13 Steps to prepare your business for GDPR

1. What does GDPR mean?

GDPR (General Data Protection Regulation) is a new legislation being brought in with the aim of policing, strengthening and unifying the security of peoples individual data within the EU. The Internet has forever changed the way the world communicates. More and more organizations are beginning to integrate cloud computing into their IT Infrastructure. Therefore, the core objective of GDPR is to give people more power and more control over their individual data and how it is used and stored by organizations.

At present, the UK relies upon the Data Protection Act 1998. This law will become obsolete when GDPR legislation comes in to play. Data protection laws throughout the EU will be one and the same with 27 national data protection regulations combining into one. GDPR introduces more severe penalties for data breaches and non-compliance, and gives people more power over what companies can do with their data.

GDPR will apply for all non-EU companies without any establishment in the EU, provided the processing of data has a direct impact on EU cititzens. The Regulation also applies to processing outside the EU in relation to the offering of goods or services to EU residents or the observing of their behavior.

 

2. What is the reason for GDPR?

Your data is exchanged on social media and search engines in exchange for your use of their services.

The EU wants its people to have greater control over their personal data as the current UK law (Data Protection Act 1998) came into play in days prior to the meteoric advance of online technlogies.

The internet and cloud computing gave birth to an unprecedented online landscape, resulting in new ways of using and abusing data. GDPR endeavours to police that. By bolstering data protection laws and introducing stricter vigilance, the EU aspires to improve peoples trust in the fast evolving online economy.

The EU wants to give businesses a simpler, clearer legal environment in which to operate. Data protection law will be identical throughout one single market. The EU estimates businesses will save €2.3 billion a year.

 

3. GDPR will kick in when, exactly?

GDPR will kick in across all countries in the EU from 25 May 2018. GDPR is a regulation, not a directive, which means when it is brought into play, the UK will not need to draw up new legislation. Instead, it will apply automatically. Businesses and organisations have until 25 May 2018 until the law actually applies to them, although it became official on 24 May 2016 once all countries of the EU agreed.

Most IT security professionals are prepared for GDPR but some surveys say little less than 50% are not. 

Studies conducted by Imperva reported a majority 55% of companies don't understand how GDPR will affect their business. It is critical for those organizations to make the necessary adjustments to get in line with the new legislation in order to avoid a data breach with a potential fine of crippling proportions.

A common misunderstanding among UK businesses is they no longer need to be prepared due to Brexit.

In many cases, this is not true.

Yes - the UK has voted to leave the EU but the law will still be applicable to businesses trading with European member states or holding information on citizens of the EU. If this breeds confusion or you are still unclear, it is imperative you seek further understanding. Please read further.

1/3 of businesses are not preparing for GDPR while 28% are not aware of preparations being made.

 

4. Who needs to understand GDPR?

Any organisation. Public or Private.

Any company who process data on a daily basis.

So in a nutshell - everyone really.

Anyone who’s role involves overseeing and handling data. Personnel responsible for declaring how and why personal data is managed (Controllers), and people dealing with data on a daily basis (Processors).

For a processor, there are distinct legal liabilities under GDPR. A processor must keep updated records of personal data as well as record labouring methods of how they process data. There's a greater legal liability on a processors' shoulders if responsible for a data breach. These responsibilities are new under GDPR.

The Controller is the business owner who'll be obliged to ensure contracts with processors adhere to GDPR.

GDPR will still apply if your business is based outside the EU if you handle personal data of an EU citizen.

An organisation's responsibility is to ensure staff who handle data are in line with GDPR. People processing data in a business are responsible for maintaining a record of their actions. If a staff member were to be caught in a data breach, punishments will be more severe under GDPR than under the Data Protection Act.

GDPR does not apply to exceptional activities involved in data processing conducted by Law Enforcement, National Security and processing by individuals purely for personal/household purposes.

 

5. What is a 'lawful breach'?

 'Lawful' in this context can have a variety of meanings of which not all need to apply in any given case. 

  • If the subject has consented to their data being processed
  • to comply with a contract or legal obligation
  • to protect an interest that is "essential for the life" of the subject
  • if processing the data is in the public interest;
  • If doing so is in the controller's legitimate interest - such as preventing fraud.

Only one of these justifications has to apply in order to process data.

 

6. How do I get consent under the GDPR?

Consent must be an affirmative decision by a person regarding their data, as opposed to passive acceptance existing under current data protection laws that allow for pre-ticked boxes or opt-outs.

Organisations must maintain detailed up-to-date records of consent given by individuals. An individual has the freedom of choice to withdraw their consent whenever they wish. If your existing data collection model for obtaining consent does not meet new laws falling under GDPR, you will either have to make adjustments to your existing model in order to meet GDPR laws or stop collecting data.

 

7. What counts as personal data under the GDPR?

Data records of financial, cultural or mental health natures are now part of the personally identifiable 'tree of information'. An IP address and other online identifiers like email qualify as personal data.

