The EU General Data Protection Regulation, or GDPR for short, is the most important change in data privacy regulation in the last 20 years. It is set to drastically change how businesses in the EU (and businesses outside the EU that handle data of EU citizens) treat data in general.
The deadline for complying with the new rules is May 25th, 2018, the date from which GDPR will harmonise data privacy laws across the European Union and permanently change how companies collect, store, delete, alter and otherwise process the personal data of EU citizens.
The official document is a lengthy one that may confuse even the most experienced data specialists. That’s why we’ve emphasised the most important points in this article, so that you’re ready for the era of GDPR that is upon us.
Who Will GDPR Affect?
The GDPR replaces the previous Data Protection Directive from 1995. Beyond the new rules it lays out, it widens the scope: the law applies to every company that controls the personal data of data subjects in the EU, regardless of where the company is located.
GDPR is aimed primarily at companies with more than 250 employees, but it also applies to companies with fewer than 250 employees if their data processing impacts the rights and freedoms of data subjects or involves sensitive personal data. In practice this means GDPR affects almost all companies, which is reflected in this survey, in which 92% of US companies name GDPR as a top data protection priority.
To understand exactly who GDPR affects, it is important to know the difference between a data controller and a data processor.
A data controller is a company or person that determines the purposes for which, and the way in which, personal data is processed. Controllers are the parties most affected by GDPR and are subject to a number of requirements under EU law. Data controllers typically engage their own data processors.
A data processor is a company or person that processes personal data on behalf of the data controller; the data controller’s own employees are not processors. A good example of a data processor is a data analytics provider: a separate business that processes the data of its customers (the data controllers). Data processors are also affected by GDPR, but less so than data controllers, since many of their obligations are already set out in so-called ‘data processing agreements’.
The same organization can be both a data processor and a data controller, and two separate organizations can be processors of the same data.
GDPR covers both personal and sensitive personal data. Personal data is any piece of information that can be used to identify a person (for example a name, address or IP address). Sensitive personal data encompasses religious and political views, sexual orientation, genetic data and more.
What Will Change
Many of the GDPR’s main concepts and principles are included in, or similar to, those in the DPA (Data Protection Act), so companies that already comply with the DPA have a very solid foundation to build upon.
The main driver of change in how companies approach data security is the short timelines being put in place. GDPR requires companies to notify the relevant authority in each affected country within 3 days of a data breach, together with a full report that accurately identifies the citizens impacted by that breach. Previously, getting to the bottom of a typical breach could take at least 2 months.
Companies also need to make personal data portable, meaning that their users or clients can have their data erased or moved to another company.
Security teams will be strongly influenced by GDPR, since existing processes will need to be re-engineered. In most cases the new processes will have to involve a DPO (data protection officer), who will be responsible for everything related to data protection and will be the main point of contact between the company and the national authorities.
A recent survey by Ovum makes it very apparent that businesses are seriously concerned about the data privacy regulatory landscape. Here are some of the most important findings:
- Two-thirds of businesses expect to have to change their global business strategies to accommodate new data privacy regulations
- Over half of businesses think they will be fined due to the pending General Data Protection Regulation (GDPR) in Europe
- More than 70% of businesses expect budgets to rise to meet new data sovereignty regulations
- The U.S. is the least trusted country for respecting privacy rights, lagging behind China and Russia
One of the most worrying aspects of GDPR is the increase in the level of monetary penalties. Coupled with the Ovum findings, this means the fines are not to be taken lightly.
Smaller offences will result in fines of up to €10 million or 2% of a firm’s global turnover (whichever is greater). More serious offences will be fined up to €20 million or 4% of a firm’s global turnover (again, whichever is greater).
An article by The Register states that the ICO’s 2016 fines in the UK would have been 79 times higher under the GDPR: 2016’s £880,500 in fines would have been the equivalent of £69 million under GDPR.
How to Prepare
The Information Commissioner’s Office (ICO) has prepared a guide with 12 steps every company should take to comply with the GDPR. Here’s a shorter version:
1) Awareness
Decision makers and key people in any organization should be aware that the law is changing to the GDPR. This helps avoid last-minute preparations before May 25th, 2018.
2) Information you hold
Every piece of personal data held by a company should be documented, including where it is stored, where it came from, who it is shared with and why.
3) Communicating privacy information
All privacy notices should be reviewed. When collecting personal data a company must give notice to the people it collects it from, and the requirements for privacy notices will change under GDPR.
4) Individuals’ rights
Companies should check their procedures to ensure that they cover all the rights individuals have. The GDPR includes the following rights:
- The right to be informed
- The right to access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subjected to automated decision making including profiling
5) Subject access requests
Companies should update their procedures for handling access requests. An organization that handles a large number of access requests should consider the logistical implications of having to deal with them more quickly.
6) Lawful basis for handling personal data
Companies should identify the lawful basis in the GDPR for their processing activities, document it and update their privacy notice to explain it.
7) Consent
Companies should record how they seek, record and manage consent, and whether they need to make any changes. Read this detailed guidance to learn more about consent.
8) Children
Companies should start thinking about whether they need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
9) Data breaches
Companies should make sure they have the right procedures in place to detect, report and investigate a personal data breach in time. Failing to report a data breach in time will result in a fine.
10) Data protection by design and data protection impact assessments
Previously, adopting a privacy by design approach and carrying out a Privacy Impact Assessment (PIA) as part of it was merely good practice. Under GDPR, privacy by design becomes a legal requirement, and the assessments are referred to as Data Protection Impact Assessments, or DPIAs for short.
11) Data protection officers (DPOs)
Most companies should hire a DPO as someone who takes responsibility for data protection compliance. Companies must hire a DPO if they are:
- A public authority
- An organization that carries out the regular and systematic monitoring of individuals on a large scale
- An organization that carries out the large scale processing of special categories of data, such as health records, or information about criminal convictions
12) International
If an organization operates in more than one EU member state, it should determine which is its lead data protection supervisory authority and document this.
GDPR is coming soon and the impact of this change will be big. There is a lot going on in this period of change: there are reports that many companies in digital media are trying to shift responsibility to one another. Clients want agencies to assume the risks, agencies insist publishers assume them, and publishers pass them on to tech vendors.
The businesses most liable for fines are the data controllers, as they are the source of consumer data. Examples of data controllers are publishers and advertisers that operate websites.
If you’re having issues getting ready for the GDPR, or you would like someone to do it for you, our team at GlobalDots specializes in data security and GDPR compliance – feel free to contact us and request a free consultation!