The EU General Data Protection Regulation (the GDPR) deadline is fast approaching. Organisations have until 25 May to take whatever steps are necessary to bring their data practices into line. Following on from our last post, we wanted to dive into a bit more detail about the Regulation for anyone still unclear on what the GDPR is, who it applies to, and what action they may need to take.
What is the GDPR?
The GDPR replaces the 1995 Data Protection Directive and the national laws that implemented it – in the UK’s case, the Data Protection Act (1998). The goals of the Regulation are to make legislation fit for the Big Data era and to harmonise data protection across the EU. The former places more responsibility on organisations, but the latter ultimately simplifies those responsibilities, since one set of rules applies in every member state.
Who does the GDPR apply to?
The GDPR applies to any individual or organisation controlling or processing the personal data of EU data subjects (i.e. people who are in the EU). That includes individuals and organisations based outside the EU which offer goods or services to people in the EU, or monitor their behaviour, even with no EU establishment. As such, it will continue to apply to the UK following Brexit, and new legislation is making its way through Parliament to bring UK law into line. In the past, many national data protection laws have had exceptions for smaller organisations. Under the GDPR, the only leniency is a lighter record-keeping requirement (the Article 30 records of processing activities) for organisations with fewer than 250 employees, and even that does not apply where the processing is high-risk, regular, or involves special-category data.
What are the major changes?
Think of the GDPR as the Data Protection Act (DPA) ++. The principles are essentially the same, they’ve just been followed through a few more steps. As the Information Commissioner’s Office (ICO) – the UK supervisory body for data protection – says, if you were in compliance with the DPA, the chances are you’re largely in compliance with the GDPR already.
The two guiding principles of the new regulation are:
Self-ownership of personal data
Data subjects own their personal data. Wherever an individual or organisation has access to it, or uses it for processing, it is essentially being rented from the data subject. A number of new rights follow from this principle.
Purpose limitation and data minimisation
Personal data should only be collected where necessary for a specified purpose and used solely for that purpose. Much of what’s new in the Regulation is informed by this principle.
These two fundamental principles are designed to put the brakes on many practices ushered in by the era of Big Data, and to prepare us for the expansion of the Internet of Things (IoT).
What action needs to be taken?
In practical terms, those two principles place a lot more responsibility on individuals and organisations who hold and use personal data.
The major steps required from most organisations are:
Determine the legal basis of all data processing
There are six applicable legal bases: consent, contract, legal obligation, vital interests, public task and legitimate interests. Which basis you use affects the rights available to data subjects: for example, the right to portability only applies to processing based on consent or contract, and the right to object applies to processing based on legitimate interests or public task. You must identify and record the basis before processing starts; switching basis later, because the first one proved inconvenient, is not permitted.
Adhere to a higher standard of consent
Where consent is the basis, it must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. Pre-ticked boxes, silence and inactivity do not count, consent must be kept separate from other terms and conditions, it must be as easy to withdraw as it was to give, and you must be able to demonstrate (i.e. keep a record of) who consented, when, how, and to what.
Implement data retention schedules
The storage limitation principle, the companion of data minimisation, means that data should not be held any longer than necessary to fulfil the purpose it was collected for. This means most data should be erased after a reasonable period of time, which will depend on the legal basis and purpose, and that period should be written down as a retention schedule rather than decided case by case.
The major exceptions are when there is a legal obligation to retain the data, such as our obligation to keep financial records for auditing purposes, and when the data is pseudonymised (processed so that it can no longer be attributed to a person without additional information, such as a lookup table or key, that is held separately and protected), in which case it can be kept for statistical purposes. Note that pseudonymised data is still personal data under the GDPR; only data that is truly anonymised falls outside it.
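One way to turn a retention schedule into something that actually runs against your records, as an added example that is not code from the original post or from the ICO (Python). The retention periods, the field names, the sample records and the `statutory_hold_until` override are assumptions made for illustration; the point it demonstrates is the order of precedence (legal hold, then purpose-based expiry, then erase or pseudonymise) and that pseudonymisation is keyed, with the key being the “additional information” that must live somewhere else.

```python
"""Retention-schedule evaluator.

Added example, not from the original post or the ICO. Retention periods,
field names, sample records and the key are assumptions for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Illustrative retention periods in days after the purpose was fulfilled.
# These numbers are assumptions for the example, not figures from the GDPR.
RETENTION_DAYS = {
    "consent": 30,
    "contract": 365,
    "legal_obligation": 6 * 365,
    "vital_interests": 30,
    "public_task": 365,
    "legitimate_interest": 180,
}

# The date the schedule is evaluated "as of" (assumption for the example).
AS_OF = date(2018, 5, 25)


@dataclass
class Record:
    subject_id: str
    email: str
    legal_basis: str
    purpose: str
    purpose_fulfilled: date
    keep_for_statistics: bool = False
    # A legal duty to retain (e.g. audit) overrides the purpose-based period.
    statutory_hold_until: Optional[date] = None


def pseudonymise(identifier: str, key: bytes) -> str:
    """Replace an identifier with a keyed pseudonym (HMAC-SHA256).

    The key is the 'additional information' that must be kept separately:
    without it the pseudonym cannot be attributed back to a person, while
    the same key maps one person to one pseudonym, so statistical records
    stay linkable. Truncated to 32 hex chars; full digest is not needed.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def decide(record: Record, today: date, pseudonym_key: bytes):
    """Return (action, payload) for one record.

    action is 'retain', 'erase' or 'pseudonymise'. payload is the
    statistical stub to keep (identifiers stripped, subject replaced by
    a pseudonym) when the action is 'pseudonymise', otherwise None.
    """
    # 1. A legal obligation to retain wins over everything else.
    if record.statutory_hold_until is not None and today <= record.statutory_hold_until:
        return "retain", None
    # 2. Still inside the retention period for the stated purpose.
    expiry = record.purpose_fulfilled + timedelta(days=RETENTION_DAYS[record.legal_basis])
    if today <= expiry:
        return "retain", None
    # 3. Past expiry: keep a pseudonymised stub for statistics, or erase.
    if record.keep_for_statistics:
        stub = {
            "subject": pseudonymise(record.subject_id, pseudonym_key),
            "legal_basis": record.legal_basis,
            "purpose": record.purpose,
            "year_fulfilled": record.purpose_fulfilled.year,  # coarsened, no exact date
        }
        return "pseudonymise", stub
    return "erase", None


def run_schedule(records, today: date, pseudonym_key: bytes):
    """Apply decide() to every record; returns {subject_id: action}."""
    return {r.subject_id: decide(r, today, pseudonym_key)[0] for r in records}


# Constructed sample records for the example (not real data).
SAMPLE_RECORDS = [
    Record("alice", "alice@example.com", "consent", "newsletter", date(2018, 5, 1)),
    Record("bob", "bob@example.com", "consent", "newsletter", date(2018, 3, 1)),
    Record("carol", "carol@example.com", "contract", "invoice", date(2016, 1, 1),
           statutory_hold_until=date(2022, 1, 1)),
    Record("dave", "dave@example.com", "legitimate_interest", "site analytics",
           date(2017, 1, 1), keep_for_statistics=True),
]

if __name__ == "__main__":
    # Assumption: in a real deployment the key is fetched from a separate
    # secret store, never kept alongside the statistical data.
    key = b"example-pseudonym-key"
    for r in SAMPLE_RECORDS:
        print(r.subject_id, *decide(r, AS_OF, key))
```

Evaluated as of 25 May 2018 with the assumed periods, alice is retained (her 30 days are not up), bob is erased, carol is retained because of the statutory hold even though her contract period expired long ago, and dave survives only as a pseudonymised stub with no e-mail and no exact date. Rotating or losing the key makes every existing stub unlinkable, which is the property you want if the statistical set is ever exfiltrated on its own.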
Ensure processes are in place to enact data subjects’ rights
The GDPR legislates a number of new or strengthened rights, which your organisation must be able to honour within one month of a request. These include the Right to Erasure (aka the Right to be Forgotten), the Right to Portability, and the Right to Object.
Broadly speaking, this means you must be able to delete all copies of a person’s personal data from your systems (including backups, caches and copies held by your processors), provide their personal data in a structured, commonly used, machine-readable format, and stop the processing they object to (unconditionally in the case of direct marketing) without necessarily erasing the data, respectively. None of this is achievable unless you already know where personal data lives, so a data inventory is the practical prerequisite.
Ensure cybersecurity is up to standard
Data subjects’ rights are clearly at risk if your organisation is hacked. That means you must ensure your cybersecurity is up to reasonable standards relative to the sensitivity of the information that you hold. Technology moves fast, so there are no hard and fast rules here, but the Regulation does name the measures it expects to see considered: pseudonymisation and encryption, the ability to maintain confidentiality, integrity and availability, the ability to restore data after an incident, and a process for regularly testing and evaluating those measures. The ICO publishes general guidance on what security is appropriate.
Ensure a process is in place to report breaches to the ICO
If you do suffer a personal data breach that is likely to result in a risk to people’s rights and freedoms, the GDPR stipulates that you must report it to your country’s supervisory body (for the UK, that’s the ICO) within 72 hours of becoming aware of it, and tell the affected individuals without undue delay where the risk is high. Breaches are recognised as nearly inevitable, so reporting is not for the purpose of punishment; rather, it is to determine next steps. However, if you can’t demonstrate that you did everything you reasonably could have to prevent the breach, you may be penalised, and failing to report is itself a breach of the Regulation. In practice this means you need incident detection and a documented response procedure in place before the breach, because 72 hours is not long enough to invent one.
Of course, the Regulation covers a lot more ground than this. The ICO has produced detailed guidance covering every aspect, and even has a telephone helpline for small businesses. The full guidance is published on the ICO website.
The essential thrust is to ensure that you have a valid reason for any and all data collection and processing you do, you do not stray beyond that reason, you are open and transparent about the data processing, and that data subjects are able to remove themselves from said processing unless to do so would be to infringe a legal obligation.
What are the penalties for non-compliance?
Maximum penalties are steep. The most serious offences carry a fine of up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Less serious offences can go up to €10 million or 2% of global turnover, whichever is higher.
However, the ICO has gone on record to say that they have always preferred the “carrot to the stick”, working with organisations to improve their practices, rather than doling out fines. And they plan to continue this policy by being more lenient on companies that have shown an awareness of GDPR and a willingness to comply, stating that sometimes a “stern letter” will be enough.