In just over a year’s time, on the 25th May 2018, the new EU General Data Protection Regulation, more often known simply as the “GDPR” comes into force. The GDPR is designed both to harmonise data protection throughout Europe and to modernise it, taking into account significant advances in science and technology that have taken place in recent years. In particular, the growth of the internet and the huge increase in the amount of personal data being transferred, stored and processed online (looking at you, cloud storage and social media), means that data protection legislation is long overdue for a refresh.
The first thing to get out of the way, since the “EU” part will doubtlessly be leading some to question whether or not the GDPR will be around for long, is that the UK government has confirmed that the GDPR will not be affected by Brexit. It is quite likely, then, that the Great Repeal Bill (see our previous post, here) will take care of that. Now we’ve said “Brexit”, we’ll move on.
Who Does The GDPR Affect?
In the most basic terms, if you already have obligations under the Data Protection Act 1998, you still will under the GDPR. The GDPR will apply to organisations operating within the EU and to organisations outside the EU that deal with individuals inside it.
What Does The GDPR Apply To?
As with the Data Protection Act, the GDPR applies to “personal data”. This is where one of the key modernisation points arises, for the GDPR expands its definition of personal data to personal identifiers such as IP addresses. Even personal data that has been anonymised – by using coding or pseudonyms, for example – may still count as personal data if it can be traced to a particular individual. In short, almost any kind of personal data, whether it was previously caught under the Data Protection Act or not, will likely be included under the GDPR.
The good news, however, for many businesses – especially SMEs – is that in the case of things like HR records, customer lists, contact details and so forth, the new definition will make little practical difference. That being said, for those who do a lot with online data behind the scenes, it’s certainly worth brushing up to be on the safe side.
Another key point to note is that the GDPR now applies to “data processors” as well as “data controllers”. Those processing personal data purely in a service provider capacity for a data controller will thus now also need to ensure compliance.
What Does The GDPR Say About Consent?
Organisations will need to be more proactive, and clearer with the language they use, when it comes to obtaining consent to the collection and processing of personal data. Individuals must know how their information will be used, and organisations cannot rely on silence or inactivity on the part of those individuals as consent. Not only that, but if the purpose for which you want to use someone’s data changes after getting their initial consent to use it, you must get fresh consent for the new use.
Again, in some cases, particularly for those who already pay careful attention to privacy and data protection, this will simply mean business as usual; but for others, particularly those who use customer data for marketing purposes, consent mechanisms may need to be re-thought, and clear, detailed information must be made easily accessible to customers, explaining the whats, whys, and hows of the organisation’s personal data collection and use.
How Will This Change The Way I Do Things?
Simply put, organisations need to take a more proactive approach to data protection, maintaining a much sharper awareness of privacy throughout their activities, systems, and projects. One key way in which this should be done is through the use of Privacy Impact Assessments, another new requirement introduced by the GDPR. A Privacy Impact Assessment or “PIA” should be conducted wherever a particular activity presents a risk of privacy being breached so as to minimise the risks to the individuals whose data is involved.
You may also have heard about the so-called “right to be forgotten”, especially in the context of search engines. The GDPR now brings this one to your doorstep too. If an individual requests that you delete the data you hold about them, you must do so.
Will I Need A Data Protection Officer?
If an organisation’s “core activities” involve the “regular and systemic monitoring of data subjects on a large scale” or the “processing on a large scale of special categories of data”, then it will need to appoint a Data Protection Officer.
This will apply regardless of the size of the organisation itself, so small businesses are by no means off the hook. Particularly as a result of the growth in online business, even small businesses with only a few employees may potentially be dealing with the personal details of thousands of individuals.
Among the Data Protection Officer’s responsibilities will be the carrying out of Privacy Impact Assessments, designed to identify and assess privacy risks for a given project which will involve the use of personal data (see above).
What If Something Goes Wrong?
If there is a data breach, the GDPR requires that the local data protection authority (in the UK’s case, the Information Commissioner’s Office) be informed within 72 hours of discovering it. Not only does this mean increased accountability, but for many this will also mean changes to internal systems, policies, and procedures to make it quicker and easier to spot and respond to breaches.
It’s under this heading that it’s also worth mentioning the F word. No, not that one (although you’d probably say it in the circumstances). Fines: that’s the one we mean. The GDPR is serious about increasing data protection, and penalties are no exception. Organisations that fail to comply with their obligations can face fines of up to 4% of their annual global turnover or €20 million, whichever sum is greater.
I’m Going To Be Very Busy, Aren’t I?
That depends. If your organisation is already taking data protection and compliance with the Data Protection Act seriously, the GDPR shouldn’t be anything to be afraid of. What’s more, you have a year to determine what changes need to be made and to make them, and provided you don’t mess about, that should be plenty of time.
Start by getting all relevant staff up to speed, appoint someone to oversee data protection, then evaluate your existing methods of data collection, obtaining consent, holding data, processing it, and handling individuals’ requests to see that data or have it erased. Your next step should be to determine what (if anything) needs to be improved and to get a plan in place for implementing those improvements in the time available. Remember the new responsibilities of data processors too: make sure that your suppliers and service providers are aware of their responsibilities under the GDPR and are taking the necessary steps to comply. Last but not least, don’t panic!
As ever, we want to hear your thoughts. Will the GDPR come as a shock to the system or is your business already hot on data protection? Do you think the modernisation of data protection law is overdue or do you see it as adding unwelcome burdens? Have you already started preparing? What steps would you recommend to other businesses?
Over the coming weeks and months we will be adding a range of new documents to our portfolio to help you get up to speed and up to spec with the GDPR, plus comprehensive new information on the various aspects of the GDPR with best practice guidance on how to comply. Stay tuned!