Cheryl Dyer Ballard examines the General Data Protection Regulation, which will come into force on Friday, 25th May 2018.
Here, Cheryl examines the implications, what exactly is involved, the whys, ways and means of this landmark EU legislation, why you need to act in accordance with it by the deadline, and what it means for you as an individual.
You may have noticed in your inboxes the large number of emails you are receiving from companies you have registered your details with at some time or other. Personally, I’m ignoring quite a few of them as they’re from companies that I don’t even recognise. The reason you’re getting these emails is the EU’s General Data Protection Regulation, otherwise known as GDPR.
But what is the GDPR?
The General Data Protection Regulation has been introduced to unify the data protection rules of EU member states, so that the same practice applies across the whole of the EU. It is intended to protect the personal data of EU residents from companies that misuse it, and it will effectively replace the 1998 Data Protection Act.
The new regulations are set to come into force, and although the United Kingdom is set to leave the EU in the next few years, they will still be enforceable, because many UK-based businesses manage EU residents’ data. Businesses found not to be following the new regulations will face fines of 4% of their annual turnover.
It was in 1998 that the UK introduced its own version of the EU’s 1995 Data Protection Directive, in the form of the Data Protection Act. However, that legislation is now outdated: at the time it did not envisage the advances in technology, nor the scale and kinds of personal data use that companies such as Google, Twitter and Facebook now depend on. The GDPR has been put in place to police and regulate how personal data is used. The UK is not required to set up new legislation, because the GDPR is a regulation rather than a directive, and it will automatically apply from 25th May 2018.
Experts in Information Technology have been aware of the GDPR for some time; however, recent figures from a survey by Imperva, a cyber security consultancy based in California, show that very few businesses are making any preparations. Indeed, we can confirm that, of all the customers we contacted regarding GDPR and how it might affect their business, less than 10% responded; such is the level of disinterest in the regulation itself. Imperva revealed that 43% of the companies it surveyed have assessed the impact that GDPR will have on their business and have made changes to stay within the set guidelines. Many of the companies involved in the survey were based in the USA, and many of those have dealings within the EU, to which the regulations will still apply. Imperva also reported that approximately a third of the companies have made no preparations for the regulations, with an additional 28% unsure about their requirements for compliance.
If your business holds personal data, you will be required to follow the GDPR. Whether you are a profit-seeking company, a charitable organisation or a government office, the regulations will need to be adhered to. After May 25th, when the GDPR comes into effect, data controllers must ensure that specific steps are taken when processing personal data: it should be done lawfully and for clearly stated purposes, and processors must ensure that once the data has legitimately been used for that purpose it is then destroyed and not passed on unlawfully.
What does a Data Protection Officer do exactly?
A company has to assign a person to be a data controller, or Data Protection Officer, to oversee all matters related to GDPR. It is the officer or controller’s responsibility to ensure that any personal data is protected and not used for any purpose other than the one for which it was gained in the first instance. The controller is also responsible for ensuring that “plain language” is used, so that all information provided is clear and concise. The unnecessary evil that is “small print” will soon, hopefully, be a thing of the past.
Any personal data on individuals that is held by companies will have to be consented to by those individuals; pre-ticked boxes and other quick sign-up methods will no longer apply. Accurate records of how consent was granted must be kept, as well as detailed information about when an individual has withdrawn any previous consent; hence all the emails that may be filling your inbox requesting your consent to receive further information.
Personal information includes economic and cultural information, mental health data, IP addresses, names, dates of birth, addresses and email addresses, plus any other personal data that is defined within the Data Protection Act. Individuals will have the legal right to access any data and controlled information that is held on them, and the regulations will ensure that people can request access to their details at “reasonable intervals”. Data controllers have been given a timescale of one month by the terms of the GDPR to enable this to happen. People will have the right to know what data is held, why the data is being stored, for how long it is stored, and who will be able to access their personal data. Any data held can also be corrected at any time. Employers are responsible for introducing any new procedures that are put in place and for rolling them out to their workforce as soon as possible.
What does the GDPR mean for you?
Under the GDPR, people will also have the power to request that their personal data be deleted, the ‘right to be forgotten’. This can be at any time if the person requests it, or if the information the company holds is no longer relevant. Once an individual has requested that their information be deleted, it is then the controller’s responsibility to ensure that the request is passed on to any other organisations or businesses they may be linked to, so that they can delete the information too.
If a person wants to move their data to another company, processors are obliged to ensure that their wishes are met within four weeks of the original request. The data must then be transferred in a common format so that it can be easily managed and read.
What if your data is hacked?
Once a data breach has been recognised, companies will have 72 hours to report it to their data protection authority, especially if the breach risks people’s rights and freedoms. The UK’s data protection authority is the Information Commissioner’s Office (ICO). The 72-hour deadline may mean that you do not yet have all the vital information; however, once contact is made, the Commissioner’s Office should be given a brief outline of the affected data and approximately how many people may be affected by the breach. It will also need to know of any action that has already been taken. It is your business’s responsibility to ensure that all parties affected by a breach have been informed prior to any notification to the Commissioner’s Office. Failing to meet this 72-hour deadline could lead to financial penalties of up to 2% of a company’s annual revenue.
By not following the primary rules and regulations when processing individuals’ data, firms could face even greater fines. By comparison, if we take TalkTalk’s recent penalty from the ICO of £400,000, under the GDPR the figure would exceed £58 million. Figures show that the ICO issued fines totalling £880,500 during 2016. After 25th May, this figure will change to £69 million, equating to a 79% rise in penalties.
It is each company’s responsibility to ensure that its records are kept up to date, and if any breach is recorded, that company has to prove that it has done its utmost to comply with the rules and regulations. Only then is it possible that the eventual fines may not be as high.
Although the UK is leaving the EU, it is still obliged to comply with the GDPR. The UK government is keen to “enhance data protection mechanisms”, allowing data to be shared equally between the EU and the UK. Matt Hancock, the Digital Minister, has welcomed the new EU legislation and believes that it will assist the UK following its departure from the EU. He also reiterated the UK’s commitment to ensuring that there are no interruptions to data transfers between the UK, the EU and the rest of the world.
A new Data Protection Bill is currently being worked on by the government; it will replicate and eventually replace the EU’s GDPR in preparation for the UK’s exit from the European Union. According to the GDPR, any business, organisation or public body that conducts any form of data processing is required to employ a Data Protection Officer, and the appointed person’s details will then be given to the Data Protection Authority. It is the appointee’s responsibility to ensure that information relating to the GDPR requirements is clearly understood and explained to their employer. This person will also be the primary point of contact with the Data Protection Authority, ensuring that the company works in full cooperation with the authorities where relevant.
It is each organisation’s responsibility to ensure that it has a full understanding of what is required of it under the GDPR. It must also fully understand what data it is able to acquire and store, and the legalities of holding and processing that information.
For more information about the introduction of GDPR and what you may need to do, visit the official GDPR website.