Part 2 of 3
The General Data Protection Regulation (GDPR) has been introduced by the EU in order to give consumers more control over their personal data. New consumer rights, new rights of access to personal data, and the right to object to the processing of personal data and to withdraw previously given consent, are all part of its foundation. Customers can now request that their data be erased entirely (‘right to be forgotten’) or request a copy of all the information that is held by an organisation so that it can be sent to another organisation.
“The major shift with the implementation of the GDPR will be in giving people greater control over their data. This has to be a good thing,” explains Elizabeth Denham, Information Commissioner. “Today’s consumers understand that they need to share some of their personal data with organisations to get the best service. But they’re right to expect organisations to then keep that information safe, be transparent about its use and for organisations to demonstrate their accountability for their compliance.”
To meet these requirements, organisations will have to fundamentally change the way that they process and store data, and the data they hold needs to be readily locatable. To be compliant with the GDPR they will need to perform a GDPR self-assessment, map all their data, determine what is held and make sure that data is safe. Collating all this information quickly could be an issue if it is spread across networks, folders, individual PCs and third-party data handling services such as cloud backup, order processing and customer support.
The regulation also requires companies to implement reasonable data protection measures to protect consumers’ personal data and privacy against loss or exposure.
“[GDPR] will fundamentally alter the scale, scope and complexity of the way personal information is processed,” said Mark Thompson, global privacy advisory lead at KPMG. “The regulation is going to require most organisations to make significant enhancements to their privacy control environment and rethink the way they collect, store, use and disclose personal information.”
Personal Data and Processing
The regulation regarding the collection and processing of personal data, whether of external customers and clients or of internal employees, will affect all organisations. The principles of processing personal data outlined by the GDPR state that personal data should be:
- processed lawfully, fairly and in a transparent manner in relation to the data subject;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The responsibility for maintaining these principles falls to ‘controllers’ and ‘processors’, which are defined as:
- Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data – i.e. your business.
- Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller – such as an accounting firm, a marketing agency or an outsourced HR team.
Guidance outlined by the ICO states that: “If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR. However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.”
Consent, Accountability and Lawful Processing
Consent is probably the most talked-about change introduced by the GDPR, and something that organisations will need to address. Consent must now be a positive opt-in and cannot be inferred from silence, pre-ticked boxes or inactivity. The GDPR raises the bar to a higher standard, as Elizabeth Denham, Information Commissioner, outlined in another of her blogs:
“Consent under the current data protection law has always required a clear, affirmative action – the GDPR clarifies that pre-ticked opt-in boxes are not indications of valid consent. The GDPR is also explicit that you’ve got to make it easy for people to exercise their right to withdraw consent. The requirement for clear and plain language when explaining consent is now strongly emphasised. And you’ve got to make sure the consent you’ve already got meets the standards of the GDPR. If not, you’ll have to refresh it.”
Organisations are not required to automatically ‘repaper’ or refresh all existing DPA consents in preparation for the GDPR, but if they rely on individuals’ consent to process their data, they need to make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.
However, consent is not the only lawful basis, and the rules around consent apply only if you are relying on consent as your basis for processing personal data. There are five other lawful bases for processing personal data, which may be more appropriate than consent:
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- processing is necessary for the purposes of the ‘legitimate interests’ pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The other significant addition to the regulation is the accountability principle. Although this has been a requirement of previous data laws, the GDPR has elevated its significance and now requires organisations to show how they comply with the principles – for example, by maintaining internal records of processing activities, carrying out privacy impact assessments and adopting privacy by design. These measures aim to minimise the risk of breaches and improve the governance of data.
Reporting Data Breaches
The whole reasoning behind this new legislation is to protect personal data. Data breaches have been the scourge of many companies, and the GDPR has been put in place to hold irresponsible companies accountable for their shortcomings.
A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. Data breaches are therefore high on the agenda regarding the GDPR, and it is under this regulation that organisations could face heavy fines if a major breach occurs.
“It will be mandatory to report a personal data breach under the GDPR if it’s likely to result in a risk to people’s rights and freedoms. So if it’s unlikely that there’s a risk to people’s rights and freedoms from the breach, you don’t need to report,” explained Elizabeth Denham, Information Commissioner. “Fines can be avoided if organisations are open and honest and report without undue delay, which works alongside the basic transparency principles of the GDPR.”
You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed, such a breach is likely to have a significant detrimental effect on individuals – for example, resulting in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage.
A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay. Failing to notify a breach when required to do so can result in a significant fine of up to €10 million or 2% of global turnover.
Download and use our GDPR Compliance Checklist and Workbook to carry out a self-assessment of the data that you hold and determine what you need to put into action in order to comply with the new GDPR requirements.