All previous personal data under the Data Protection Act will still qualify as personal data under GDPR.

False personal data may also be subject to GDPR rules. This will vary depending on how difficult it is to identify the data and attribute it to an individual.

For most companies, keeping HR records, customer lists, or contact details will bare little difference as previously under DPA. A recommended best practice would be to document what personal data you currently posess, the source of that data and who you have since shared it with. You may need to organise an information audit across the organization or within particular areas of the company.

 Sensitive personal data – what is it?

GDPR refers to sensitive personal data as “special categories of personal data”. These categories are the same as those in the DPA for the most part. However, there are a few little adjustments worthy of note.

For example, there are specific divisions for the use of genetic and biometric data where data of this nature is processed to identify a particular individual for cases such as the dealing of criminal conviction cases.

 

8. When can people access the data we store on them?

People will have the right to access any information a company holds on them. They have the right to know why their data is being processed, for how long it will be stored and who sees their data. Organisations should provide secure, direct access so people can review  information stored about them.

They can demand any false data to be amended whenever required.

Organizations must respond to people asking for access to their data within one month. Transparency is mandatory for businesses from top to bottom in terms of how they collect data, their storage processes, how they use it and all must be explained clearly to people when required.

 

9. Who can ask for their data to be deleted?

If the purpose for collecting data is no longer necessary, anyone can demand their data be omitted from a company's records. This is known as the 'right to be forgotten'. Under this law, people can ask for their data to be destroyed if they no longer want their data collected or disagree with how it is being handled.

All organizations are culpable for telling other businesses (social media platforms and search engines included) to omit links to copies of that data, as well as the copies themselves.

The GDPR includes the following rights for individuals:

  • right to be informed
  • right of access to their data
  • right to rectify any false data
  • right to delete data
  • right to prevent processing of data
  • right to data transfer
  • right to object
  • right not to be profiled or subjected to automated decision making

 

10. What if they transport my data somewhere off site?

Companies must store people's information in formats such as CSV files to be easily transported to another business at no cost if demanded. The responsible organization must complete this process within a month.

 

11. What your business is at centre of a data breach?

It is the responsibility of the individual to inform their data protection authority of a data breach within 72 hours of an organisation being made aware of the breach.

It is understood 72 hours is a limited period of time and every detail of a breach may not be accessible.

The first point of contact with the Commissioners Office should outline what data it is, who has been affected, potential ramifications for those affected in the future, what measures are already in place and what the course of action for reply is.

Prior to contacting the data protection authority, it will be standard practice to inform any person affected by a data breach. A business failing to meet the 72-hour deadline would receive an imposing penalty of up to 2% of their annual worldwide revenue.

Current fines delivered by the ICO have a maximum penalty of £500,000. Fines will increase exponentially under GDPR, resulting in hard-biting fines for substantial errors concerning data protection. It is of monumental importance to ensure your business and your processing practices run parralel with GDPR.

 

12. Any other fines to worry about?

Not adhering to fundamentals for handling data like an individual's approval, ignoring personal rights to data and sending data overseas have significantly heavier consequences. Your data protection authority could fine you up to 4% of your global annual turnover should your business be at centre of such a breach.

 

13. If the UK is leaving the EU, why does it matter?

The UK is leaving the European Union - but as the UK government set off article 50 on March 29th 2017, this prompted the UK to officially leave the EU on March 29th 2019. The UK will have to adhere accordingly under GDPR regulations from May 25th 2018 until March 29th 2019. 

The UK will still be a member state of the EU on May 25th 2018 and approximately 10 months thereafter. Therefore, it would be of best interest for British businesses to familiarise themselves with GDPR and maintain high standards for protecting people's data.

As the UK will have adopted GDPR by the time Brexit takes place, any replacement form of legislation will be based on GDPR. Attempts to persuade the EU to accommodate a completely new legislation for 10 months is highly unlikely. In a presentation to a House of Lords Home Affairs sub-committee in February 2017, UK Digital Minister Matt Hancock stated, as evidence, it is the UK's focus to ensure an "uninterrupted and unhindered flow of data" between the UK and the EU.

Political moves have been made to move forward not from a stand-off stance of nonconformity, but from an agreeable position of compatibility. The UK will work conjunctively with GDPR and don't expect the EU to adhere to a temporary law. If this were the case, the potential ramifications for future relations between the UK and the EU could potentially lead to fractious results.

Therefore, the UK will operate in full accordance with GDPR. The EU will not have to change their regime in order to bring compliance with Britain. It is expected the UK will adopt equivalent legislation to the GDPR following Brexit, so UK companies who continue to use EU data can do so legally.

However, all is not certain beyond Brexit so it's critical to remain updated on everything GDPR.

 

 

Huw Tremlett

Data Management Consultant

Huw Tremlett