The GDPR regulations will be one of the most sweeping and potentially disruptive changes to business operations in a generation. The way in which an organisation handles information must adapt dramatically to comply with these new rules. This means conducting a review of the whole information flow to show regard for an individual's right to privacy, from the point of swapping business cards to closing a customer account and everything in between. The following is a guide to assist you in devising policies to deal with these changes.
1. What is GDPR
GDPR refers to the General Data Protection Regulations, based on European rules that update the “data protection directive”. The aim is to bring together all of the current directives governing access to an individual’s private information in one place. The new statutes will be binding on all member states and will have greater power than all previous directives, as they are now legislation. It aims to bring about consistency for all organisations that possess or transfer data within the EU or want to trade within its territory.
The GDPR concerns itself with:
1. The right of access
2. The right to rectification
3. The right to erasure
4. The right to restrict processing
5. The right to data portability
6. The right to object
7. The right to be informed
8. Rights in relation to automated decision making and profiling
9. Restrictions on the transfer of personal data outside the European Union
The process is still not final, as there are around 50 articles pending ratification. However, those already compliant with the current Data Protection legislation are more than halfway there.
2. If we are going to leave the EU does it still apply to us
The current government have indicated they will adopt the proposals regardless of Britain leaving the EU. It is considered good practice, and we would need to comply if we want to trade within the zone anyway.
3. What classifies as a data breach and what do I need to do if it occurs
A data breach is unauthorised access leading to the destruction, theft, alteration, unauthorised disclosure of, or access to, personal data. This means a breach is more than just losing personal data: it is any act that is likely to result in a risk to the rights and freedoms of the individual (e.g. access to private data leaves that person vulnerable to identity theft).
The regulation focuses on how an organisation deals with breaches rather than on each individual breach in isolation. Therefore, adequate recovery procedures should be in place in order to minimise the impact of a breach. These procedures need to be tested and understood throughout the organisation. Basically a data ‘fire drill’ that is thoroughly tested.
Standard policy is to investigate the cause of each breach, notify those affected and establish how future incidents can be prevented.
4. When and who do I have to notify
A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.
Supervisory Authority:
You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals (for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality etc.).
Individual:
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you must notify those concerned directly. A ‘high risk’ means the threshold for notifying individuals is higher than for notifying the relevant supervisory authority.
5. Are there penalties for a breach
Once it becomes law, non-compliance will be a criminal offence subject to administrative fines up to €10m or 2% of global turnover – whichever is greater.
6. When does it come into effect
In the UK from Friday 25 May 2018
7. What are my responsibilities
The Act applies throughout the period when you are processing personal data, e.g. this duty continues even if a company is dissolved and still has stored information.
You should hold personal data for no longer than is required for its original intended purpose.
Part of your procedure should include a review period, and you need to endeavour to keep the minimum amount of information required. This extends to all third parties you have shared the information with.
8. What sort of data is covered
Any information that can be accessed, read or manipulated including information recorded on paper as well as digital records.
This includes any uniquely identifiable references such as IP addresses, payroll number and/or customer IDs.
Pseudonymisation:
A new term, referring to the technique of processing personal data in such a way that it can no longer be attributed to a specific “data subject” without the use of additional information, for example replacing an individual’s name with a unique number.
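To make the definition concrete, the following is an added example (not part of the original guide) of pseudonymising a small set of constructed HR records in Python. The name is replaced by a keyed, one-way token (HMAC-SHA256 under a secret key), and the re-identification table that maps tokens back to names is produced separately. The key and the table are the “additional information”: without them the records cannot be attributed to a person, while the same person always receives the same token, so the data set remains usable for analysis. All names, the key and the records are constructed sample data.

```python
"""Pseudonymisation demo (added example, not from the original guide).

Replaces each data subject's direct identifier (name) with a keyed token.
Re-identification requires "additional information" held apart from the
pseudonymised data set: the secret key and the lookup table built here.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample records, as a controller might hold them.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"name": "Alice Example", "department": "Sales", "salary_band": "B"},
    {"name": "Bob Example", "department": "Sales", "salary_band": "C"},
    {"name": "Alice Example", "department": "Sales", "salary_band": "B"},
]


def make_token(name: str, key: bytes) -> str:
    """Derive a stable pseudonym for a subject.

    HMAC-SHA256 is keyed with a secret held apart from the pseudonymised
    data, so the token cannot be recomputed (or brute-forced from a list
    of likely names) without the key. The name is normalised first so that
    trivial spelling variants map to one subject.
    """
    normalised = name.strip().lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return "subj-" + digest[:16]


def pseudonymise(records: List[Dict[str, str]],
                 key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Return (pseudonymised records, re-identification table).

    The table is the 'additional information' of the GDPR definition; it
    must be stored and access-controlled separately from the records.
    """
    lookup: Dict[str, str] = {}
    out: List[Dict[str, str]] = []
    for rec in records:
        token = make_token(rec["name"], key)
        lookup[token] = rec["name"]
        new_rec = {k: v for k, v in rec.items() if k != "name"}
        new_rec["subject_id"] = token
        out.append(new_rec)
    return out, lookup


def reidentify(token: str, lookup: Dict[str, str]) -> Optional[str]:
    """Map a token back to a name; only possible with the lookup table."""
    return lookup.get(token)


def no_direct_identifiers(pseudonymised: List[Dict[str, str]],
                          originals: List[Dict[str, str]]) -> bool:
    """Check that no original name survives in any field of the output."""
    names = {r["name"].lower() for r in originals}
    for rec in pseudonymised:
        for value in rec.values():
            if value.lower() in names:
                return False
    return True


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed at run time; keep it apart
    records, table = pseudonymise(SAMPLE_RECORDS, key)
    for r in records:
        print(r)
    print("re-identified:", reidentify(records[0]["subject_id"], table))
    print("names removed:", no_direct_identifiers(records, SAMPLE_RECORDS))
```

Note that the output is still personal data under the GDPR because the controller keeps the means to re-identify it; pseudonymisation reduces risk (a leaked data set alone reveals no names) but does not take the data outside the regulation, and the key and table need the same protection as the original records.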
9. What is considered to be Sensitive Personal Data
Special priority is given to what is considered to be “Sensitive” information, which includes:
• Racial background.
• Political affiliations.
• Religious beliefs.
• Trade union membership.
• Physical or mental condition.
• Sexual activity or orientation.
• Any alleged or actual criminal offence.
Profiling is any form of automated processing intended to evaluate certain personal attributes of an individual, with particular regard to predicting their behaviour, e.g. shopping habits.
This could encompass performance at work; economic situation; state of health; personal choices; reliability; behaviour; location; or movements.
Ensure processing is fair and transparent by providing meaningful information that is fit for the original intended purpose and considers each outcome and distinct consequences.
10. What are data “controllers” and “processors”
The regulation draws a distinction between a ‘data controller’ and a ‘data processor’ to recognise the difference between the management of information and those who carry out the function.
Data Controller:
Whoever determines the purpose of the processing and how the data should be processed is considered to be a “Controller”. Usually this is an organisation or persons in a management position. Data controllers remain responsible for ensuring their processing complies with the Act.
Data Processor:
An organisation or persons who are responsible for data entry, maintenance of any information system or use of the information in some way or form (e.g. the developer who designs online forms, staff who conduct data entry or a cloud service provider).
11. How is the data I have affected
The data controller defines why and how data has been collected. If you hold personal data you should be able to give “a description of any recipient or recipients to whom you intend or may wish to disclose the data, as well as the purpose and intent for collecting that personal data”.
• You should not hold personal data “just in case” you might need it in future.
• Reasonable steps should be put in place to ensure the accuracy of the information and that it is kept up to date.
• It is suggested that data is segmented into different categories as it becomes easier to manage.
• Policies should be put in place to determine appropriate retention periods.
• Carry out regular audits, weighing the current and future value of the information against the risk of deleting it prematurely.
• Organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach.
12. What about staff training to encourage best practice
Build a culture of security and awareness so all staff are aware of their responsibilities for protecting personal data. This includes:
• Procedures to identify callers so data is not shared by deception.
• Reasonable steps to ensure the reliability of staff.
• Physical security: the quality of doors and locks, alarms, security lighting or CCTV; supervising visitors; disposing of paper waste securely; and keeping portable equipment secure.
• Arrangements for staff who work from home.
13. What happens when I get a request from an individual
An individual can make a “subject access request”, which must be responded to within 40 calendar days of receipt. They have a right to the following:
Right To Be Forgotten:
Individuals have the right to have their data ‘erased’ in certain specified situations – in essence where the processing fails to satisfy the requirements of the GDPR.
Right To Prevent Processing:
In some situations, this right gives an individual an alternative to requiring data to be erased; in others, it allows the individual to require data to be held in limbo whilst other challenges are resolved.
Individuals have a right to:
• Access a copy of all information held (either directly or via an appointed agent or third party).
• Object to processing of that information.
• Object to decisions being taken by automated means.
• Have inaccurate personal data rectified (within one month), blocked, erased or destroyed (even from backups).
• Claim compensation for damages (enforceable only through the courts).
• Receive their data in an intelligible, transparent and easily accessible format.
• Prevent their personal data being processed for direct marketing.
Data Portability:
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.
You must provide the personal data in a structured, commonly used and machine-readable form. Open formats include CSV files. Machine-readable means that the information is structured so that software can extract specific elements of the data. This enables other organisations to use the data.
The information must be provided free of charge.
If the personal data concerns more than one individual, you must consider whether providing the information would prejudice the rights of any other individual.
Your rights:
• Apply an administrative fee based on the administrative cost (maximum £10 per request).
• Restrict the processing of any disputed data until you have verified its accuracy (no need to delete, modify etc.).
• Refuse where the request conflicts with freedom of expression, a legal obligation, the performance of a public interest task or the exercise of official authority.
• There is no limit to the number of requests an individual can make, but you have some discretion when dealing with requests that are made at unreasonable intervals.
14. What is a “Data Protection Officer” and do I need one
Any organisation is able to appoint a Data Protection Officer (DPO). Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.
The GDPR does not specify the precise credentials a DPO is expected to have. It does require that they should have professional experience and knowledge of data protection law.
You must appoint a DPO if you:
• Are a public authority (except for courts acting in their judicial capacity);
• Carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
• Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
You may appoint a single DPO to act for a group of companies or for a group of public authorities, taking into account their structure and size.
Responsibilities
• To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
• To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
• To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).
Powers and rights of a DPO:
• The DPO reports to the highest management level of your organisation, i.e. board level.
• The DPO operates independently and is not dismissed or penalised for performing their task.
• Adequate resources are provided to enable DPOs to meet their GDPR obligations.
15. What do I need to do to comply
Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
• Data Protection Impact Assessments (DPIAs, also known as Privacy Impact Assessments or PIAs) are tools which can help organisations identify the most effective way to comply.
• Codes of Conduct may be created by trade associations or representative bodies.
16. Are there exemptions
There may be exemptions, but only where the restriction respects the individual’s fundamental rights and freedoms and is a necessary and proportionate measure to safeguard, for example, national security, defence, prevention of crime, protection of judicial proceedings, law enforcement etc.
17. What are some of the implications of GDPR
• Contacts held within CRM systems may be redundant where there is no “explicit consent”.
• Auditors may not sign off on accounts, or may add a comment. This may affect a company’s credit rating and public sector bids, as the public sector will enforce it.
• E.g. CVs kept too long: you must show a reason to retain them.
• No spamming or illicit phone calls. Working under a pseudonym is covered, including employee numbers. Biometrics include manual records. Affects duplication. This will create a nation of informants as the public are encouraged to exercise their rights.
• A pre-used checklist cannot be used.
• Buying lists for marketing may not comply, as there is no consent.
• Mining for AI. Email tagging and storing emails. Business justification. Voice calls.
18. What about 3rd party relationships
The GDPR will impose both direct compliance obligations on data processors as well as specific contractual requirements for the data controller to include in their data processing agreement. Third party vendor agreements for compliance with the GDPR should be put in place.
19. What about where data is transferred beyond the EU
The GDPR permits personal data transfers to a third country or international organisation subject to compliance with set conditions, including conditions for onward transfer. Similar to the framework set forth in the Directive, the GDPR allows for data transfers to countries whose legal regime is deemed by the European Commission to provide an “adequate” level of personal data protection. In the absence of an adequacy decision, however, transfers to non-EU states are also allowed under certain circumstances, such as by use of standard contractual clauses or binding corporate rules (BCRs).
20. What about the rights of the child
A child has a right to information if they are deemed mature enough to understand what is involved (no age limit has been defined). The consequences of divulging that information to parents or guardians must also be considered (in case of abuse etc.). There is concern regarding online privacy and profiling.