There is a lot of buzz at the moment around GDPR (General Data Protection Regulation). Perhaps because not many people fully understand this new legislation, but also because it seems to have wide-reaching ramifications for businesses.
What is GDPR?
GDPR could, for some companies, entirely change how they process and control data. However, Elizabeth Denham, the UK’s information commissioner, emphasises that businesses should not listen to scaremongering: “The GDPR is a step change for data protection,” she says. “It’s still an evolution, not a revolution”. For businesses already complying with existing data protection laws the new regulation is only a “step change”.
Our current data protection legislation was written in the 1990’s – just think of how much change has happened with the upsurge of the internet, smartphones and social media. GDPR will change how personal data can be used by businesses and will be overseen by the ICO (Information Commissioner’s Office).
What’s new?
- Reach: companies across EU will have to comply but also their subsidiaries outside the EU.
- Accountability: companies no longer have to register with ICO but the onus is on each business to show that they keep data secure, accurate and up to date; include data protection as part of decision-making; and processes implemented and checked regularly. ‘High risk’ processing (sensitive data or high risk of loss) will require a Privacy Impact Assessment.
- Data breach notifications: businesses must notify the ICO within 72 hours when a breach has occurred which is likely to result in risk to rights and freedoms.
- Data Processors: will also have a direct obligation to implement technical and organisational measures; report breaches to the Data Controller (which may be your client); keep records of processing activities. Businesses may wish to consider Cyber Insurance since most office insurance policies will not cover loss of data.
- New rights for people to access the information companies hold about them. These include the right to see the information the company holds, have their information transferred to another company at no cost and to be deleted.
- Consent: people must freely give consent (not tied to a reward) in a specific, informed, unambiguous way and must be able to withdraw any time.
- Increased enforcement powers: there will be maximum fines for Controller or Processor of up to 4% annual worldwide turnover or €20M (whichever is greater) for serious and persistent data breaches.
When does GDPR take effect?
GDPR regulations will not be implemented until 25th May 2018, however, companies need to be compliant by that date and for many there will be lots of work needed, so now is the time to plan!
How should we prepare?
Start preparing for GDPR by taking these initial steps:
- Document and review processes and data flows – consider encryption
- Update data policies, handbook and notices – consider Cyber Insurance
- Staff training
- Review and update contracts
- Review and update security measures
- Carry out data protection audits / risk assessments and test
- Sign up to codes of conduct / certifications
Resources:
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
http://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018
BrookStreet des Roches and Riverbank IT seminar, visit Riverbank’s website for more info: https://www.riverbank.co.uk/gdpr/
