The EU General Data Protection Regulation (GDPR) is the most important change in data privacy regulation in 20 years.
GDPR comes into force in the UK on 25 May 2018. Are you ready? And more importantly, are you compliant?
UK Data Protection Laws Overhauled
Some would say that updating the data protection laws is long overdue, and they’d be right. Why? Because in an age of a vast array of extensive and advancing digital technologies, our personal data is becoming more accessible (and virtual) than ever before.
The aim of the new regulation is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.
Tech Talk: The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. (Source: www.eugdpr.org).
What’s The Plan?
Essentially, the new regulations seek to give individuals more control over what happens to their personal information. It will:
- enable UK citizens to ask for personal data, or information posted when they were children, to be deleted
- give people more control over their data, require more consent for its use, and prepare Britain for Brexit
- make it simpler for people to withdraw consent for their personal data to be used
- require firms to obtain “explicit” consent when they process sensitive personal data. The changes mean it will be harder for businesses and organisations to obtain consent and easier for individuals to withdraw
- expand personal data to include IP addresses, DNA and small text files known as cookies
- let people get hold of the information organisations hold on them much more freely
- make re-identifying people from anonymised or pseudonymised data a criminal offence
How Does That Apply In The Real Word?
Here are some examples, with the third example quite possibly having the biggest and most significant impact on present processes used by businesses and organisations whether that consent is obtained via their website (or other on-line platforms), eNewsletter marking or via a paper form.
- any firm that holds your personal data, from your name to your DNA, you’ll be able to ask them to delete it
- if you worry about embarrassing social media posts lingering online for years, you will soon have the right to ask for them to be removed
- consent requires a positive opt-in. Businesses and organisations MUST NOT use pre-ticked boxes or any other method of default consent. Explicit consent requires a very clear and specific statement of consent
Top Tip: Remember to reflect the data protection changes by reviewing and updating your Privacy & Cookie Policies and/or Terms & Conditions accordingly.
What Are The Key Changes?
If you’re keen to establish what you need to do in preparation for GDPR, please find below a summary of the key changes. There are also some helpful resources at the end of this article.
The video below is particularly helpful too. Stewart Room, Global Head of Data Protection at PwC Legal, discusses the new General Data Protection Regulation and its impacts for entities and citizens:
GDPR Changes Summary
Jurisdiction – Increased Territorial Scope:
Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.
GPDR makes its applicability very clear – it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.
The conditions for consent have been strengthened, and companies will no longer be able to use long and complicated terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
- Breach Notification: it will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach
- Right To Access: the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose
- Right To Be Forgotten: Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data
- Data Portability: the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly used and machine readable format‘ and have the right to transmit that data to another controller
- Privacy By Design: the inclusion of data protection from the onset of the designing of systems, rather than being an addition, and for data controllers to hold and process only the data that’s absolutely necessary for the completion of its duties
- Data Protection Officers (DPO): internal record keeping requirements and DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences
The Price To Pay For Non-Compliance?
In the UK firms that suffer a serious data breach could be fined up to £17m or 4% of global turnover (ouch!).
The current maximum fine firms can suffer for breaking data protection laws is £500,000.
The UK’s Information Commissioner will have its powers strengthened and extended to help it police the new regime.
Compliance should involve a holistic review of risk — looking at the classic trio of people, processes and technology. It will also need to be an ongoing effort and not just a one-off review.
The new GDPR and the Digital Single Market Directive essentially mandate that security is built-in, not bolted-on as an afterthought, and that data is protected by design and by default.
In a nutshell, security is not just about complying with the rules, it’s about protecting your customers, protecting your reputation, and protecting your future.
Want To Find Out More about GDPR?
For further information, I’ve found the following websites particularly informative:
- EU GDPR Overview: www.eugdpr.org
- Information Commissioners Office – Lawful Consent Checklist: ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/
- GDPR – 12 Steps To Take Now (PDF 539KB): https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Thanks for taking the time to read my blog. Hopefully this article provides a good understanding of the key points of GDPR. If you think it will help your colleagues too, please share it.
If you’d like some help getting your website to work hard for you and your business, please don’t hesitate to get in touch.