From 25 May 2018, organizations in the UK will have to meet new regulations surrounding their use and storage of personal data.
Earlier this year, the European Parliament passed the final vote on the new GDPR, which will be a “complete overhaul of EU data protection rules”. The reform will replace and update the current data protection directive dating back to 1995, or in the UK, the 1998 Data Protection Act (DPA).
The GDPR legislation is intended to protect the rights of European citizens, allowing them to determine how and when their personal information is used and to whom it is revealed to. It also presents a number of different obligations for businesses who handle the personal data from EU customers.
According to Ovum, 52% of organizations already believe it will result in fines for their business and 68% feel that it will dramatically increase the costs of doing business in Europe. However, the Information Commissioner’s Office (ICO) believe organizations should start planning now. Rick Powles, Regional Vice President, EMEA, Druva said: “Preparing for this shift can help ensure that everyone’s data is protected across the business.”
What does this mean for business?
Any company who has customers within the EU will have to handle their data in a manner that complies with the GDPR. Although many of the main concepts within the new legislation are much the same as the current DPA, there are a few changes and it’s important for businesses to appreciate the impact these changes are likely to have.
According to the ICO, businesses may need to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. They said: “In a large or complex business this could have significant budgetary, IT, personnel, governance and communication implications.”
The GDPR requires businesses to demonstrate how they have complied with the principles, no matter where the company is based or how they store their data. The GDPR will also require all organizations who collect personal data from EU citizens to prove “clear and affirmative” consent to process that data.
Prior to the GDPR, there had been no legislation regarding breach notification, except for electronic communications service providers. However, the new regulations introduce a mandatory breach notification. According to Two Birds, “there are new limitations on the use of consent and the processing of children’s data” and “specific restrictions on the ability to rely on “legitimate interests” as a basis for processing and some clarification as to when it may be used.”
Who does it apply to?
If your business is currently subject to the DPA, it’s likely that it will be subject to the GDPR, especially if you are operating internationally. It applies to processing carried out by company’s within the EU but also organizations outside the EU which offer goods or services to EU citizens.
The GDPR applies to both ‘controllers’, those who say how and why personal data is processed and ‘processors’, those who act on the controller’s behalf.
According to the ICO, the GDPR has specific legal obligations for processors to follow, as they will be required to maintain records of personal data and processing activities. These new requirements mean the processor will have more legal liability should the business be subject to a breach.
If you are a controller however, you will still be obliged to ensure your contracts with processors comply with the GDPR and be responsible for demonstrating the business complies with the principles.
What information does it apply to?
Similar to the DPA, the GDPR applies to ‘personal data’ and ‘sensitive personal data’. However, both of these categories have some minor changes in the new framework.
The GDPR defines personal information in more detail to demonstrate how wide changes in technology has altered the way businesses now collect data and information about people. Under the GDPR, information such as an online identifier, for example IP addresses or cookies, are now classed as personal data.
It also applies to data that is stored in manual filing systems or automated personal data, as well as personal data that has been pseudonymized, or key-coded, depending on how difficult or easy it is to attribute the pseudonym to the customer.
Sensitive personal data
Sensitive data is outlined as “special categories of personal data” and includes similar categories as the current DPA such as racial or ethnic origin of the data subject, political opinions, religious beliefs and physical or mental health to name just a few.
However, changes include genetic and biometric data, where processed to uniquely identify someone.
The GDPR includes a new accountability principle, which isn’t addressed in the DPA. This principle requires organizations to demonstrate they comply with the principles. The ICO says this may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
The ICO said that businesses must also:
- Maintain relevant documentation on processing activities.
- Where appropriate, appoint a data protection officer.
- Implement measures that meet the principles of data protection by design and data protection by default, including data minimization; pseudonymization and transparency.
- Allow individuals to monitor processing.
- Create and improve security features on an ongoing basis.
- Use data protection impact assessments where appropriate.
Key areas to consider
For the processing of data to be lawful under the GDPR, organizations must identify a legal basis before they can process personal data, says the ICO. Under the DPA, these are referred to as the “conditions for processing”.
However, the ICO says this becomes more of an issue “because your legal basis for processing has an effect on individuals’ rights. For example, if you rely on someone’s consent to process their data, they will generally have stronger rights to have their data deleted.”
The GDPR has reference to both ‘consent’ and ‘explicit consent’ which both require freely given, specific, informed and an unambiguous indication of the person’s wishes. Under GDPR, silence, pre-ticked boxes or inactivity does not constitute consent. Individuals have the right to withdraw their consent at any time, but if you already have consent from individuals under the current DPA, you will not need to obtain fresh consent if the standard of that consent meets the new requirements.
At a time where organizations increasing use IT and cloud systems to store customer data, it’s never been more important to get data protection right in your company. Although many organizations across Europe will already have legal processes in place to store personal information, the introduction of the GDPR and the penalties for non-compliance it brings, will have a huge impact on companies who fail to prepare and adapt to the changes.