Are you ready?
The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. The new rules raise the bar for collecting, storing and processing data on EU residents. Moreover, the penalties for non-compliance are severe.
What is the Scope of GDPR?
Before diving into the specifics of GDPR, we should first review the scope: whom GDPR protects and who is responsible for implementing GDPR.
Who is affected by GDPR?
GDPR covers every EU resident, extending protection to 508 million people in 28 EU countries. That’s 24% of the global economy.
However, the scope of GDPR is much broader than that. GDPR responsibility extends to any organisation or person worldwide who collects, stores, manages or processes data on any EU resident.
What does that mean for you? If you are reading this and hold any information about an EU resident, you are subject to all 56,321 words of GDPR: its requirements, remedies and penalties.
What Data does GDPR Cover?
GDPR covers any data (alone or combined with other information) that can identify an EU resident.
Examples of Data Covered under GDPR:
- Website cookies
- Personal information
- Birth Dates
- Biometric Data
- Health Data
- Cultural Information
- Demographic Data
The list above is representative and not exhaustive.
8 Rights of EU Residents under GDPR
GDPR grants the following rights to EU residents. While we include a summary of each, how each right applies depends on the specific data involved.
1. Right to Be Informed
Individuals have the right to fully understand how personal data are collected, stored, managed, protected and processed.
2. Right to Access Personal Data
Individuals have the right to review their data—and any supplemental data—and understand how their data are stored and used.
3. Right to Reject Automated Decision Making
Individuals have the right to request manual processing for any decisions made with their data.
4. Right to Correct Personal Data
Individuals have the right to update, supplement or correct incomplete or inaccurate data.
5. Right to have Personal Data Deleted
When no compelling reason exists to retain such data, individuals may request the deletion of personal and supplemental data.
6. Right to Restrict Processing
Individuals may request that their data not be used for specific purposes.
7. Right to Stop Processing
Where data retention is required, individuals may request that their data not be processed in any manner.
8. Right to Data Portability
Individuals may request transfer of their data to another organisation or person for storage or processing.
So what does all that mean?
You should create a comprehensive plan for the collection, storage, management and processing of personally identifiable data. From first contact (website visit, appointment scheduling, etc.) to the deletion of a person’s information, you are responsible for complying with GDPR – or face substantial penalties.
10 Operational Impacts of GDPR
GDPR’s provisions heighten your responsibilities related to the collection, storage, management and processing of personally identifiable data and expand the scope of what is considered personal data. From technical measures to organisational awareness to reporting timelines and responsiveness to individuals’ requests, your business faces far greater responsibility and exposure.
1. Data security and breach notification responsibilities
You are required to notify the relevant data protection authority within 72 hours after discovery of a breach. If there is a high risk to individuals’ rights, you must also report the incident to the affected data subjects in a ‘timely manner’.
2. Requirement for companies to have a Data Protection Officer
Certain private sector organisations must appoint a Data Protection Officer (DPO) irrespective of their size or how they are processing personal data.
3. Responsibility to obtain consent before collecting data
You must obtain informed consent ‘in clear and plain language’ before collecting data.
4. Responsibility to comply with right to object to profiling
You must comply promptly with an individual’s requests regarding their data, including objections to profiling.
5. Responsibility to comply with the right to be forgotten
You must comply ‘in a timely manner’ with an individual’s requests regarding their data, including requests for data deletion (where permissible).
6. Responsibilities for controllers and processors
You are liable (and can be fined) for failures of your contracted data controllers and processors to protect data under GDPR.
7. Responsibilities under cross-border data transfer
Transfers are prohibited unless made to an Adequate Jurisdiction, or the data exporter has implemented a legal data transfer mechanism (or exemption).
8. Responsibility to pseudonymize personal data where possible
The use of pseudonymized data is strongly encouraged. Pseudonymized data is neither anonymous nor directly identifiable: re-identifying an individual requires additional information that is held separately from the data itself.
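As an added illustration (not from the original page) of what ‘separately held information’ means in practice, the following Python replaces a direct identifier with a keyed HMAC token. The key and the re-identification table are assumed to be stored apart from the dataset, under stricter access control.

```python
"""Pseudonymisation with a separately held secret (added example).

Replaces a direct identifier (email) with a keyed token. The tokenised dataset
can be analysed or shared without naming anyone; re-identification is only
possible for whoever holds the separately stored key and lookup table.
"""
import hashlib
import hmac
from typing import Optional

# Constructed sample records (not real people).
RECORDS = [
    {"email": "alice@example.org", "postcode_area": "SW1", "health": "asthma"},
    {"email": "bob@example.org", "postcode_area": "M1", "health": "none"},
    {"email": "Alice@Example.org", "postcode_area": "SW1", "health": "eczema"},
]


def make_token(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of the normalised identifier.

    Same identifier + same key -> same token, so one person's records stay
    linkable. Without the key the token cannot be reversed, and it cannot be
    recomputed from a guessed email either (an unkeyed hash would allow that).
    """
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Return (pseudonymised dataset, re-identification table).

    The table is the 'separately held information': keep it on a different
    system from the dataset, with its own access controls.
    """
    dataset, lookup = [], {}
    for rec in records:
        token = make_token(rec["email"], key)
        lookup[token] = rec["email"].strip().lower()
        dataset.append({"subject": token, **{k: v for k, v in rec.items() if k != "email"}})
    return dataset, lookup


def reidentify(token: str, lookup: dict) -> Optional[str]:
    """Only the custodian of the lookup table can resolve a token."""
    return lookup.get(token)


def erase_subject(email: str, key: bytes, dataset, lookup):
    """Right to erasure: remove one person's rows and their lookup entry."""
    token = make_token(email, key)
    lookup.pop(token, None)
    return [r for r in dataset if r["subject"] != token], lookup
```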
9. Responsibility to support data portability
You must provide a machine-readable copy of an individual’s data in ‘a timely manner’. Moreover, you may even be required to transmit data directly to a competitor.
10. Codes of conduct & procedures
You must ensure sufficient policies and procedures are in place, as well as adequate contracts for third-party data handlers, to ensure compliance with GDPR.
Consider something as seemingly innocuous as a web form to download an eBook.
You should ensure that any information collected is truly required and collect as little information as possible to complete the request. Additionally, consider informing the user how their data will be stored, managed and processed – and offer users the opportunity to limit any such processing.
(The form in this example was found on a live UK website in November 2017. The details have been changed to shield the source.)
The consequences of failing to comply with GDPR
GDPR expands individuals’ rights regarding their data and codifies the right of data subjects to file class action lawsuits.
Additionally, GDPR can levy fines of up to €20 million or 4% of global turnover – whichever is greater – for each failure to comply with GDPR.
For example, in 2016, 35 data breaches in the UK resulted in combined fines of £3,200,000. Had those data breaches been subject to GDPR the penalties could have exceeded £624,000,000 (€700M).
8 Steps for GDPR Compliance
Preparing for GDPR requires an investment of time and capital and ongoing vigilance in data management. An outline of a method to achieve GDPR compliance is below.
1. Raise internal awareness
Begin discussing GDPR and make employees aware of potential changes to data processing.
2. Conduct data mapping
Assess current data collection, retention, storage and processing procedures and policies.
3. Prioritize shortfalls
Evaluate compliance shortfalls and create a prioritised list of items to correct.
4. Conduct gap analysis
Evaluate current data processes against GDPR and document shortcomings and necessary policy changes.
5. Create a remediation plan
Update existing and implement new policies and procedures to bring data handling into compliance.
6. Conduct remedial actions
Implement necessary procedural and technological changes including deleting unneeded data.
7. Conduct training
Conduct training with anyone who comes in contact with data, or manages contractors who manage or process personal data.
8. Continuously monitor
Continuously monitor data collection, storage and processing to ensure continued compliance.
Compliance with GDPR can seem very daunting. However, with expert insight, a thoughtful and thorough review, and a careful plan, your business can meet the requirements of the General Data Protection Regulation.
DLP recognises the substantial impact GDPR will have on businesses in the UK. Our team is trained and ready to help you meet the demands of the GDPR.
Should you have any questions about GDPR feel free to contact our helpline 24 hours a day.