GDPR in Oxford.
The Key points of the regulation
GDPR = General Data Protection Regulation The regulation is a major update to the original Data Protection Act (DPA) of 1998. This includes updates to definitions, penalties and responsibilities.
Arrives 25th May 2018 You have until May this year to get compliant with GDPR
Huge Penalties for Non-Compliance You and your business could be fined €20,000,000, or 4% of your annual global turnover. Whichever is greater
Updates to Definitions GDPR also updates the definitions on what is considered personal data. This includes your IP address!
This is the new regulation approved by European Parliament. The General Data Protection Regulation (GDPR) aims to strengthen the data protection laws currently present and improve the security of personal data for customers in the EU. This regulation improves on laws already passed, such as the DPA (Data Protection Act) and aims to update the definitions of certain terms, e.g “Personal Data”.
The regulation was passed by the European parliament in March 2016 and is set to be put into enforcement on 25th May 2018.
Non-compliance with this regulation is expensive. Failure to meet the regulation’s requirements can cost your business €20,000,000 or 4% of your global annual turnover, whichever is greater.
This regulation aims to improve the rights of the customer and their access to the personal data stored by companies. In brief, personal data needs to be processed in a transparent manner in relation to the data subject. Storage of said personal data must be kept in a manner that allows for a data subject (natural person) identification for no longer than is necessary. For example, a one-off job where a customer’s IP Address is required would require the data controller (company) to either erase the data (IP Address) from their records, or make it unable to be used to identify the data subject.
Yes. GDPR aims to enforce more responsibility on the data controller for compliance with the new principles. You, as a business, are fully accountable for the data gathered that is capable of identifying a data subject and its storage.
This refers to the process of making any data that can identify a data subject incapable of doing so, without additional information. An example of this is encryption. Thus, in order to read the data subject’s personal information, you would require the decryption key beforehand.
As a customer, you now have more rights to your personal data. You are now able to determine how long your data is kept for, with the ‘Right to Erasure’. However, this is limited to automatic data acquisition, mostly. But, if the data acquired was done unlawfully, you are allowed to request the deletion of said data. Furthermore, you are now also eligible to transfer your personal data from one IT environment to another in a safe and secure way.
You need to maintain records of processing activities. The following information needs to be recorded*:
- Name and Details of your Organisation (where applicable, your data protection officer (DPO)).
- Purposes of the processing (of personal data).
- Description of the categories of individuals and categories of personal data.
- Details of transfer to third countries including documentation of the transfer mechanism safeguards in place.
- Retention schedules.
- Description of technical and organisational security measures
Under GDPR, you have an obligation to implement technical and organisational measure(s) that show you have considered and integrated data protection into your processing activities. This means you have to be able to show that you have implemented a security system that further protects the personal data that you are acquiring. So, an example of an organisational measure would be to adjust the way personal data is collected by the customer during the business transaction. Either an enclosed space or using a different medium to store the data on would be a consideration. For the storage of the data, if physically written down, a secure safe maybe an option to show this compliance.
Yes, under certain conditions. You must appoint a data protection officer for your company if you:
- are a public authority
- carry out large scale monitoring of individuals (e.g online behaviour tracking and analysis);
- carry out large scale processing of categories of data that are special or pertaining to criminal convictions and offences
Effect of GDPR
The Key points of the regulation
Customer ‘Right to Erasure’ As a customer, you have the right to request the removal of any personal data that can identify you
Customer Data Portability A new right to allow a person to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by data controller.
Business data processing The new regulation will put all accountability on the business. So all personal data acquisition must have appropriate levels of security. The use of pseudonymisation and encryption of personal data is recommended
Business data breach reports Upon a data breach by cyber attack, businesses are obligated to report the breach and the victim of said data breach within 72 hours of awareness
GDPR isn't a one off...
But is a learning opportunity
This new regulation is here to stay. Unless there are any major changes to it in the future, then this is a process that will need to be incorporated into your day-to-day business proceedings. However, it doesn’t need to be considered a chore. For quite a few businesses, it will only require a few amendments to proceedings. For others, however, it will require a lot more procedural changes that will have to maintained for the foreseeable future. But, GDPR does teach good habits about data security, not just for your business, but for home. So, if it helps, consider it a learning process for you and your business about better practices with data security.
Take the time to do a full security audit of your main systems which are used for processing data. Are they secure? Do they use encryption? How is the data acquired from the customer? Is the data pseudonymised? These are all questions that you should be able to answer with “Yes”. If not, then you still have time to correct that.
If there are any areas of your personal data collection process that do not comply with the new regulation, now is a better time than any to correct this! Some of the changes may simply be reworkings or addition of copy that covers you as a business owner. For example, if there is no mention of consent requested for personal data to be acquired, then adding a simple checkbox that customers need to fill out resolves this. However, that’s not all. Make sure that if the customer requests it due to erroneous records or extra data taken without consent, you are able to oblige this right.
Not sure if you comply yet? Here’s a quick checklist of criteria you need to meet in order to comply. If you are able to mark off everything in the list below, then you are compliant with the regulation.
- You collect and/or process personal data of data subjects in the EU.
- You have a process in place that collects the correct consent from the data subject prior to collecting personal data from the individual. You have also made it clear to the data subject how their personal data will be used upon collection.
- You have a process in place to alert a supervisory authority within 72 hours of a security breach discovery. However, this does not apply if it risks or violates the rights and freedom of data subjects.
- You are able to provide an electronic copy of the personal data specific to the data subject to said data subject upon request. You must also be able to provide information on what data is being processed, where it is stored and why it is being collected.
- Your appointed data controller must have the ability to destroy and erase any personal data of data subjects. He must also be able to inform and stop third parties from doing so as well. They, too, must delete their records as well.
- You are able, upon request, to provide a data subject’s personal data to them in a commonly used and machine readable format, so that the data subject is able to transfer said data from one data controller to another.
- You must be able to show, provide and maintain data security into all products you provide and processes from the first day of this regulation (though getting a head start now is definitely a good idea.)
- You must have an appointed Data Protection Officer (DPO) for all data controllers and data processors in your business
If you are able to tick off everything above. Then you’re already set. If not, then there is still time to make the changes necessary.