After four years of negotiation and discussion, the GDPR (General Data Protection Regulation) is set to come into force on 25 May 2018 after its approval by the European Parliament on 14 April 2016.
The GDPR is a new European privacy regulation that aims to balance individual and business rights through transparency and accountability as well as harmonise data privacy laws across Europe.
The GDPR will replace Data Protection Directive 95/46/EC, which was implemented at the national level in 1995. This new regulation will apply to all member states of the European Union simultaneously – including the United Kingdom, despite its pending departure from the EU.
The GDPR will apply to organisations established or operating within the European Union that process or collect personal data, as well as companies outside of the EU which offer goods and services to individuals in the EU or which monitor the behaviour of individuals within the EU.
The Regulation applies to personal data. Personal data is defined within the GDPR as “any information relating to an identified or identifiable natural person”. An identifiable natural person is defined as “a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, such as National Insurance number, address, email address, or to one or more factors specific to the … identity of that natural person.”
Corporate data (which is not a legal term, but which might include information about a company, rather than a person, for example) is not covered by the GDPR.
The GDPR will not apply, however, to certain activities such as processing for national security purposes and processing by individuals for personal/household activities.
Major changes introduced by the GDPR
The GDPR will bring about a number of major changes in data processing – here are some of the most important that companies need to know about:
- Consent – the conditions for consent have been strengthened, meaning companies will no longer be able to make use of long illegible terms and conditions or pre-ticked and opt-out boxes. Instead, consent must be distinguishable from other matters, with an easily accessible form, and the language must be clear and plain.
- Data breach notice – if a company suffers a cyberattack or an employee loses or misuses data, they will need to notify the affected individuals and the data protection authorities within 72 hours.
- Right to access – individuals now have the right to know if their personal data are being used, where and for what purpose. This means that companies must provide a copy of the personal data on request free of charge.
- Right to erasure – also known as ‘the right to be forgotten’, the right to erasure gives individuals the right to have personal data erased and to prevent processing in specific circumstances. Examples include where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed, or where the individual withdraws consent.
- Data portability – individuals now have the right to receive their personal data from a collector, and to transmit that data to another data controller.
What penalties can companies face if they fail to comply with the GDPR?
Failing to comply with the GDPR policies will result in companies facing increased penalties under a tiered system, up to a maximum of €20,000,000 or 4% of total worldwide annual turnover, whichever is greater.
However, Elizabeth Denham, the Information Commissioner, said in August last year that the norm will not be to impose high fines on companies but to set examples of how to comply with the GDPR, observing “This law is not about fines. It’s about putting the consumer and citizen first. We can’t lose sight of that. Thinking that the GDPR is about crippling financial punishment misses the point.”
“It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the Data Protection Act allows us. But the ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under GDPR. We have always preferred the carrot to the stick,” Denham added.
How to get ready for the GDPR
According to the ICO (the Information Commissioner’s Office, the UK’s independent body established to uphold information rights), there are 12 steps every business must take in order to get ready for the GDPR:
- Create awareness – companies need to make sure that employees understand what the GDPR means, what its implications are and the importance of compliance.
- Assess information held – this means businesses must provide information on what personal data they hold, where it came from and who they share it with. In some cases, companies will need to undertake a data protection audit to achieve compliance.
- Communicating privacy information – this relates to the way companies provide people with information about how they process their personal data. It needs to be reviewed and any necessary changes must be made in time.
- Individuals’ rights – Customers have the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object and rights in relation to automated decision making and profiling. This means companies must check all their procedures to ensure they cover all these individuals’ rights.
- Access requests – companies must update their procedures when it comes to handling requests for information from customers.
- Lawful basis for processing personal data – the action of processing personal data must be lawful. But what does lawful mean? It means it needs to be permitted under the GDPR. Companies need to identify the lawful basis for their processing activity under the GDPR, document it and update their privacy notices to explain it.
- Consent – Companies must review how they seek, record and manage consent and assess whether they need to make any changes to their legal notifications and user interfaces.
- Children – The GDPR will introduce special protection for children’s personal data, which means that companies will need to put systems in place to verify individuals’ ages and also to obtain parental consent for any data processing activity.
- Data breaches – In the event of a data breach, companies must have the right procedures to detect it, report it and investigate it.
- Data Protection by Design and Data Protection Impact Assessments – Although this approach is not a requirement of the GDPR, it’s highly recommended to implement data protection impact assessments, which can help to identify the most effective way to comply with data protection obligations and meet individuals’ expectations of privacy, from the outset.
- Data Protection Officers – Public authorities, organisations that carry out the large scale processing of special categories of data and companies that carry out the regular and systematic monitoring of individuals on a large scale must appoint someone to take responsibility for data protection compliance.
- International – Organisations established in more than one EU member state must determine their lead data protection supervisory authority. In this case, companies must map out where they make their most significant decisions about their processing activities.
Aware of the importance of complying with the GDPR and the potential costs of non-compliance, members of staff at Ambassador London have spent a great deal of time gaining a deeper insight into this new law, ahead of its imminent commencement on 25 May 2018.
With this experience, we are able to provide clients with useful information about GDPR compliance as well as help them audit their data processing strategy, ensuring companies will be compliant with their data protection obligations.