Introduction
This is one of the most powerful legal change with far reaching consequences and affects all businesses in European Union. Brexit will not change this legal compliance needs.
The General Data Protection Regulation (GDPR) will come into effect on the 25th of May 2018 in the European Union (EU). GDPR will take precedence over any national laws.
GDPR proposed by the European Commission will strengthen and unify data protection for individuals within the European Union (EU), whilst addressing the export of personal data outside the EU. GDPR is one of the biggest shake-ups ever seen affecting how data relating to an individual should be handled—and potentially it affects not just companies but any individual, corporation, public authority, agency or other body that processes the personal data of individuals who are based in the EU. This includes suppliers and other third parties a company might utilise to process personal data. GDPR will also affect companies outside the EU that offers services to individuals in the EU. GDPR will have many implications for every department of many business worldwide. Many businesses will need to employ data protection officers.
The Basics
The GDPR framework set out minimum requirement that need to be followed for all personal data. Personal data is any information relating to an individual for example physical appearance or bio metric data. Most companies collect data daily and sometimes do not realise they are doing so. Examples of collecting data are website tracking cookies or individuals records on customer relationship management which is used for marketing.
GDPR Overall
Here are the key areas of the GDPR, with reference to the EU Directive 95/46 data protection directive.
Individual Rights
The current EU data protection legislation (Directive 95/46) gives individuals rights over their personal data and describes what information individuals have to be provided with by businesses, including information about what that business was going to do with that personal data. Often this was done via privacy statements or notifications provided on a website.
Individuals must be informed of the following rights:
- To complain to supervisory authorities known as ICO.
- To be able to withdraw their consent to processing of their personal data.
- To access their personal data and have it rectified or erased by the business.
- To be informed of the existence of any automated personal data processing.
- To object to certain types of processing.
- To be informed of how long their data will be held for.
- To be provided with details of any Data Protection Officer.
Consent
When collecting data based on the consent of individuals, pre-ticked consent boxes on websites, or silence/inactivity on behalf of the individual after reviewing a privacy statement, will not constitute consent. Business can’t use an individual’s single consent at one stage in their business dealings as consent for other kinds of personal data processing. Separate consents are required for different personal data processing operations.
Individuals must be informed that they can withdraw consent at any time and it should be an easy process for them to withdraw consent.
If you have obtained existing consents by individuals these should be revisited to make sure they comply with GDPR. If there are conflicts it is important to get new consent or cease processing that data.
Right to move or transfer data
Individuals now have the right to move, copy or transfer their personal data from one place to another, even to a competitor. As such, the personal data needs to be in a structured, commonly-used and machine-readable format so it can easily be utilised and shared.
Proof of compliance
Businesses need to prove that they are complying to GDPR under GDPR requirement for accountability and are complying for record keeping requirements. records should be maintained that detail processing activities, subject access requests, breaches, how consents are obtained, and Privacy Impact Assessments.
Privacy from start to finish
Technical and organisational measures need to be in place throughout the lifetime of the personal data to match the privacy expectations of the individual. This is referred to as “Privacy by Design”, meaning that privacy considerations must be built into every aspect of that processing. Implementing Privacy by Design and Privacy by Default will involve continuous training, undertaking regular audits, minimising the data collected, restricting access to personal data to a need to know basis, and implementing appropriate technical and organisational security measures such as pseudonymisation and encryption.
Mandatory breach reporting
In the event of a breach, companies must tell supervisory authorities—such as the ICO in the UK—within 72 hours. If the breach poses a high risk to the individuals concerned, companies must also notify the affected individuals without undue delay.
Data Protection Officer
Under the new GDPR regulation companies will need to appoint a Data Protection officer. The DPO needs to have expert knowledge of data protection law, although doesn’t necessarily need to be an employee and could instead be employed on a service contact to fulfil the role. Details of the DPO will need to be communicated to the supervisory authority, such as the ICO in the UK.
Penalties
The penalties for non-compliance of GDPR could be up to 4% of annual global turnover, or €20m, whichever is greater. You might be fined even if there is no actual loss of data. One thing to note is that there are no exclusions or exceptions for small businesses.
If you need any more information, please do not hesitate to contact Sterling Finance on 0161 339 4989 or email info@sterlingfinance.net.
