Is your business ready for GDPR?!
General Data Protection Regulation
Introduction
The General Data Protection Regulation (GDPR) applies from 25th May 2018 and, in the UK, replaces the Data Protection Act 1998. The GDPR protects the rights of individuals in the EU (not only EU citizens). Crucially, it no longer matters where the data is collected, stored or used: the rights and protections apply wherever an organisation processes the personal data of people in the EU, whether because it is established in the EU or because it offers goods or services to, or monitors the behaviour of, people in the EU (Article 3). This closes a significant loophole whereby US Internet companies could avoid complying (or comply only to a limited degree) by stating that the data was collected or held outside the EU.
The GDPR relates to both employee data and customer data.
Employees
Employers – must follow the GDPR when collecting, storing or otherwise processing any employee data.
Customers
Customers – the GDPR also covers all customer data collected by a business, so every company must tell customers how their data will be used. Where consent is the basis for processing, customers must opt in specifically and clearly (consent is one of six lawful bases under Article 6, so not every use needs it, but where it is relied on it must be genuine). For websites, this means clear tick-boxes requiring an active opt-in: a pre-ticked box does not count as consent.
Individual Rights
The GDPR includes the following individual rights.
The right to be informed – you are entitled to know what data is collected about you, and how it will be processed and used.
The right of access – you are entitled to confirmation that your data is being processed, and to a copy of that data.
The right to rectification – you are entitled to have any inaccurate or incomplete personal data corrected. Any third parties to whom the data has been disclosed should be told of the correction or addition, unless this is impossible or involves disproportionate effort.
The right to erasure – also known as the “right to be forgotten”. You are entitled to have your data erased and to prevent any further processing where:
- Your data is no longer necessary for the purpose it was collected for
- Where you withdraw your consent
- Where you object to the processing and no overriding legitimate interest exists
- Your data was unlawfully processed
- Your data has to be erased to comply with a legal obligation or court order
The right to restrict processing – you have the right to block further data processing in the following circumstances:
- Where you contest the accuracy of the data
- Where you have objected to the processing and the organisation is still checking whether its legitimate grounds override yours
- Where processing was unlawful, but you have requested restriction rather than erasure
- Where the organisation collecting the data no longer needs the data, but you require it to establish, exercise or defend a legal claim, (this can include an employment-related claim)
In these situations, the organisation should continue to hold your data, but cease to process it further.
The right to data portability – where you have provided personal data to an organisation, and it processes that data by automated means on the basis of your consent or a contract, you have the right to receive it back in a structured, commonly used and machine-readable format, free of charge, or to have it sent directly to another organisation where technically feasible. This covers only personal data relating to you, not data about another person or employee. It is expected to be significant for switching utility suppliers, banks, insurance companies and so on: it is designed to make switching easier and to open up competition between existing and new suppliers.
The right to object – you have the right to object to your personal data being used:
- For direct marketing, including profiling for that purpose (this objection must always be honoured)
- For processing based on legitimate interests or a public task, unless the organisation can show compelling legitimate grounds that override yours
- For scientific or historical research and statistical analysis, unless the processing is necessary for a task in the public interest
Rights related to automated decision-making and profiling – you have the right not to be subject to a decision based solely on automated processing where that decision produces legal effects concerning you or similarly significantly affects you. Where such a decision is made, you are entitled to human intervention, to express your views, to receive an explanation of the decision and to challenge it. The exceptions are where the decision is:
- Necessary for entering into or performing a contract with you
- Authorised by law, for example to prevent fraud or tax evasion
- Based on your explicit consent (Article 22(2)(c))
GDPR Data Protection Principles
Under Article 5 of the GDPR organisations must comply with the following principles, so that your data is:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes, and not processed in any way incompatible with those purposes
- Adequate, relevant and limited to what is necessary
- Accurate and, where necessary, kept up to date
- Not kept in identifiable form for longer than necessary
- Processed securely, with appropriate protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
The organisation must also be able to demonstrate its compliance with these principles (accountability). Transfers to countries outside the EU are governed separately by Chapter V of the GDPR, which only permits them where adequate protection or appropriate safeguards are in place.
Your Explicit Consent
Under Article 6(1)(a) of the GDPR, where an organisation relies on consent to collect and use your data, that consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (Article 4(11)); explicit consent is required for special categories of data under Article 9(2)(a). This means an end to pre-ticked boxes on forms, and to the trick of bundling consent or requiring opt-in for some data and opt-out for other data. Basically, no more tick-box games. You must also be able to withdraw consent as easily as you gave it (Article 7(3)).
Data Breaches & Reporting
Where an organisation becomes aware that a personal data breach has occurred, it must report the breach to the Information Commissioner’s Office (ICO) (the UK data protection regulator) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to people’s rights and freedoms (Article 33). If the report is late, the reasons for the delay must be given. This is a significant addition under the GDPR.
Further, the organisation must tell you about the breach, without undue delay, where it is likely to result in a high risk to your rights and freedoms (Article 34), for example where the data accessed could lead to identity theft, loss of confidentiality or other significant loss. This is to stop organisations reporting to the regulator but then delaying (or avoiding) telling the people affected, as when Yahoo delayed telling users about breaches of Yahoo Mail accounts.
Data Protection Impact Assessments (DPIAs)
Organisations need to carry out a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to result in a high risk to the rights and freedoms of individuals, in particular where new technologies, platforms or software are used (Article 35). The assessment must identify the risks and the measures taken to address them, and where a high risk remains the organisation must consult the ICO before going ahead (Article 36). This covers situations such as Google’s Street View cars collecting data from open Wi-Fi networks while photographing streets: under the GDPR the risk would have to be assessed in advance, and the collection avoided or mitigated.
Data Protection Officers
Some organisations will also need to appoint a named Data Protection Officer (DPO): public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (Article 37). The DPO must report directly to the highest level of management and must not be penalised for doing the job (Article 38). This gives you an idea of how seriously organisations have to take data collection and security.
Conclusion
Data is the new currency of the modern world – just look at how much money Google, Facebook and others make from collecting, aggregating and selling our data to advertisers.
For organisations, the main risk remains data security breaches and the costly fines that follow (up to 20 million Euros or 4% of annual global turnover, whichever is higher), together with the reputational damage that goes with them.
Now that this has been elevated to board-level responsibility the people at the top can no longer blame IT departments or others – the buck will stop at the top.
Expect to see organisations spending significant sums on protecting your data, because this is where the real risk lies: not in collecting your data, but in storing and protecting it.