General Data Protection Regulations
The General Data Protection Regulations (GDPR) are possibly the most significant development in the field of data protection that Europe has seen in nearly two decades.
What is GDPR?
It’s an update of existing legislation, but takes current technologies into account and the way we work with them both now and in the future.
The UK leaving the EU is not an excuse, as GDPR enforcement comes into force before any exit from the EU by the United Kingdom, so all EU laws will apply, including GDPR.
Who Will Be Affected?
It applies to EU citizens’ personal data regardless of where the controlling or processing of that data takes place. This means that organisations in countries outside of the EU (including the US and an independent UK) would have to apply GDPR to client data where the client is in the EU.
We Can Help
eNacyH believe that organisations will find the transition to the new regime easier if they are compliant with the existing regulations, such as the Data Protection Act 1998, the Privacy and Electronic Communications Regulations, etc. The UK Government have published guidelines, ‘Data Protection and Your Business’.
| | Do / Don’t |
|---|---|
| ✔ | Start now, if you haven’t already |
| ✔ | Plan and budget for GDPR implementation |
| ✔ | Think data protection and privacy within all your business activities |
| ✔ | Consider the likely penalties for non-compliance |
| ✘ | Assume that GDPR will not affect you or your business |
| ✘ | Wait until 2018 to act |
| ✘ | Believe that it will just go away – it won’t! |
Privacy by Design
Put simply, it’s the principle of considering and building in appropriate data protections during the design phase of all new projects and changes to systems and processes involving personal data.
GDPR requires that organisations, including processors, should be “audit ready” at all times. It goes further by introducing a legal requirement for ‘privacy by design’ for sensitive data.
Where a new processing activity is proposed, the data controller must first conduct an Impact Assessment, although a single impact assessment can cover multiple processing operations that present similar risks.
- ‘Dark Data’: information that is not searchable, and therefore not necessarily discoverable, is to be included.
Only the data that is necessary should be processed, taking into account:
- Amount of Data
- Extent of Processing
- Retention Period
- Access to Data
Technical measures and procedures should be enhanced by:
- Minimising the amount of data held
- Restricting access to data
Security of Processing
Data Controllers have an obligation to ensure that they only engage third-party data processors or cloud providers that comply with the security requirements for processing data, including:
- pseudonymisation and encryption of data
- the ability to restore
The definition of personal data has been broadened to include anything that can be directly associated with an individual. GDPR broadly keeps existing definitions but adds digital footprints such as cookies and IP addresses.
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; – Article 4 of GDPR
Sensitive Personal Data
Revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. – Article 9 of GDPR
Few businesses hold or process no personal data at all, so it is important for each business to understand its role and responsibilities as determined by the GDPR. The two significant roles are those of ‘controller’ and ‘processor’.
‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
A cloud service provider or third-party data host will in most cases be determined to be a ‘processor’. There is also a new requirement that processors know and understand the type of data they are processing.
Data Subject Rights
GDPR expands on some of the existing legislation, affording data subjects clearer information.
Data Subject Access Requests
An enhancement of the existing Subject Access Requests, with changes including:
- No fee payable (versus the existing £10 fee)
- Time to respond reduced to no later than one month after the request is made
Right of Erasure
A new right under GDPR is to have data deleted. There are several grounds on which this request can be refused, such as conflicting regulations and the public interest, but once legitimate reasons for denial are exhausted the data must be deleted.
Right of Portability
GDPR entitles a user to have their data exported and transferred in a ‘machine readable format’.
Breaches and Penalties
One of the most important changes under GDPR is that data processors can be held directly responsible for breaches, as well as data controllers.
The legislation has also updated the right for data subjects to claim compensation for damages they suffer from such breaches.
Business Data Breaches
Breaches could lead to fines of up to 20 million euros or 4% of global annual turnover for the preceding financial year, whichever is the higher.
Other Data Breaches
For other breaches, the authorities could impose fines on companies of up to 10 million euros or 2% of global annual turnover, whichever is the higher.
Details on these pages are not intended to be a full or comprehensive list of regulatory changes, nor are they in any way meant to be taken as legal advice. They highlight some of the important changes that may need attention prior to the May 2018 deadline for compliance.