GDPR is the hot topic of the moment. But with an array of conflicting information making its way around national news, social media and company boardrooms it’s not that easy to understand what you need to do to ensure you are compliant with the new data protection regulations. As an IT provider, we are an integral part of the GDPR journey for our clients alongside their other business departments in the GDPR process and work with them to support their journey to compliance with regards to their IT systems so in this article we share our experience and answer What is GDPR, what do you need to know and why?
The General Data Protection Regulation
GDPR or The General Data Protection Regulation comes into force on 25 May 2018. It’s the shiny new name for the existing Data Protection Act 1998 which businesses should already be adhering to.
It is the result of the collaboration of the European Parliament, the Council of the European Union and the European Commission over the last 4 years to bring data protection legislation up to date.
The new legislation will supersede the current act with hopefully a clearer and more defined set of rules for looking after personal data. This all sounds very positive for us human beings who want information about ourselves to be respected and handled responsibly, but a potential headache for businesses.
What’s the point?
Stealing data is a lucrative business and is becoming more so. In this digital world that we now live data is constantly being transferred with arguably more opportunities for it to be breached.
The Data Protection Act is simply out of date and its reincarnation in the shape of GDPR aims to help businesses understand better how they must ensure personal data that they hold is secure as well as striving for a consistent approach across the European Union.
The importance of complying is to be reinforced with the threat of hefty fines for businesses that fail to take it seriously.
It’s key purpose, set out by the ICO is to provide;
• Greater transparency from organisations as to how they process personal data.
• Enhanced rights for citizens
• Increased accountability
Does it affect us?
We’ve heard a lot of business leaders say;
‘We’ll just wait and see what happens’
‘We’re not going to bother doing anything until we have to’
‘Seems like a lot of hype, we’ll wait until it calms down’
As with any new legislation, it’s easy to feel a bit sceptical about it. Business is busy so it’s understandable to be in no hurry to dedicate time and money to something that doesn’t feel like a priority just yet.
However, 25th May 2018 is the date that the new legislation comes into force. From this date, businesses that do not comply can be investigated and if found to be breaching the legislation will face fines of up to 4% of their annual turnover. This could have a significant impact on your business.
There’s a lot of scaremongering about but the legislation applies to all businesses, large and small, who hold some level of personal data. It is therefore the responsibility of every business to assess how they will comply with the legislation and implement a plan.
What do I need to know?
The legislation has been split into elements to help businesses understand how they need to comply with each. Understanding the requirements of each will help you plan for compliance. This could vary from a complete change of current systems to some more simple alterations to your networks to ensure data is transferred and stored securely and within the correct timeframes.
The elements of GDPR broken down into these areas;
• Breach Notification
• Right to Access
• Right to be forgotten
• Data Portability
• Privacy by Design
What is personal data?
GDPR regulations relate to personal data only so understanding how that applies to you is a good place to start. This is any information you hold about an individual.
You may think, well that’s ok, we deal with businesses not the public.
You may be B2B, however you will still deal with personal data within your personnel files and any information you store on your employees.
If you are a B2C or both you will have a great deal more to consider. Compliance will cover all aspects of your organisation including –
• Customer information
• Human Resources
• Sales and Marketing data
Under the new regulations businesses need to process personal data lawfully.
What is considered ‘lawful processing of data?
You need to process data lawfully under GDPR but what does that actually mean? As a business you have to decide and document the lawful basis by which you intend to process data.
What is consent?
Consent is being able to prove that an individual has given you permission to hold and process information about them. Gaining it is about to become a lot harder under GDPR.
The regulations dictate that you have processes in place that frequently check that an individual still gives their consent to hold their data as well as allows them to remove it if they wish.
You will need to make sure that any personal data that you currently hold complies with these regulations. If not, it will need to be updated or removed. It’s been publicised that a number of large organisations, such as Weatherspoons have restarted their marketing lists from scratch under the new regulations as it was easier than trying to check consent for the information they had.
The current guidance on consent from the ICO can be found here. This should help clarify how consent is defined and how you can make sure your processes ensure you comply.
• The right to Access
Essentially this is an individual’s right to have it confirmed that an organisation processes information about them. It also allows them to ask to see that data and find out why. You need to respond within a month to these requests. Do you know how your business could respond to an access request?
