From 25th May 2018, the General Data Protection Regulation (GDPR) will be in place across Europe and will apply to all companies worldwide that process the personal data of European Union citizens.
Currently, the UK relies on the Data Protection Act 1998, which will be superseded by the new legislation. All companies that work with information relating to EU citizens must comply with it.
With the GDPR coming into force in less than six months’ time, it is not too late to start responding to the significant changes. In this blog we will highlight the key facts of the GDPR to help you and your organisation understand the requirements.
Why was the GDPR Drafted?
The current legislation was enacted in 1998, just before the boom of the internet, an event which had a profound effect on the ways in which personal data could be exploited. The GDPR seeks to address these issues and enforce tougher measures to prevent non-compliance and data breaches, giving people greater security for their data in the expanding digital economy.
Further to this, the EU wants to give businesses a clearer legal environment in which to operate, making data protection law consistent across the EU.
Who Does It Apply to?
Any organisation or company that processes or controls data of European Union citizens must comply with the GDPR. This encompasses anything from profit-seeking companies to charities and governmental organisations. Businesses that are currently subject to the DPA are also likely to be subject to the GDPR.
What Information Does the GDPR Apply to?
Like the DPA, the GDPR applies to personal data; however, the GDPR broadens the definition of personal data to bring new kinds of data under regulation. This can be any information from a person’s IP address to their HR records and contact details. This means that areas of IT that were previously unaffected by the DPA will now fall within scope, and businesses must ensure they comply.
Pseudonymised personal data may also be subject to the GDPR, depending on how difficult it is to determine to whom the data belongs.
Why Should Businesses Care About the GDPR?
There will be a substantial increase in fines for organisations that do not comply with the GDPR. Penalties as great as €20 million can be issued by the authorities should a company fail in their obligations under the new regulation.
Aside from the mammoth fines, the data protection regulation is being put in place to protect and respect the personal data of customers. It is good business practice to recognise and appreciate this aspect.
How can Businesses get Consent Under the GDPR?
One of the biggest challenges presented by the GDPR will be obtaining valid consent for capturing customers’ personal data.
Organisations will need to use clear, concise language when asking for consent to collect personal data and when outlining how they intend to use the information they have collected. The regulation is clear that consent cannot be implied, and that silence or lack of protestation will not constitute consent. In addition, consent must be verifiable, meaning that the days of pre-ticked tick-box opt-ins and similar models will be officially over.
Controllers must also keep a record of how and when an individual gave consent. That individual can then choose to withdraw their consent at any time, and they should be able to do that with ease.
Cookies and similar technologies which are used for non-essential tracking will also require prior consent. Browser and interface manufacturers will be required to bear responsibility by providing ways for individuals to manage this consent easily. This will be a major change for the ad-tech industry and potentially harmful to its business.
The Right to be Forgotten
One of the major clauses of the GDPR is that all individuals have the right to demand the erasure of their data if it is no longer necessary to the purpose for which it was collected.
Organisations will need to ensure they have the technologies and procedures in place to delete data in response to such requests and will have to gain new consent before they alter the way they are using the data they have collected.
Data Breach Response Plan
There is an urgent need for organisations to prepare a breach notification plan in the event of something going wrong. Many organisations must appoint a Data Protection Officer (DPO), who will coordinate customer communication and the remedial activity as part of that plan.
Data protection officers must have an expert knowledge of data protection law and practices. Their activities will involve regular and systematic monitoring of data on a large scale.
Organisations also have a responsibility to inform the data protection authority of any data breach that risks an individual’s rights within 72 hours of becoming aware of it. Those who fail to meet this deadline can face an enormous penalty.
Will Brexit Affect the British Response to the GDPR?
The GDPR, as mentioned above, is an EU regulation applicable in the UK without the need for domestic UK legislation. British businesses will therefore need to start considering which parts of their operation are established in the UK and may be affected by proposed changes. They must identify personal data flows from the European Economic Area to the UK, and identify which UK establishments monitor or offer goods and services to citizens in the EU.