The General Data Protection Regulation (GDPR) protects the personal data of EU citizens. If your company handles the personal data of EU citizens, regardless of where you are based in the world, you’ll need to take some important steps to ensure that data is correctly controlled, processed, maintained, retained, and secured.
The penalties can be up to €20,000,000 or 4% of your annual gross revenue, so it MUST be a top priority for your team in 2017.
No idea where to start? Don’t worry, we have brought in one of our neighbours at our The Old Pub offices, Paul Hutton, COO at Boxmodel – one of the UK’s leading suppliers of software and application development – to give you an overview of the GDPR and what it could mean for your business…
The clock is well and truly ticking on the GDPR time bomb! Myself and the team at Boxmodel are here to help you defuse it in a safe manner without the need to purchase expensive protective clothing or armoured vehicles.
With only a year to run on this clock, it is now that many may start to find little beads of sweat gathering on their foreheads. At Boxmodel, we can sympathise with this, as there is only one more turn of the yearly clock to run before we must comply with the General Data Protection Regulation too. And after all, it’s the biggest change in data protection we have seen in history.
Some may take the view that since the UK is leaving the EU, the GDPR will not impact them. This couldn’t be further from the truth! The Information Commissioner’s Office (ICO) is very much behind the GDPR and will be a leading force in ensuring compliance. The goal is consistency across the EU, a focus that the Article 29 Working Party has maintained throughout.
What’s the first step, then?
To understand what we are dealing with. We have all been used to ensuring we adhere to the Data Protection Act (DPA) since 1998, when that act consolidated the earlier Data Protection Act 1984 and the Access to Personal Files Act 1987.
The GDPR will see some instrumental points introduced, which we MUST consider and address.
Points to consider are:
The GDPR will apply to all. Some may say that it is the largest export exercise the EU has seen. It is intended to reach every company or organisation worldwide that processes the data of EU citizens. This makes the legislation the first global data protection law ever!
Consent is King! The manner in which we gather or harvest data must be subject to clear and explicit consent. No longer will the beloved ‘pre-ticked’ box, declaring that we are happy for our data to be used to bombard us with the latest PPI deal or to be passed on to ‘valued partners’, be acceptable. It is down to the organisation harvesting the data, and to those processing it, to prove that consent has been obtained in such a manner. This will see many existing sites requiring additional work to ensure that such a burden of proof is achievable.
A data subject can change their mind. Although we may have consented at the time, we can later decide that it is no longer something we agree with. Withdrawing consent is another addition. Organisations must comply with data subjects wishing to withdraw consent at ANY time. This places significant importance on the ability to manage data effectively. There will be little mercy for those who ignore a direct request from a data subject.
There has been a spike in the population of Data Protection Officers. Rest assured, it has nothing to do with the baby boom following Iceland’s success in the Euro 2016 tournament, but rather the new GDPR requirement for dedicated Data Protection Officers in certain circumstances.
Transparency on Data. This change will place the emphasis on the data controller to respond to data subjects’ requests for their data within a strict 1-month period. There are of course exceptions to this rule, but only in specific circumstances. The data must be supplied FREE of charge and in an electronic format. There have been a number of indications that best-practice recommendations are being mooted for organisations to consider a secure online platform where data subjects can review and comment on their data. This is something that we have considered at Boxmodel, and we can offer a number of options.
The data subject can be forgotten. You may recall the ruling from the European Court of Justice in 2014 that search engines were considered data processors and that subjects had the right to ask that content associated with them be forgotten. Well, this has continued through to the new GDPR, albeit with a few more limits on when it can be invoked.
What to do about breaches. Emphasis is very much placed on the organisation, and specifically on the data controller. Security of data is paramount, and it is down to the organisation to ensure that they are fine custodians of our precious personal data. If any breach or potential breach occurs that is likely to cause harm to individuals, notification must be made to the relevant authority within 72 hours. If the breach is considered to present a possible ‘high risk to individuals’, the organisation must report it ‘without undue delay’. It is risky to rely on subjective interpretation; make sure you don’t fall into that trap! Consider your data breach response plan!
Privacy by Design – a concept at the centre of the GDPR. The objective is to ensure that data protection is considered from the outset of any new project, process or practice. This is something that we have been doing for some time now at Boxmodel, ensuring that the impact of the incoming legislation is reduced.
What can I do now to prepare?
Make sure that your organisation and those within it are fully aware of what the new act will mean. From here, a more focused training programme is essential to ensure that those who process data are well versed in their obligations.
It is critical to understand where your current processes may fall short and potentially place you and your organisation at risk. If you have a data capture mechanism, you must ensure that it adheres to the explicit opt-in requirement. This action needs to be recorded in a way that can withstand any potential future interrogation.
Consider a Process Strategy
There are many processes which will need to be implemented within the organisation. Consider how you will store, process, allow access to and account for the data held.
There are new requirements under the GDPR which need to be reflected in your notices.
We really are just touching the surface here. It is crucial that you don’t leave it to the last minute to consider this powerful and highly sensitive act. There will undoubtedly be things that you need to change or address. Indications are that once the two-year grace period has lapsed (which ends in May 2018), there will be little mercy for those who do not comply.
Of course, one may argue that the sheer volume of potential prosecutions arising from the introduction of such a vast change in legislation will require such a financial commitment from the relevant authorities that they won’t be able to police it. Don’t get caught out by that: it won’t take too many convictions to see the authority well funded, and don’t forget, they have also had two years to prepare! In any case, are you willing to take the risk?
We are always keen to help organisations ensure that they are maximising the use of technologies whilst staying compliant. If you have any questions at all, one of the team will be well placed to help.
Contact us on 0191 337 1367 or drop us a line at firstname.lastname@example.org for more information on how we can help.