The most radical change in 20 years for personal data protection comes force in May 2018. The new set of regulations will significantly strengthen the protection of personal information for individuals across the EU including the UK – the General Data Protection Regulations or GDPR. In part one of this series we looked the rights the GDPR will provide to individuals. In this article, we look at the obligations on organisations that hold and process personal data – and the significant levels of penalties if an organisation fails to deliver on its responsibilities.
Will my organisation be affected?
The answer is almost certainly yes. The regulations apply to entities of all sizes and shapes that hold or process personal data both inside and outside of Europe. So, whether you are a sole trader, a public company, a non-profit or a school you need to be prepared.
What does data processing mean?
In part one we looked at what is meant by “personal data”. “Processing” is what is done to the data. The GDPR takes a very broad view of what this means and covers the whole lifecycle of the data – from how and when it is collected, what is done with it to how it is finally deleted. Sending a routine email will constitute processing as it includes personal data related to the recipient. Storing, structuring and organising staff, member or customer information is processing. Reviewing an employee’s performance or providing feedback is “processing” and so will require permission.
The regulations refer to “Controllers” (they determine how and why personal data is processed) and “processors” (who act on the controller’s behalf). Controllers have to be open and honest about what they do with personal data, stick to the purpose for which it was collected, keep it current and accurate and delete when it’s no longer required. Processors have a greater legal responsibility to protect personal data under the GDPR than the DPA, in particular if they are responsible for a breach.
You must respect an individuals’ rights
As we reviewed in part one, your employees, customers and members will have new powers to request detailed information on how their data is used, stored and protected – free of charge. They’ll have the right to access, port and even request erasure of their personal details. So, you will need to ensure that you have the processes in place to deliver on these rights – and to deliver them within the prescribed timescales.
You will be accountable for the personal data you hold
Data protection legislation has included the principles of lawfulness, fairness and transparency for some time and now the GDPR goes further and adds the principles of accountability and governance. In essence, you must not only do the right thing, you must be able to show and prove that you are. This means you will need to implement privacy by design, with appropriate technical and organisational measures such as internal data protection policies, staff training, internal audits of processing activities, and reviews of internal HR policies. You will also need to maintain records of processing activities under your responsibility.
You need to make data protection business as usual
Privacy by design and default means that you must consider these issues right from the start of a project and not just tack them on as an afterthought. The Information Commissioner has always promoted this approach in the UK but it has not been a legal requirement under the Date Protection Act – but it will be under the GDPR. Data privacy by default means that an individual’s right is not to share any information – anything above this level requires the individual’s permission.
Security is paramount
A key purpose of the GDPR is to protect an individual’s personal data, so of course security of personal data and its processing features strongly in the new regulations.
Both data controllers and data processors are jointly responsible for personal data protection which means that data controllers need to know more about sub-contractors (processors, such a cloud service providers or marketing agencies) than at present. All of us use cloud services to one extent or another – perhaps for storage (such as Dropbox or Google Drive) or applications (such as email, accounting or CRM). And sometimes your staff may elect to use a third-party service without your knowledge. Whatever the case, as a data controller, you will be held accountable for the security of the data.
The regulations specify that data should be held within one of the 28 EU countries, or a country that has an agreement with the EU. You not only need to understand and approve the technical and organisational competence of the third party, you need to understand where they hold the data you are accountable for.
In addition to the above, the regulations specifically bring out pseudonymisation and encryption of personal data as ways to protect personal data. The ICO has been encouraging the encryption of personal data on mobile devices for some time, now under the GDPR it becomes more explicit.
Personal Data breaches must be notified
A personal data breach is much more than just loosing personal data and can involve the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. There has been considerable media coverage of high profile data breeches and the theft of personal data in recent times. So data breaches do happen, regardless of the size of organisation and it’s only the big ones that get the publicity.
You will have the responsibility to notify the ICO and the individuals concerned if the breech is likely to result in a risk to the rights and freedoms of individuals. Where a breach meets the notifiable criteria, you must report the breach within 72 hours which is a tough requirement as it means you need the processes and systems to be in place to detect that a breach has occurred.
Additional responsibilities and obligations
The regulations call out additional requirements when processing “Sensitive Personal Data”, when there are high risks to privacy and individual rights or carry out large scale processing of special categories of data. In these cases, organisations may need to conduct Data Privacy Impact Assessments. Both data controllers and processors will need to appoint a Data Protection Officer where the processing is carried out by a public authority, where processing requires regular and systematic monitoring of data subjects on a large scale, or where processing on a large scale of special categories of data.
Penalties with teeth
The maximum level of fine available to the ICO is currently £500,000, but the GDPR raises the level significantly. Two levels of fine will be available:
- Up to €20,000,00 or up to 4% of global turnover for infringements such as contravening the basic principles of processing, breeching a data subjects’ rights or international transfers; and
- Up to €10,000,00 or up to 2% of global turnover for infringements such as failing to obtain consent to the processing of data relating to children; failing to implement technical and organisational measures, failing to maintain records or failing to notify a breach when required to do so.
In the first two articles of this series, we’ve looked at what the GDPR means to individuals and organisations. In the next article, we will review the 12 steps the Information Commissioner recommends organisations take to prepare for the GDPR.