The General Data Protection Regulations (GDPR) – Not just a European version of the UK Data Protection Act (although it has many of the characteristics), the GDPR represents a major shakeup of data protection and has passed into UK law. This will be enacted on the 25th May 2018 and this much-needed update takes into account the digital age and the higher risks ordinary people face when companies play fast and loose with their data.
But this is for big organisations right? – Wrong! There are many ‘Alternative Facts’ circulating in relation to who this regulation applies to. Early drafts of the GDPR mentioned exclusion for organisations with less than 250 employees but this did not make it to the final draft! The litmus test for any organisation, big or small is, do you process (including just storing or using) information that can be used to identify a ‘natural’ living person, and do you have a lawful basis to process that information? Taken to an extreme, do you have just a CV or two sitting on your laptop which you might just retain or share with other parties for commercial purposes? If so, this is for you, so maybe take the time to read on
The scope of the GDPR is much wider than the Data Protection Act (DPA). Personally Identifiable Information (PII) ranges from name and address details, to geolocation data, email address, IP address and biometric and genetic data. In short, anything that can be used to identify a natural living person is PII. As an aside, data collected for personal, non-commercial use is not subject of these regulations. Whilst the DPA was concerned with data subjects within the UK, the GDPR protects the data of EU citizens regardless of whether the company is EU based or not; so, Brexit is irrelevant. Data controllers and data processors can be jointly held responsible for data breaches and incur fines. Whilst on the subject of fines, and to keep your interest, the fines for contravention of the regulations are tiered. The top tier offences carry a fine of 20m Euros or 4% of the previous year’s annual turnover!
Security looms large in the new regulations, with encryption and pseudonymisation (it is a word apparently!) being encouraged. Integrity, confidentiality and availability being key as well as technical and organisational measures being design in to ensure compliance.
A significant change is the requirement for people to ‘opt in’ by default when consenting to their data being harvested and processed, which is a 180° change from the current options to ‘tick here if you do not wish to receive communications’. In order to use personal data for marketing or profiling purposes, explicit consent will be required, i.e. an agreement to a specific written focused statement. All other consent will require some affirmative action that the data subject has to perform to indicate that consent has been given – oh and don’t forget to record that consent!!
There are also changes to the consent given by children, the GDPR identifies the age limit for consent as 16 years old, although the UK has derogated this to 13 years. So, generally, data subjects have much greater rights with significant changes to the consent rules and greater legal obligations on data controllers (you who hold and make decisions about what happens to that data) and data processors to protect data.
International transfers provide an interesting challenge if you intend to have data processed outside of the EU. Some countries have already been adjudged to have adequate procedures in place that are equivalent to the GDPR, but many others have not. You will need a lawful basis, an appropriate safeguard or a derogation and permission from the data commissioner’s office to undertake this.
There are three key roles identified within the legislation; Data Controller (a person or organisation that determines the purpose for which, and the manner in which, any personal data are, or are to be processed), Data Processor (a person or organisation who processes the data on behalf of the data controller) and Data Protection Officer (responsible for monitoring compliance, providing information and liaising with the supervisory authority, and operates independently (full-time role or consultant based)).
Data Protection Officers are mandated in some circumstances; however, most SME’s will be able to engage a GDPR expert on a consultant basis.
In the final analysis, the Data Protection Act had a narrower focus, didn’t really cater for the digital age and had relatively soft penalties. This all changes with GDPR, this is a game changer, but small business shouldn’t panic about a huge increase in bureaucracy or restrictions although I suggest you shouldn’t leave it to chance. To see just how the new law may affect your organisation, get some professional advice and get ready!