GDPR is fast approaching. How prepared is your organisation?
GDPR is fast approaching and the data protection rules in Europe will face their biggest change in 20 years. With the GDPR looming, the more organised amongst us have already started taking positive steps towards preparing for the 25th May 2018, when the new rules will come into force. But don’t worry if you haven’t started yet – there is still time to get your company into shape. Here, we’ve created a refresher guide to clear up any confusion and to get you up to speed with what the GDPR might mean for your organisation.
What is the GDPR?
First things first, let’s take it back to basics. The General Data Protection Regulation (GDPR) is a new data protection framework for Europe. Its role is to standardise data rules across Europe and replace the UK’s current 1998 Data Protection Act. By introducing a series of changes to current data protection acts and duties, it will impact the way businesses store, move and manage data. The regulation is said to address the changes that the rapid development of technology has brought about on the handling of personal data. The main reasons behind the introduction of GDPR are clear: it strengthens, simplifies and unifies previously disparate data protection regimes across Europe.
The rights of individuals are at the forefront of the changes, with regard to consent and to their access to and maintenance of their own personal data. To put things simply, the old regime that was created in the 1990s is no longer sufficient when it comes to the huge amounts of data we collect and store today.
The GDPR will change how all organisations and businesses will handle personal data, and as a result those active in the EU have been preparing for its implementation since April 2016. Failure to comply and data breaches will result in tougher fines and harsh punishments, so it is crucial to ensure every aspect of your business is up to scratch. These new rules will be enforced in the UK by the Information Commissioner’s Office.
So before we start, we will go through some key terms which relate to GDPR – giving you the power to break down GDPR jargon to fully understand the implications for your company.
Data: Information that is stored electronically or in a paper-based filing system.
Data controllers: The person who is legally responsible for the purposes and means of processing personal data.
Data processors: The person who legally processes an organisation’s data on behalf of the data controller.
Personal data: Any information that relates to an identified or identifiable living individual.
Sensitive personal data: Personal data that reveals information about an individual’s physical or mental health, ethnic origin or political opinions and more.
Processing: Any act of obtaining, handling or recording data, or of carrying out a process which involves personal data. This can include organising, storing, consulting and restricting – whether this is automated or not. Processing also includes disclosing data and erasing it.
Will my organisation be affected?
GDPR applies to any organisation, public or private – anyone holding or processing data on EU citizens including companies outside of Europe. Also, if your business offers services or goods to EU citizens, then you must also abide by GDPR.
All businesses that work with personal data should appoint a data controller who is in charge of GDPR compliance. A data controller is responsible for stating how and why data is processed. The data processor is the body in charge of doing the actual processing. This means that anyone outsourcing the management of personal data they process needs to ensure that contractual arrangements are updated and that responsibilities and liabilities are clearly stated.
For those who don’t comply with GDPR, there will be tougher penalties than in previous years. GDPR fines could be as high as 4% of your annual global revenue or €20 million, whichever is greater. Damage to businesses’ reputations would also be irreparable.
What about Brexit?
There has been some confusion surrounding the relationship between Brexit and GDPR. Unfortunately for UK businesses, Brexit has made no difference and they must still work towards compliance despite leaving the EU in 2018. The legislation in GDPR applies to all businesses operating within the EU and using EU data.
Latest thinking suggests that the UK could replace the Data Protection Act (1998) with legislation that replicates the GDPR, allowing the UK to achieve free data flow after Brexit. However, our government has stated that it may take up to three years for the European Council to decide whether the UK has sufficient data protection to match the GDPR.
In simple terms, if your organisation operates within the UK or anywhere else in Europe, you must meet the GDPR obligations when it comes into force. Remember the deadline is 25th May 2018.
Key principles of GDPR
The full regulations of GDPR consist of 99 articles that establish the rights of individuals and the obligations that organisations must meet. However, we have picked out the key parts you need to know and the most important changes for your business.
Data controllers and data processors: The GDPR sets out responsibilities for controllers and processors of data. More in-depth guidelines for data controllers and processors are available from the ICO.
