General Data Protection Regulation – Ask our Expert
The General Data Protection Regulation (GDPR), which comes into effect on the 25th of May 2018, is a new set of obligations from the European Parliament for businesses on issues related to the data protection rights of all European Union (EU) residents. The new regulations cover breaches and breach notification, consent, and the right to be forgotten, to name just a few.
Companies based in the EU already adhere to legislation in each member state that is consistent with GDPR’s predecessor, the Data Protection Directive (DPD) of 1995, however significant changes with GDPR can result in hefty fines if found uncompliant. Overall, the new protections for EU nationals have been created to set a more harmonic degree of unification throughout the whole of the Union.
Technology Sales at Midshire®, Stuart Carruthers has provided answers to some frequently asked questions about GDPR ahead of the ‘GDPR Clinic’ tour, which takes place over a two week period from the end of May:
1. So what counts as a breach?
Under both GDPR and its predecessor, ‘personal data’ means ‘any information relating to an identified or identifiable natural person’, (or the ‘Data Subject,’ so the person the data belongs to). The new law also gives a lengthy definition of what a personal data breach actually means, defining it as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’ Now, the fact that this new definition is so long means that businesses cannot afford to have unclear internal policies on data protection, as the new definition has vastly increased the scope of data protection law.
2. How will Brexit affect GDPR?
In a nutshell, not at all. When GDPR comes into effect on the 25th May 2018, the UK will still be a part of the EU and will remain in it for almost a year until leaving the Union on the 29th March 2019. I think that the uncertainty of Brexit has caused many businesses to take their foot off the gas when it comes to EU Parliamentary law, but really businesses should be striving to keep up-to-date with the latest policies.
The UK government has also shown its intent on fully integrating GDPR policies in the UK, even after Brexit. It is likely that the main reason for this is for a smooth negotiation process on Britain leaving the EU, and a continued free flow of data between EU member states and the UK. The free-flow of data is particularly important today, because it is crucial for data to be shared between countries for security purposes.
Additionally, it would be ideal for the UK to remain a force and beacon for other countries to look to when it comes to the data protection of its citizens by setting a high standard for such protections.
3. What do I need to do if a breach occurs?
In the unfortunate event of a breach of personal data, the Data Controller (the organisation that collects a person’s data) must report the breach to the supervisory authority in the member state where the company’s main activity resides. The supervisory authority is a newly formed administrative body that will be founded in each member state to manage the data protection of that country’s citizens. The breach must be reported within 72 hours, and if it’s late then reasons should be provided.
The data subject must also be informed straight away. Interestingly, if the data has been manipulated, for example if the data is unrecognisable and will not be traceable back to the data subject, then the data subject doesn’t have to be informed, but the breach still has to be reported to the relevant supervisory authority.
4. What will happen if I’m found to be uncompliant?
Remarkably steep fines. The new sanctions that can be imposed on uncompliant businesses include:
• A written warning in instances of first and non-intentional non-compliance.
• Regular and thorough data protection audits.
• Most repeat breaches will result in fine up to €10,000,000 or up to 2% of annual worldwide turnover, whichever is greater.
• Breaches that the European Court has deemed more serious, for example breaches in consent or international data transfers, would result in a fine up to €20,000,000 or up to 4% of annual worldwide turnover, whichever is greater.
So it really is in a business’ interest to be prepared for the May 25th 2018.
5. What should I be doing now?
Raising awareness. The deadline for GDPR is ever approaching, so your first action should be to raise awareness of GDPR internally, making sure that your employees fully understand what and how a data breach can happen, and the fines that could occur. You should also make a comprehensive document of what data you hold, how it is gathered and how it is stored.
An important aspect of GDPR is consent, so reviewing how you are obtaining and recording consent from individuals should be a priority, discussing whether any changes need to be made. Consent from minors is also important here, you should start thinking about verifying the age of individuals and whether you need to get consent from a parent or guardian for the processing of the minor’s data.
You should also ensure that you have the right procedures in place to detect, report and investigate personal data breaches. GDPR now states that all businesses should appoint a data protection officer within their organisation to take responsibility for data protection compliance. If a business works internationally, then these companies should determine which supervisory authority they will be operating under.
For more information on GDPR, read Midshire’s blog here: https://goo.gl/Jkgbww