T-minus seven months to GDPR (General Data Protection Regulation) and it’s set to be the biggest rocket up the derriere of data privacy in twenty years. So what does it mean to businesses, organisations, and you as a customer? What do you need to know and do by the deadline? And how do you know if you comply with the new laws?
The exact date is 25 May 2018 and after that, companies that don’t comply with the directive could face heavy fines. But what is data anyway and will GDPR still apply in the UK after Brexit? Data is classed as anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address, and if you hold data on people within the EU you will need to comply with GDPR, regardless of Brexit and whether the UK retains GDPR post-event. The point of GDPR is to better protect the data of people within the EU. However, it is expected that the UK will implement similar legislation so it’s probably wise to plan ahead on that basis.
So what are the key changes that you need to know?
Increased Territorial Scope – the directive will apply to all companies processing personal data of people residing in the European Union, regardless of the company’s location. It will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing actually takes place in the EU. It also applies to processing the personal data of people in the EU by a controller or processor, not in the EU.
Penalties – organisations which breach GDPR can be fined up to 4% of their annual income, or up to €20M. This could be, for example, for not having clear customer consent to process their data. Lesser fines start from 2%.
Consent – long, undecipherable terms and conditions, designed purposely not to be read, will no longer count as consent. The new directive states that conditions must be intelligible, easy-to-read, easily accessible, and use plain and simple language. It must also explain simply how to withdraw consent.
Your rights as a data subject (i.e., an actual person) –
Breach notification – if your data is breached in such a way that will “result in a risk for the rights and freedoms of individuals”, you will be notified. This should be done within 72 hours of first becoming aware of the breach.
Right to access – this allows data subjects to find out where their data is being used and for what purposes. This will be made available free of charge in an electronic format.
Right to be forgotten – this allows you to have your data permanently erased and to have data processors halt the use and dissemination of your data.
Data portability – the right for a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine-readable format’, and the right to transmit that data to another controller.
Privacy by design – in short, this calls for data processors to place higher importance on data privacy when designing their systems, rather than viewing data as an afterthought. Controllers must only hold and process data absolutely necessary for the completion of duties (data minimisation), as well as limiting access to personal data to only those that need it.
Data Protection Officers
An organisation only needs to appoint a DPO if it is (a) a public authority, (b) an organisation that engages in large-scale systematic monitoring, or (c) an organisation that engages in large-scale processing of sensitive personal data. If your business falls under one of these categories, notifying your local DPA of your data activities is set to become simpler. It will not be necessary to submit notifications/registrations of data processing activities to each local DPA. Instead, there will be internal record keeping requirements.
If you’re teetering on a GDPR event horizon, don’t get sucked into a black hole. If you have any concerns or questions, see the light and contact the owls. We’ll keep you flying in data orbit.