Data protection officers: Organisations are required to appoint a data protection officer (DPO) in some circumstances. The Regulation sets out specific provisions a DPO should carry out. Employers also have duties set out for them in the Regulation in respect to the DPO.
Accountability: The GDPR places more importance on organisations and their data controllers to demonstrate their accountability. The Regulation states that any breach of, or destruction, loss, alteration, unauthorised disclosure of, or access to, individuals’ data must be reported to the UK’s data regulator (the ICO) if the breach could have a damaging impact on the individual’s rights.
Data breach notification: In the event of a personal data breach, data controllers must report the breach to the Information Commissioner’s Office (ICO) no later than 72 hours after the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subject.
Lawful basis for processing data: To process data lawfully under the GDPR, businesses need to identify a ‘lawful basis’ before processing personal data, and this should be documented. This differs from the current law as the GDPR has changed the data subject rights.
Data protection by design and default: Going forward, systems and processes must have data privacy built in from the beginning, and data should only be collected to fulfil specific purposes and discarded when no longer needed. In an age where storage is both plentiful and relatively cheap, the tendency in recent years has been to keep everything ‘just in case’ – this mind-set will need to change.
Data erasure: The ‘right to be forgotten’, also known as ‘data erasure’, is an individual right set by the GDPR. This means that EU residents have the right to request that personal data relating to them is erased.
Right to access: Under the GDPR data subjects have the right to access their own personal data and information. The right to access allows data subjects to be aware of and verify the lawfulness of the data processing.
Consent: A higher standard of consent is set by the GDPR. This puts the individual’s rights first by putting them in control. Under the Regulation, consent requires a positive opt-in and requires organisations to give a very clear and specific statement of consent.
The key priorities for organisations
With all this in mind the key priorities for organisations operating in the EU and processing data from EU residents over the coming 6 months will be:
- Assess whether or not to appoint a data protection officer. All public authorities, and companies that practise regular and systematic monitoring of data subjects on a large scale or that conduct large-scale processing of special categories of personal data, should appoint a DPO.
- Ensure that data is correctly catalogued. This includes aligning it to approved retention policies and ensuring that data that is no longer required is securely erased. This also covers data stored in the cloud and paper documents stored off-site. Paper documents that have been stored off-site for decades may now have been scanned and duplicated in online systems – while paper is difficult to hack, document storage must be compliant with the principles of GDPR.
- Consider how paper documents are dealt with. Paper documents containing personal data entering the organisation must meet the GDPR regulations as they move through various business processes. By setting up a digital mailroom, you can ensure that you have a clear and compliant audit trail for all paper documents entering the business.
- Conduct due diligence on where data is being stored. This is in relation to data that is being stored in the cloud by cloud application providers and other data processors. This could include file sharing apps used by individuals within the business as well as corporate systems such as accounting, CRM, personnel and content management platforms.
- Ensure your cloud hosting provider is secure. Make sure the cloud hosting provider has the tools and technologies in place to protect data, identify and report a data breach and produce information and/or incident logs when required. Request confirmation from the cloud hosting provider that data is not leaving the EU or that it is not crossing borders to non-compliant countries where there is a higher potential risk of espionage.
- Create required Records Of Processing Activities. You can begin by identifying the lawful basis for your data processing activity in the GDPR and then document it and amend your privacy notice to explain it to data subjects and the ICO.
- Update Data Protection Policy and data breach procedures. It is imperative to ensure you have the right procedures in place so your company can easily identify, report and investigate a breach of personal data.
- Review procedures for subject rights and update privacy notices and consent forms. Ensure that all procedures for subject rights are updated to the legislation set out in the GDPR. Amend privacy notices and consent forms to prepare for the changes to individuals’ rights.
While the GDPR will no doubt cause a major shakeup of the data protection regime in the EU, it is also an opportunity for organisations to demonstrate best practice in data and document management and use this to enhance trust in their business and processes.
With less than 6 months before 25th May 2018, it is time to seriously start taking steps towards compliance. The threat of tougher fines, which could put any organisation at risk regardless of size, is reason enough to hit the ground running.
It is time to get the basics in place. If you need assistance with document management, please do contact us or explore our document scanning and digitisation services.