GDPR after four years of discussion, consultation and drafting. This new legislation is considered to be a substantial advance in the protection of personal data and respect for privacy by data processors. In the UK, it will replace the Data Protection Act 1998 (DPA) and will take effect within 2 years of approval, i.e. by May 2018.
The GDPR seeks to create a more harmonised and unified data protection legal framework but for some, there is a view that Brexit may reverse the requirement for UK compliance. At present, the general view is that while this may in the short term create some confusion, the GDPR will still apply to UK organisations.
So, what’s it all about – in a nutshell…
The GDPR enhances the data protection rights of EU data subjects worldwide (that is, wherever their data may be processed, stored and used). It codifies and clarifies a data subject’s ability to gain access to, and ultimately obtain erasure of, their information (known as the right to erasure, or the right to be forgotten).
In general, organisations will need to provide easier access to personal data, with clear and easily understandable information on its processing, use and storage.
A subtle word on risk…
With risk as a continuum, the GDPR expects organisations to do more as their data processing poses an increased prospect of harm or damage. To that end it divides risk into two tiers, “risk” and “high risk.” This distinction is important because “high risk” activities carry distinct obligations. As a result, identifying the quantum of risk, and determining whether the “high risk” threshold is reached, are significant matters for consideration by management.
What are the obligations?
Organisations will be required to report data breaches to regulatory authorities within 72 hours and, in “high-risk” situations, to notify the individuals whose data may have been compromised (whether exploited or not). Remember here that all data must have proportionate levels of security driven by the level of risk that it carries. So… organisations have security obligations under the GDPR and can be in breach if they don’t take proactive steps to maintain the privacy and security of data.
A Historical Bone of Contention? – Consent
Say goodbye to implied consent and other forms of presumed or hidden acceptance of the storing and use of a stakeholder’s data. Under the GDPR, customer consent must now be explicitly obtained. Of importance here is that full disclosure will be required regarding how and where the data will be used, and this must be a fundamental part of the consent process. Woolly statements will not suffice! Customers may withdraw their consent to any of these at any time. It must be remembered that these factors will influence how to lawfully retain customer data, if there is an extended need to do so.
With the power to levy fines for a breach of the GDPR of up to 4% of total annual worldwide turnover or €20,000,000, the GDPR clearly means business.
Businesses should expect regulators to exercise their powers to examine their data usage and their physical premises to check GDPR compliance. Those businesses likely to be regarded as at least “playing ball” and entering into the spirit of the Regulation will be those carrying out data protection impact assessments, adhering to codes of conduct and proactively seeking certification through approved third-party mechanisms. Ultimately, the ICO will be looking to see that privacy by design is the order of the day.
And so, to Privacy by Design…
My advice to users and processors of data within any organisation is to raise your awareness, seek out your Data Protection Officer internally and understand the new obligations you’ll be facing, together with your organisation’s response. Remember, the order of the day will be technical and organisational measures that demonstrate compliance with the GDPR core principles, ensuring that the rights of data subjects are met and that only data necessary for the specific purpose is processed.