Key facts on changes to the data protection law
The General Data Protection Regulation (GDPR) is a new EU law that comes into effect on May 25th 2018 and replaces (in the UK) the Data Protection Act 1998. It is probably the most significant data protection law in the world and will affect companies worldwide that process the personal data of individuals in the EU. Failing to comply with the GDPR risks a fine of up to 10 million Euros or 2% of annual worldwide turnover, whichever is higher, for breaches of obligations such as security measures and breach notification, and up to 20 million Euros or 4% of turnover, whichever is higher, for breaches of the core principles, the lawful bases for processing, data subjects’ rights or the rules on international transfers.
So what is it?
Introduced to keep pace with the modern digital landscape, the GDPR is more extensive in scope and application than the current Data Protection Act (DPA) and extends the rights of individuals, requiring businesses to develop clear policies and procedures to protect personal data.
The EU has substantially expanded the definition of personal data under the GDPR. To reflect the types of data that organisations now collect about people, online identifiers such as IP addresses and cookie identifiers are explicitly treated as personal data where they can be linked to an individual. Other information is also covered where it relates to an identifiable person, for example economic status, cultural identity and mental health details; health data is one of the ‘special categories’ that attract stricter rules. Anything that counted as personal data under the Data Protection Act still qualifies as personal data under the GDPR.
Below is a summary of the main requirements of the GDPR:
- If your business is not in the EU, you will still have to comply with the Regulation if you offer goods or services to, or monitor the behaviour of, individuals in the EU
- The definition of personal data is broader, bringing more data into the regulated perimeter
- Parental consent will be required for online services offered directly to children under 16 (Member States may lower this to 13) where consent is the lawful basis for processing
- The rules for obtaining valid consent have been tightened: consent must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give
- The appointment of a Data Protection Officer (DPO) will be mandatory for certain organisations, including public authorities and those whose core activities involve large-scale monitoring or processing of special-category data
- Data Protection Impact Assessments (DPIAs) are mandatory for processing that is likely to result in a high risk to individuals
- Personal data breaches must be reported to the supervisory authority within 72 hours of becoming aware of them unless the breach is unlikely to result in a risk to individuals, and to the affected individuals where the risk is high
- Data subjects have the right to erasure (the ‘right to be forgotten’)
- There are new restrictions on international data transfers
- Data processors have direct legal obligations and share responsibility for protecting personal data
- There are new requirements for data portability
- Processes must be built on the principle of privacy by design and by default
- The GDPR introduces a ‘one-stop shop’: an organisation carrying out cross-border processing deals primarily with a single lead supervisory authority, while the Regulation as a whole reaches organisations outside the EU that target or monitor individuals in the EU.
What can you do to prepare?
There are key areas that organisations need to focus on to ensure that they will be compliant with the GDPR when it takes effect in May 2018. The UK Information Commissioner’s Office (ICO) outlines the following steps to help you prepare:
- Make sure all staff are aware that the law is changing and the impact it will have on the business.
- Document what personal data you hold, where it came from and who you share it with – carry out an information audit.
- Review current privacy notices for communicating privacy information and put a plan in place for making necessary changes in time for the GDPR implementation.
- Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
- Update your procedures and plan how you will handle subject access requests within the new timescale (one month, rather than the current 40 days) and provide the additional information required, such as your lawful basis for processing and retention periods.
- Identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
- Review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
- Make sure you have the right procedures in place to detect, report and investigate a personal data breach.
- Familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments and the latest Article 29 Working Party guidance on Data Protection Impact Assessments, and work out how and when to carry them out in your organisation.
- Designate someone to take responsibility for data protection compliance and decide where this role sits within your organisation’s structure and governance arrangements. Consider whether you are required to formally appoint a Data Protection Officer (DPO).
- Start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent where you rely on consent to process children’s data for online services.
- If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
What will Net Technical Solutions be doing?
Aside from checking our own compliance against the GDPR, Net Technical will also be helping its customers to become compliant. We have teamed up with local Data Security specialists Think Marble, to offer a range of services around GDPR, Cyber Essentials, Penetration Testing and Security Awareness.
The first step towards GDPR compliance from an IT perspective is to gain certification under the government-backed Cyber Essentials scheme, and we will shortly be sending out some further information relating to this. In the meantime, if you would like any further information on the steps Net Technical Solutions is taking to become GDPR compliant, or how we can help your company do the same, please contact your Account Manager today.