The official start of the EU’s General Data Protection Regulation (GDPR) is now just nine months away. This new regulation has been four years in the making and will standardise and strengthen data protection across the EU. It will also provide individuals with a greater say in how companies can use their data.
Although Britain has begun the process of leaving the EU, UK businesses will still need to prepare for GDPR. This is because the regulation applies to anyone who processes personal data belonging to EU citizens, regardless of whether the business itself has a base in the EU.
The implementation of GDPR will result in marked changes to data protection law, including how companies process data, how they obtain consent and how they secure and store that personal data. Below we have outlined 8 key changes GDPR will bring in that businesses should be aware of.
The 25th of May 2018 was when GDPR came into full force. Designed to standardise data protection measures across Europe, GDPR provides individuals with greater rights and establishes a modern framework with which companies need to comply. GDPR applies to any organisation that processes the data of EU citizens, regardless of whether it is actually based in the EU.
With the GDPR bringing in numerous changes, such as widening the definition of personal data, increasing the rights of individuals and establishing new obligations regarding personal data breaches, complying with the regulation will be no small feat. It is likely that many organisations will need to carry out data audits, review processes and privacy notices, assess their current data protection methods and explore technological solutions to help achieve compliance.
To help your organisation prepare for these upcoming changes we’ve put together a list of key points that CIOs should be aware of:
5 important things CIOs need to be aware of
1. You need to know your data
The first step in your journey to compliance with the GDPR is to know exactly what personal data you hold, where you hold it, who has access to it and how you process it. All organisations will have data across multiple systems such as file shares, SharePoint, databases, cloud systems and social platforms like Yammer. You may not have even identified some of it yet. With a vast amount of data out there to discover, classify and report on, it will be necessary to investigate technology solutions that can assist.
2. “Privacy by Design” is an obligation – not a recommendation
The ICO and other regulatory authorities have long recommended that organisations take a “Privacy by Design” approach, but the GDPR outlines this as an obligation. In the past, privacy controls may have been the last thought, but now they will need to be embedded into every system that handles data right from the very start and throughout the entire lifecycle of the project. The GDPR states that you must “implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities”, to ensure that Personally Identifiable Information (PII) is protected.
Under this approach, you will now have to give consumers maximum privacy protection by default. They can have the ability to lower this, for example when setting up a social media profile they can reduce the default privacy settings, but the maximum settings have to be the baseline. Achieving these obligations involves enacting measures such as explicit opt-in, safeguards to protect consumer data, restricted sharing, and minimised data collection and retention.
3. You will need to undertake Data Protection Impact Assessments
In line with the “Privacy by Design” obligation, organisations will need to undertake Data Protection Impact Assessments (DPIAs) to ensure they comply with data protection obligations and meet individuals’ expectations of privacy. A DPIA is a risk management tool that allows organisations to identify and fix data protection problems in the early stages of a project before they cause damage – both to individuals and the organisation involved. When carrying out a DPIA you should document:
what kind of personal information you will collect;
how you will collect, process and store that personal information;
how and why you can share it; and
how you will protect it from inappropriate disclosure at each step
According to the GDPR, a DPIA should be carried out where “processing operations are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purpose”.
The Information Commissioner’s Office (ICO) states that organisations must carry out a DPIA when using new technologies and when the processing is likely to result in a high risk to the rights and freedoms of individuals.
4. Breach notifications are mandatory
Not only could breaches potentially carry much larger fines once the GDPR is in place, but there are also strict requirements when it comes to reporting such a breach to your supervisory authority and to the individuals affected. If your company suffers a personal data breach that is likely to result in a risk to the rights and freedoms of individuals then you must notify the relevant supervisory authority within 72 hours of discovering the breach, including the following information:
The nature of the personal data breach including where possible:
the categories and approximate numbers of individuals concerned; and
the categories and approximate number of data records concerned
The name and contact details of your Data Protection Officer or another contact point
A description of the likely consequences of the personal data breach; and
A description of the measures taken to deal with the breach and mitigate any possible effects
A personal data breach that is likely to result in a “high risk” to the rights and freedoms of individuals requires organisations to notify those concerned directly and “without undue delay”. One example of such a breach could be the loss of customer details which leaves individuals open to identity theft. Failure to notify when required could result in a significant fine of up to €10 million or 2% of your global turnover.
5. You must take a “risk-based” approach
Certain pieces of personal data can be considered higher risk (or more valuable in the eyes of a cybercriminal). As such, not all data will need the same level of protection. Not only will organisations need to know their data, they will also need to decide how exactly to protect it. This will depend on how you store and process it, and the level of risk it could pose to the individuals concerned. When conducting a data audit you may need to move, delete, encrypt or block certain pieces of personal data. The ability to do this proactively, and keep detailed records of your decisions and activities, will be key to compliance.
Achieving compliance will require a concentrated effort across the whole organisation. Although there is some confusion over who bears responsibility for GDPR, it will likely involve multiple parties. Key people involved could include the Data Protection Officer, the Chief Data Officer, Chief Information Officer, Chief Information Security Officer and senior leadership from departments such as HR and Marketing. It will depend on your organisation’s structure. The board will also need to understand the implications of the GDPR and why it’s necessary to make changes – which could involve financial outlay.
Even though the UK is planning to leave the EU, organisations will still need to comply with the GDPR when data passes through the EU, even if they have no influence on its direction. Furthermore, the UK plans to continue to apply the regulation by transferring it into UK law through a new Data Protection Bill, so waiting to implement GDPR principles within your organisation would not be a wise move.
One such requirement you may have come across is the appointment of a Data Protection Officer. In brief, this is an enterprise-level security role designed to help processors and controllers comply with their GDPR requirements. Specifically, Articles 37-39 relate to the DPO’s role and requirements, but does your organisation actually need to appoint one to comply with the new regulation?
Which organisations need a Data Protection Officer?
For processing to be considered a core activity it should be part of the key operations to achieve the controller/processor’s objectives which “forms an inextricable part of the controller’s or processor’s activity”. This would not include support activities such as payroll or IT support, which are typically supporting functions.
Organisations should take into account the following factors when considering whether their processing is “large scale”:
The number of data subjects concerned;
The volume of data or the range of data items;
The duration of processing; and
The geographical extent of processing
“Regular and Systematic Processing”
This would “include all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising”; however, it could also include offline activity. According to the WP29, “regular” monitoring means monitoring which is:
Ongoing/occurring at particular intervals for a particular period;
Recurring or repeating at fixed times; or
Constantly or periodically taking place
If you are a public authority or your processing activities meet any of the above requirements then it will be mandatory for you to appoint a DPO in order to comply with the GDPR. However, any organisation can appoint a DPO if they wish. For those that decide to do so, it is important to remember that voluntary DPOs will still be subject to the same requirements and responsibilities as mandatory DPOs.
The Information Commissioner’s Office has further stated that, regardless of whether you are obliged to appoint a DPO, you must ensure that your organisation has “sufficient staff and skills to discharge your obligations under the GDPR”.
The WP29 advises that, unless it’s obvious that your organisation does not require a DPO, you should keep records of your decision-making process on how and why you have decided not to appoint one.
Roles and Responsibilities of a Data Protection Officer
Educate the company and employees on important compliance requirements
Train staff who are involved in data processing
Conduct audits to ensure compliance and address potential issues proactively
Be the point of contact for supervisory authorities and for individuals who submit requests regarding their personal data
Maintain comprehensive records of all data processing activities conducted by the company, including the purpose of all processing activities
Communicate with individuals to inform them how their data is being used, their right to have their personal data erased, and what measures the company has put in place to protect their personal information.
Who can be a Data Protection Officer?
You can outsource your requirement to a third party or you can appoint a current staff member as your DPO, as long as there are no conflicts of interest with their current role.
The GDPR has not defined a particular list of qualifications or required experience. However, it does require a DPO to have “expert knowledge of data protection laws and practices”. This knowledge should be proportionate to the type of processing your organisation carries out and take into consideration the level of protection the personal data requires. Unsurprisingly, your DPO should also have a deep understanding of the GDPR.
Ideally, a DPO should have excellent management skills and the ability to communicate with internal staff, supervisory authorities and members of the public. They must be able to manage data protection and compliance internally, and ensure they report any breaches or non-compliance to the relevant supervisory authority.
As an employer you also have specific duties when it comes to your DPO, namely, you must ensure that:
The DPO reports to the highest management level of your organisation e.g. the board
The DPO operates independently and is not dismissed or penalised for performing their duty
Adequate resources are provided to ensure the DPO can meet their GDPR obligations
The DPO is a highly accountable role, requiring certain expertise and experience, so it’s important to hire the right person. Organisations should assume they require a DPO – unless they can clearly demonstrate otherwise. Even then, according to advice from the ICO and WP29, it could be best practice to appoint one anyway. Just bear in mind that they will have the same requirements and responsibilities as mandatory DPOs.
In order to comply with the GDPR, organisations must implement appropriate technical measures that ensure compliance. This is established under Article 32, which delineates the GDPR’s “security of processing standards”, and is required of both data controllers and data processors.
When implementing these measures the Regulation does state that “the state of the art and the costs of implementation” and “the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons” must be taken into account.
Due to the different ways organisations collect, store and process data, as well as the different levels of risk these present to users, there will not be one universal set of technical and organisational measures. However, the GDPR has set out some suggested methods for data protection.
Privacy by Design and Privacy by Default
Although supervisory authorities have typically advised that organisations take this approach, for the first time GDPR actually lays out “privacy by design” and “privacy by default” as specific obligations. Under this requirement, companies will need to design compliant policies and systems from the outset.
Under Article 25, a data controller is required to implement appropriate technical and organisational measures at the time of determining the means of processing and at the time of the actual processing. When determining what measures to implement, the controller should take into account “the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the likelihood and severity of risks to the individual posed by the processing of their data”.
In addition, organisations must give individuals the maximum privacy protection as a baseline. This includes explicit opt-ins, safeguards to protect consumer data, restricted sharing, and retention policies. For example, if someone creates a new social media profile, the most privacy-friendly settings will be enabled. It would then be up to the user to reduce these if they so wished. This approach directly lowers the data security risk profile: the less data you have, the less damaging a breach will be.
An essential principle of data protection, data minimisation establishes that personal data should not be retained or further used unless it is necessary for purposes clearly stated at the time of collection. The principle applies to the entire lifecycle of personal data. This includes the amount collected, the extent of the processing and the period of storage and accessibility.
Data must be “adequate, relevant and limited to what is necessary, in relation to the purposes for which they were processed”. This means controllers need to make sure that they collect enough data to achieve their purpose but not beyond that.
Privacy Impact Assessments
These are an integral part of the “privacy by design” approach and can help you identify and reduce the privacy risks of your projects. They allow organisations to find and fix problems at the early stage of any project, and reduce the associated costs and reputational damage that may otherwise accompany a data breach.
Some situations where organisations should carry out a Privacy Impact Assessment (PIA) include:
A new IT system for storing and accessing personal data
A business acquisition
A data-sharing initiative
Using existing data for a new and unexpected or more intrusive purpose
A new surveillance system
A new database that consolidates information held by separate parts of an organisation
Under Article 35 of the GDPR, PIAs are mandatory for organisations with technologies and processes that are likely to result in a high risk to the rights and freedoms of data subjects. However, they are a good strategic tool for any organisation which processes, stores or transfers personal data.
Article 4(5) of the GDPR defines pseudonymisation as “the processing of data in such a way that it can no longer be attributed to a specific data subject without the use of additional information”. For a data set to be pseudonymised, organisations must keep the “additional information” separate and secure from the de-identified data.
The GDPR incentivises data handlers to implement this method because it allows them to use personal data more liberally without infringing on individuals’ rights. This is outlined in Article 6(4)(e), which states that pseudonymised data may be processed for uses beyond the purpose for which that data was originally collected. This is because the data only becomes identifiable when held together with the “additional information”.
However, it is important to note that pseudonymisation is not a cast-iron guarantee of data protection. It does not mean organisations using this method would not need to report a data breach to their supervisory authority.
The effectiveness of pseudonymisation hinges on its ability to protect individuals from “re-identification”. This depends on a number of things, including:
the techniques used for pseudonymisation;
the location of the additional identifiable elements in relation to the pseudonymised data; and
the likelihood that non-identifiable elements could uniquely identify a specific individual
Unfortunately, the GDPR is quite vague on the level of data protection that pseudonymisation itself provides. Only in Recital 26 does it mention that data handlers should take into account whether re-identification is “reasonably likely”.
There are no official guidelines as to what constitutes “reasonably likely”; the GDPR merely advises that data handlers take into account “all objective factors”, for example “the costs of and the amount of time required for identification, the available technology at the time of the processing and technological developments.”
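The following is an added illustration, not code from the original article, of the two points made above: the direct identifier is replaced by a keyed token while the token-to-identifier table (the “additional information”) is held apart from the data set, and the remaining “non-identifiable” columns are checked for combinations that single out one person. The records, the key and the column names are all constructed for the example.

```python
"""Pseudonymisation with the 'additional information' held apart from the data set."""
import hashlib
import hmac
from collections import Counter

# Constructed sample records for illustration; these are not real people.
RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "birth_year": 1980, "plan": "gold"},
    {"email": "bob@example.com",   "postcode": "SW1A 1AA", "birth_year": 1980, "plan": "silver"},
    {"email": "carol@example.com", "postcode": "EH1 1YZ",  "birth_year": 1975, "plan": "gold"},
]

# Constructed secret; in practice it lives in a key store, never beside the data set.
PSEUDONYMISATION_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonymise(records, key, direct_identifier="email"):
    """Replace the direct identifier with a keyed token.

    A keyed HMAC is used rather than a plain hash: an unkeyed hash of an e-mail
    address can be matched by hashing candidate addresses, so on its own it would
    not prevent attribution. Returns the pseudonymised records and the
    token -> identifier table, which is the GDPR's 'additional information'.
    """
    pseudonymised, lookup = [], {}
    for record in records:
        identifier = record[direct_identifier]
        token = hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        lookup[token] = identifier
        pseudonymised.append(
            {"id": token, **{k: v for k, v in record.items() if k != direct_identifier}}
        )
    return pseudonymised, lookup


def reidentify(token, lookup):
    """Attribution is only possible when the separately stored table is present."""
    return lookup.get(token)


def unique_by_quasi_identifiers(pseudonymised, quasi_identifiers):
    """Return ids of records that are the only one with their combination of
    'non-identifiable' attributes. Such records can be singled out even without
    the lookup table, which is the re-identification risk Recital 26 points at."""
    def key_of(record):
        return tuple(record[q] for q in quasi_identifiers)

    counts = Counter(key_of(r) for r in pseudonymised)
    return [r["id"] for r in pseudonymised if counts[key_of(r)] == 1]


if __name__ == "__main__":
    data, additional_information = pseudonymise(RECORDS, PSEUDONYMISATION_KEY)
    print("pseudonymised records:", data)
    print("singled out by postcode + birth_year:",
          unique_by_quasi_identifiers(data, ("postcode", "birth_year")))
```

A record flagged by the last check would need further treatment (generalising the postcode or birth year, for instance) before the data set could be treated as adequately protected against re-identification.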
What should organisations do?
The bottom line is that organisations should embed privacy into every process, procedure and system which handles data. Under GDPR organisations need a proactive approach to data privacy and protection. It should be an important part of the planning process and throughout the entire lifecycle.
There are many security measures that businesses can implement. Ideally, you should be looking at solutions that cover multiple angles. Relying solely on encryption or pseudonymisation won’t cut it.
On the 25th of May 2018, the General Data Protection Regulation (GDPR) officially came into force. The new regulation from the EU, which was four years in the making, aimed to standardise and strengthen data protection across the EU, giving citizens greater control over how companies use their personal data.
With the maximum fine for failing to comply with GDPR being 20 million Euros or 4% of yearly global turnover, it’s imperative that businesses comply with the regulation if they want to stay in business.
Although Britain has triggered Article 50, marking the official start of Brexit, businesses in the UK still need to comply with GDPR. The regulations apply to any organisation who processes the personal data of EU citizens, even if the organisation itself is not in the EU.
Despite organisations being given a two-year transition period to prepare for the start of the GDPR, and the legislation having come into effect, many businesses have made no effort to become compliant.
As GDPR builds on the regulations outlined in the 1998 Data Protection Act, many businesses may mistakenly believe that if they were DPA compliant they will be GDPR compliant. However, there are several major differences between the two.
Below we’ve outlined some quick tips for compliance. We recommend that organisations ensure that they have achieved compliance if they want to avoid the heavy fines that can result.
9 tips for GDPR compliance
1. Appoint a Data Protection Officer (DPO)
Somebody within the firm must hold the role of Data Protection Officer. They don’t have to be a full-time employee and they can be outsourced to a third party, but it’s mandatory that all organisations that process or store customer data have one under GDPR.
2. Know how you can use data
You will likely store personal client data on file and throughout different IT systems. Under GDPR it’s imperative that you understand what personal data you have and how you process it. You may have had initial consent from the client but this does not necessarily mean that you have consent for processing that data in a different manner. You may need to obtain renewed consent, and you will certainly need to review your forms and documents of consent to ensure they are robust enough to cover you.
There’s a big focus on data held about children within GDPR. You need to know how you verify the ages of individuals and how you will get parent/guardian consent for the processing of children’s data.
5. Ensure your data processors are up to speed
It’s worth taking the time to assess every service provider and the individuals who process personal data for you. It’s important they fully understand the changes that have come along and that they are taking responsibility for them. Training would likely be beneficial and it’s also important to continually monitor, report and audit. You can undertake regular PIAs (Privacy Impact Assessments) to review processes and to deal with any required remedial action.
6. Understand your client’s rights
The client has increased rights beyond the 1998 Data Protection Act around the data you hold on them, such as the right to erasure, the right to be informed and the right to restrict processing.
The right to data portability is completely new, so it’s worth taking another look at clients’ rights and going over each of them to ensure your policies and procedures are compliant.
How you delete data and how you present it on demand (i.e. in what document format) are also worth assessing.
7. Review consent and fair processing policies
The GDPR goes beyond legacy requirements around the information that must be provided to data subjects when requesting consent to process personal data. The processes and protection already in place are no longer sufficient under GDPR. Firms should ensure they are using simple language when asking for consent to collect personal data. They also need to be completely clear about how they will use the data; don’t make any assumptions. Silence from a client is not consent. Any issues around the areas of consent will certainly lead to problems and potentially large fines.
8. Prepare for a data breach
Even with GDPR in full swing, many firms have no truly usable documented policies and procedures in place for how they will respond to a security breach. A firm needs to know exactly how they will deal with a breach, as making decisions when it’s all falling apart around you can make a bad situation even worse.
9. Use technology for automation
Many firms will typically have systems in place to assist in performing compliance and risk checks and the same or a similar system can be used to ensure GDPR compliance. It’s worthwhile speaking to the vendors you’re using about how they can assist you in the automatic management (as much as possible) of your compliance regulations around GDPR. After all, the more you can automate, the less risk there is for something to drop through the net.
The General Data Protection Regulation (GDPR) is a piece of EU legislation introduced on the 25th of May, 2018. It changed the way companies are allowed to collect and process data about citizens within the EU, providing more rights to the consumer and introducing stricter penalties for businesses who fail to comply.
Do companies outside the EU need to comply with GDPR?
Any company that processes data of any EU citizens needs to comply with GDPR, even if the company is located outside of the EU. This means that UK businesses will still need to comply post-Brexit and companies in the Americas, Asia, Africa, Australia and even Antarctica will need to comply with GDPR if they process the data of any EU citizen.
Why did the EU introduce GDPR?
The GDPR has been four years in the making, and one of the main reasons for its introduction is the changing ways companies are using personal data. Many companies such as Facebook, Google and other social networks swap access to people’s data for use of their services.
GDPR acted as a modernisation of the 1998 Data Protection Act which didn’t account for the new ways companies were utilising personal data. Another driver behind GDPR was to give businesses a simpler, clearer legal environment to operate in.
Who does GDPR apply to?
This new legislation will apply to both “controllers” and “processors” of personal data. A “controller” states how and why personal data is processed, whereas a “processor” is the one who actually processes the data. It is the responsibility of the controller to make sure that their processor abides by data protection law. However, the processors themselves have a responsibility to maintain records of their processing activity.
What do businesses need to be aware of regarding GDPR?
The GDPR expands the definition of personal data considerably, in line with the types of data organisations collect about individuals.
Organisations must ensure that they process personal data lawfully, transparently and for a specified purpose. Consent from an individual must come in the form of an active opt-in, and there must be a record of how and when an individual gave consent. That individual can withdraw their consent at any time, at which point you must delete the data.
Individuals have the right to ask for access to their data at “reasonable intervals”, and the controller must respond to this request within one month. Controllers can no longer charge individuals for this request unless it becomes excessive or repetitive.
They also have “the right to be forgotten”. Individuals can demand that their data is deleted if it is no longer necessary for the original purpose it was collected. Furthermore, individuals can also demand the erasure of their data if they withdraw consent for data collection or if they object to processing activities.
Controllers must store the personal data in a common format, such as a CSV file, which is easily transferred to another organisation – at the request of the individual. If an individual makes such a request under this rule the controller has one month to comply.
If you fail to obtain proper consent, ignore individuals’ rights over their personal data, transfer data to another country or ignore any of the other principles for processing data then your data protection authority could issue a penalty of up to €20 million or 4% of your global annual turnover, whichever is higher.
There are also financial penalties for those who fail to report a data breach within the specified time period. If upon discovering a data breach, you do not notify your data protection authority within 72 hours then you could face a fine of up to 2% of your global annual revenue or €10 million, whichever is higher.
Currently, the maximum fine for a data breach under the Data Protection Act is £500,000, although, to date, the highest penalty issued has been £400,000 – which was levied on TalkTalk following their breach in 2016. However, if that breach had occurred under GDPR legislation, that fine would have increased to £59 million – a considerable jump!