• The right to be forgotten
Just as it sounds, it is the individual’s right to have any personal data an organisation holds about them deleted. It essentially deals with circumstances where an individual no longer gives consent to an organisation to have their details, for example a retailer that they no longer wanted to receive marketing from. Further reading on this area is advisable as for some businesses, it will require considerable thought and planning as to how they intend to delete data and be able to prove that it has been destroyed. Do you know how your business could respond to an erasure request?
• The right to data portability
An individual can request the data you hold about them at any time. This right enables them to reuse the data about them that is held by organisations. If an individual asks for their data, you need to be able to respond within 1 month (unless the request is complex). It needs to be in a commonly used format that they can transfer to you or another organisation they have appointed. Do you know how your business would transfer and individual’s data as per their request?
Do we need to have a Data Protection Officer?
The current GDPR guidance states that you only need to emply a DPO if you are a public authority or a business with more than 250 employees, however there are some guidelines in the ICO Article 29 Working party document that are worth reading to check where you stand on this.
For the majority of small businesses employing a DPO isn’t something you’re going to need to worry about, well unless you want to and you’ve got the salary budget, but best to check rather than assume.
Do we currently comply with the regulations?
So, having read a broad outline of GDPR do you believe you currently comply?
You know your business best. If an individual contacted you and asked how you store their data, could you tell them? And if they requested it, could you provide them with it in a suitable format.
And in the worse case scenario, an individual withdraws their consent and asks for their data to be removed from your systems, could you carry out their request and prove it within the given timeframe?
How are we going to become compliant?
If your answer to the above is no and you don’t currently meet the requirements of the regulations, you need to decide how you intend to comply. This is the standard by which you will be measured should you be investigated for non-compliance. It is the standards you should have documented within your organisation and by which everyone in the business should adhere to.
The majority of businesses will use consent as the lawful basis for processing personal data they intend to comply with, however there are other conditions for processing that you can comply with but this needs to be clear, justified and documented.
You can read more about lawful processing here.
Who is responsible for GDPR in our organisation?
It’s sounds a bit trite to say everyone but it really is the case. In order to be totally compliant, it is crucial that everyone gets ‘on board’ through all departments. Feeding down from director level, IT, Sales, Marketing and HR will all play a part in the compliance journey.
Human Resources departments will obviously play a vital role in making sure employee data is stored and processed lawfully. IT managers whether internal or external will need to work with all areas of businesses to ensure that suitable systems and processes are in place to transfer data securely as well as strategies in place for the removal of data when required.
B2C organisations will need to pay special attention to their marketing strategies and how they hold customer data.
What are the implications if we don’t comply?
If you don’t implement systems to ensure the security of the personal data you process, you could leave your business open to a breach. If personal data is stolen, this could impact your business both financially and in terms of your reputation.
As with The Data Protection Act 1995, regulators will still be able to impose fines for non-compliance but they are now heftier. The current maximum is £500,000 but now those who fail to comply will face fines up to a maximum of £20m or 4% of annual global turnover, whichever is higher.
Elizabeth Denham, UK Information Commissioner explains that issuing fines will be the last resort but they are there to reflect how important it is to keep personal data secure.
‘Heavy fines for serious breaches reflect just how important personal data is in a 21stcentury world.’
In addition to fines, there is the potential for the floodgates to open for lawsuits where individuals will be able to sue organisations if they feel there has been a breach of their data.
What should we do if we have a data breach?
If you discover a data breach, under GDPR it is your responsibility to inform ICO Information Commissioners Office within 72 hours of becoming aware of it.
You will need to tell them
• What data has been breached
• How many people are affected
• The potential consequences to those individuals as a result of the breach
• What your response to the breach has been so far
Plan of Action
- You need to document how you plan to comply by GDPR.
- If you will process data under a lawful basis other than consent you need to make sure this is documented and clear.
- There will be data protection impact assessments available from the ICO to help you establish the areas you need to address.
- The ICO are still working on the final guidance for consent. Many businesses are choosing to wait until this is published. This is due to be published in December 2017.
- The general advice is Don’t wait. Use the ICO’s draft guidance on consent document to get started.
- It will only cover final guidance on consent so you will need to assess lawful bases that you plan to comply with if relevant anyway. There is no benefit in waiting.
- Make sure you have compliant, sensible and secure policies in place.
‘’But there’s no need to wait for that guidance. You know your organisation best and should be able to identify your purposes for processing personal information.’’
What can we do now?
- Audit and review current procedures
- You need to be able to show that you can detect, report, and investigate a data breach within 72hrs
- Identify biggest impact areas
- Speak with your IT Provider so you understand how your systems process, store and can delete data.