15 May 2017
Are You Ready For The GDPR?
The EU General Data Protection Regulation (GDPR) is the biggest ever shake up to data protection laws, yet many businesses feel unprepared.
With the GDPR’s introduction taking place in May 2018 and the UK not leaving the EU until 2019 at the earliest, Brexit will not affect the introduction of the GDPR in the UK. This means now is the time to put the processes in place to ensure that you comply. In this article, Arthur J. Gallagher will discuss what GDPR means for businesses and what they need to do to be compliant.
The EU General Data Protection Regulation (GDPR) is replacing the previous Data Protection Act 1998, which regulates the handling of personal data. With vast changes to technology in the past 20 years, the current Act is no longer applicable to how we handle data. The new regulation will provide further scope, stricter penalties and further guidance around consent, data controllers and data subject rights.
The key changes
The aim of the new GDPR is to protect all EU citizens from breaches of privacy and data in an increasingly data-orientated world. Although the new regulation retains the key principles of the previous Act, there are some key differences for organisations to consider.
The GDPR extends to all companies established in the EU, but also to those based outside the EU that offer goods or services to EU citizens. All data will have to be processed in line with the GDPR by a suitable data controller, regardless of whether this processing takes place in the EU or not. Non-EU organisations that process EU citizens’ data will be required to appoint a representative in the EU. This also applies to ‘cloud’ storage systems.
Failure to correctly adhere to the GDPR can result in a fine of 4% of an organisation’s global annual turnover or €20 million, whichever is the greater sum. There is a tiered system of fines – for example, failing to notify a subject about a breach could result in a 2% fine. This is a huge increase when you consider that the current highest tier of fines for unlawful data processing is £500,000.
Issues around consent
The rules surrounding data consent have been reinforced, and companies must display their terms surrounding the collection, storage and use of data in a clear and easy-to-understand form. It must also be as easy to withdraw consent as it is to give it.
The Information Commissioner has published consent guidance, which recommends that organisations which process data should review their consent mechanisms to make them more “specific, granular, clear, prominent, opt-in, documented and easily withdrawn”.
Organisations will also need to keep records to evidence consent at every step of a process and the ICO has advised that organisations should “build regular consent reviews” into organisational processes. Consent must now be “unbundled” i.e. separated out from other terms and conditions.
Data protection officers
The appointment of a Data Protection Officer (DPO) is now required by all businesses that monitor data subjects on a large scale or handle special categories of data, such as criminal convictions. The DPO should be chosen on their suitability for the job, for example their knowledge of data protection laws and practices. They do not have to be a staff member: an external provider is acceptable and may in fact be preferable, because the DPO must be provided with the correct tools and processes to carry out their job and there must be no conflict of interest with their other tasks.
Data subject rights
A ‘data subject’ is anyone whose personal data is held by an organisation. The GDPR introduces a number of rules surrounding how this information must be handled.
Breach notification - Organisations are required to notify the regulator and data subjects where appropriate, within 72 hours of discovery. Data processors will also need to notify controllers without undue delay.
Right to access - Data subjects will still have the right to request a copy of their personal data, including what data is being held, where, and for what purpose. Data controllers will be required to provide a copy of this information in an intelligible format for free.
Right to be forgotten - Known as data erasure, this means that data subjects can ask to be forgotten – to have their personal data erased under some circumstances. This means organisations will not just have to erase data, but also cease circulating the data and prevent third parties from doing the same.
Data portability - Data will need to be made available to subjects in a commonly used and machine-readable format, for example a PDF or Word document.
Privacy by design - Data controllers will need to ensure that an individual’s privacy rights are considered very early on in the lifecycle of a project, and that privacy is ‘built-in’ to an organisation’s processes.
What does it mean for organisations?
The above rules will be the minimum standards for handling, storing and sharing personal data in the EU from 25 May 2018. This year, organisations will be facing the gargantuan task of reviewing their existing processes and ensuring that they will remain compliant. Your organisation should be making sure that all data collected is held securely, to minimise the risk of a breach.
Many organisations will find that use of cloud storage facilities or third party providers may impact their data security, and will need to have appropriate controls in place to mitigate this risk. Encryption techniques such as data-splitting may be used to prevent data falling into the wrong hands. Key concerns could be whether your organisation is appropriately storing and handling data and has clear and transparent data collection processes and if not, what you need to do to put these processes in place. With tighter regulations around data privacy and heavier fines for breaches on the horizon, organisations should be putting the correct data regulation procedures in place sooner rather than later.
Arthur J. Gallagher: Our conclusions
It may seem like there is lots of work to be done, but getting ready for the GDPR boils down to three steps:
- Discovery – Understand your gaps against the new regulations
- Plan – Plan your remedial activities based on risk appetite
- Execute – Implement the changes needed to ensure compliance
To underpin any work around risk, it is useful to refer back to the ISO 31000 standard and to identify, assess and manage risk accordingly.
Good governance and transparency should be built into each of your processes, and this should be easily demonstrable in the event of an investigation.
While cyber-attacks are a real threat, the majority of data breaches come from employee error, such as lost data, so educating your employees by raising their awareness and understanding of the risks is paramount.
While this type of data breach is preventable, it is not predictable, so a robust cyber security policy will also help to mitigate reputational and financial risk in the event of a breach. But it needs to be communicated well, so that employees understand and appreciate why it must be complied with and the consequences for the organisation of non-compliance.
Plus with just 72 hours to report a breach, you should have clear processes in place so that in the event of a breach, your employees know what to do and how to report it in a timely fashion to avoid receiving a heavy penalty.
Finally, you should ensure that if a data subject wants to access or erase information held on them, it is easy for them to make this request and that the request is carried out quickly. You should consider what format to store data in, so that it meets portability requirements, and keep track of third parties handling this data for faster erasure.
The key to GDPR compliance is preparation, and your organisation should act now to make sure you don’t fall behind.