The General Data Protection Regulation (GDPR) is coming into force in the EU from May 2018.
GDPR is about protecting the privacy of an individual’s personal data. It’s been introduced to bring different rules across EU countries into a single set and to make sure companies respect and take care of the personal data that they hold on their customers and prospects.
There are five key elements of GDPR that are most important and most relevant for you now:
On paper GDPR brings fines of up to €20,000,000 or 4% of Global Turnover of a business, whichever is the higher. However, it’s going to take some significant non-compliance, intentional poor behaviour and slack attitude towards security to get hit with the highest level (plus compensation on top) but if the intent was to get companies to sit up and take notice, then it’s working.
You will need to consider GDPR for each part of your business that processes personal data and assess the risks to the individuals whose data you process. You’ll also need to consider the commercial, financial and reputational risk to your company. It doesn’t mean you must go into full lock down mode but you will need to take GDPR seriously and adopt appropriate actions.
These principles underpin the GDPR legislation. In very quick summary, personal data must be:
- processed lawfully, fairly and in a transparent manner;
- collected for specified, explicit and legitimate purposes;
- adequate, relevant and limited to what is necessary;
- accurate and up to date;
- kept for no longer than necessary;
- and processed with appropriate security against access or loss.
It would be difficult to argue with the reasonableness of these principles and the challenge now lies in adopting the processes and controls to ensure that these principles are upheld.
One of the key aspects of GDPR is that it demands that companies not only comply with the rules but are able to demonstrate how they comply.
This means that you may need more policies and statements, and you will have to ensure that your senior team and staff are adequately trained. At the highest level this means undertaking Privacy Impact Assessments (specific assessment processes defined in GDPR) to determine what the risks are and what you need to do to mitigate them. It also means you’ll need to do much more record keeping and ensure your IT security and processes are up to date and appropriately strong.
The principles covered earlier include the requirement to ensure data is processed lawfully and this is achieved by one of six Lawful Bases stated in the GDPR. Three cover public interest, legal necessity or vital interests of the subject but the ones relevant to most companies are consent, contractual necessity and legitimate interest.
There has been a lot of focus on “consent”, along with a lot of myth and misunderstanding. The Information Commissioner’s Office (ICO) in the UK have been providing much greater clarity here, confirming that GDPR Consent is not mandatory for processing data. It is just one Lawful Basis that you can rely upon. And it is potentially the most difficult to successfully achieve. The threshold for consent has been significantly raised under GDPR and there are many ways that it can be invalidated. It also confers additional rights on the individual and consequently it could lead to higher levels of fines for non-compliance than if it was not relied upon in the first place. The ICO suggest Legitimate Interest is the better option for most companies.
This is where the key issues are going to arise and where the biggest fines are likely to be applied. The rules around reporting of data breaches (along with the requirements to take technical and organisational measures to avoid them in the first place) have been significantly raised. The new legislation demands that you must report any significant data breach to the local supervisory authority within 72 hours of first becoming aware of it. That’s a very short amount of time to assess what has occurred. Furthermore, there is a requirement to notify personal data breaches to the affected data subject without undue delay. The key is to do everything to ensure that any risk of a data breach is minimised and prepare for the event well beforehand so that you’re drilled and ready to act.
These five points provide a sound base to gain an understanding of GDPR and the practical implications. It’s worth taking the time to investigate more to ensure you’re prepared well before the enforcement date of May 25th, 2018.
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
The Invenias solution
At Invenias, we know how much our customers rely on us to ensure data protection is at the heart of the design, build and operation of our platform. Our most recent initiatives support the latest developments in data privacy and GDPR with dedicated features and functionality to assist with compliance. For additional information and resources relating to the GDPR, visit invenias.com/gdpr or email firstname.lastname@example.org.