The big news in privacy and data protection last year was the passing into European Union law of the General Data Protection Regulation 2016. The clock is ticking and we now have less than a year before it applies and, given its wide-reaching scope, many organizations are likely to need all of that time to prepare for it.
We thought we’d try to answer a few of the likely questions about the GDPR in an easily-digestible form. But please note – we’re not lawyers. This is our interpretation of the regulation intended as an introduction. If you really need to know the full implications for you or your organization you will need to consult a suitably-qualified person (Phew, glad we got that out of the way :-)).
So here goes…
Although it’s an EU law, it actually applies to anyone that holds or processes personal data about EU citizens, so if you thought you don’t need to know about it because you’re outside the EU, not (necessarily) so. It places responsibilities on both controllers (the ones collecting the data) and processors (who may process the data on the controller’s behalf).
It’s all about “personal data” which is basically data about living people from which they can be identified. Anything from name and address through to religion or marital status. If the individual can’t be identified, either directly or indirectly, then it doesn’t apply so one of the things to consider is whether the data you hold need to be as specific as they are currently.
The new law holds the same basic principles as existing law but goes further in some areas: the rules for obtaining consent to collect and hold personal data are stricter; you may need to appoint a Data Protection Officer; you’re expected to consider privacy from the very start of new projects; most data breaches must now be notified (and the fines have gone up); and you will need to be more careful about the countries you transfer the personal data you hold to.
Quite a few, eight in fact. These are:
Some of these will involve you reacting to a request from a data subject within a specified period of time (in many cases one month) so you’ll need to be ready.
In the main, yes. You will need to tell the Supervisory Authority in your country within 72 hours of becoming aware of a breach that is “likely to result in a risk to the rights and freedoms of individuals” and, depending on what’s happened, you may need to tell the affected data subjects as soon as possible too.
There is a range of fines increasing up to 4% of annual worldwide turnover or 20 million Euros (whichever is the higher). This is a lot more than previously and the actual amount will depend on the seriousness of the infringement.
Yes, if you are a public authority, you do large-scale monitoring or you process particularly sensitive types of data on a large scale. Your DPO will need to have an appropriate level of knowledge but can be either in-house or outsourced.
When creating new systems or making big changes to existing ones, you will be expected to “design in” privacy controls from the very start. This will involve thinking about what data you need to hold (i.e. don’t hold more than you really need) and how you need to hold it (i.e. do individuals need to be identifiable). You’ll also need to conduct privacy impact assessments.
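To make “design in” concrete, here is an added example (ours, not from the original post or any regulator’s guidance) of what data minimisation and pseudonymisation look like at the point where a record is stored. It assumes a constructed record layout (name, email, date of birth, postcode, purchase), a hypothetical secret PSEUDONYM_KEY that is kept separately from the data store, and a hypothetical analytics use case that only needs an age band, a rough area and the purchase. It also shows that an erasure request can still be honoured afterwards, because the key holder can recompute the pseudonym from the email address in the request.

```python
"""Privacy-by-design helper: minimise and pseudonymise personal data at storage time.

Added example, not from the original post. The record layout, the key and the
sample records are all constructed for illustration.
"""
import hashlib
import hmac
from datetime import date

# Hypothetical secret used to derive pseudonyms. In a real system it lives in a
# key store that the analytics data store cannot read; kept here only so the
# example runs offline.
PSEUDONYM_KEY = b"example-key-replace-in-production"

# Constructed reference date so the age bands in the example are stable.
AS_OF = date(2017, 6, 1)

# Constructed sample input, as it might arrive from a sign-up form.
RAW_RECORDS = [
    {"name": "Alice Example", "email": "Alice@example.com",
     "date_of_birth": date(1985, 6, 14), "postcode": "SW1A 1AA", "purchase": "widget"},
    {"name": "Bob Example", "email": "bob@example.com",
     "date_of_birth": date(1992, 1, 30), "postcode": "M1 1AE", "purchase": "gadget"},
]

DIRECT_IDENTIFIERS = ("name", "email", "date_of_birth", "postcode")


def pseudonym(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of a direct identifier.

    A plain SHA-256 of an email address is not a pseudonym: anyone holding a list
    of addresses can recompute it. An HMAC under a secret key can only be
    reproduced by whoever holds the key, which is the "additional information"
    that the regulation says must be kept separately.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def age_band(dob: date, today: date) -> str:
    """Replace an exact date of birth with a ten-year band such as '30-39'."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def outward_code(postcode: str) -> str:
    """Keep only the outward part of a UK-style postcode (e.g. 'SW1A 1AA' -> 'SW1A')."""
    return postcode.split()[0].upper()


def minimise(record: dict, today: date = AS_OF) -> dict:
    """Build the record that is actually stored: no direct identifiers, coarsened attributes."""
    return {
        "subject_id": pseudonym(record["email"]),
        "age_band": age_band(record["date_of_birth"], today),
        "area": outward_code(record["postcode"]),
        "purchase": record["purchase"],
    }


def has_direct_identifiers(record: dict) -> bool:
    """Check used before writing to the store: True if any direct identifier slipped through."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


def erase_subject(stored: list, email: str) -> list:
    """Honour an erasure request: the key holder recomputes the pseudonym and drops matching rows."""
    target = pseudonym(email)
    return [r for r in stored if r["subject_id"] != target]


def stored_records(raw: list = RAW_RECORDS, today: date = AS_OF) -> list:
    """Minimise every raw record and refuse to store anything still carrying identifiers."""
    out = [minimise(r, today) for r in raw]
    assert not any(has_direct_identifiers(r) for r in out)
    return out


if __name__ == "__main__":
    stored = stored_records()
    for row in stored:
        print(row)
    print("after erasure request:", erase_subject(stored, "ALICE@example.com"))
```

The design point is that the stored rows are useful for the hypothetical analytics purpose but hold neither names nor exact birth dates, and that re-identification requires the key rather than the data alone. Whether a ten-year band and an outward code are still too specific for your data is exactly the question a privacy impact assessment should answer.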
In many respects a PIA shares much common ground with a risk assessment and treatment process as required by the ISO/IEC 27001 standard. It involves assessing the risks to individuals of holding and processing their data and identifying ways to address these risks using controls.
You now have less than a year to prepare (until 25 May 2018) so the first step will be to understand what the GDPR means for your organization and then to create a plan to work towards compliance. This will almost certainly involve reviewing the personal data you hold and how it is collected (e.g. consent issues), getting procedures in place to handle the types of requests you may receive (e.g. rectification and erasure requests) and checking that any data transfers you do to other countries will still be allowable under the new rules. Will you need a Data Protection Officer?
You’ll also need to fully embrace the concept of privacy by design and ensure that your information security incident management procedures take account of the need to inform the relevant authority and possibly data subjects within the required timescales.
GDPR takes the protection of personal data to the next level and has sharp teeth in the form of heavy fines for infringements. It isn’t going away and the worst thing you could do is waste the two years’ notice by not preparing. It moves information security up the agenda and makes a decision to implement standards such as ISO/IEC 27001 look even more sensible.