The General Data Protection Regulation (GDPR) has been long discussed but will finally come into force in just a year’s time, on 25th May 2018. Replacing the current Data Protection Act, the GDPR introduces a series of far-reaching changes to the way in which organisations are allowed to store, move and manage data.
The main reasons behind the introduction of the GDPR are clear: it strengthens, simplifies and unifies previously disparate data protection regimes across Europe and extends the rights of individuals with regards to consents, their access to and maintenance of their own personal data.
Despite Brexit, organisations in the UK will still be obliged to adopt the GDPR. Not only will the GDPR take effect before the UK leaves the EU, but any non-EU organisation doing business with EU customers or processing their data needs to comply or face significant fines of up to 4% of annual global turnover or €20 million, whichever is greater.
A key principle of the regulation is ‘data protection by design and by default’. Systems and processes must have data privacy built in from the start and data should only be collected to fulfil specific purposes and discarded when no longer needed. In an age where storage is both plentiful and relatively cheap, the tendency in recent years has been to keep everything ‘just in case’, so this mindset will need to change.
Another big change is that Data Processors, who manage data on behalf of companies, will share responsibility with Data Controllers, the owners of the data. Anyone outsourcing the management of the personal data they process needs to ensure that contractual arrangements are updated and that responsibilities and liabilities are clearly stated.
As part of this, controllers need to be aware of new restrictions on moving data across borders to non-EU countries and ensure that they are working with processors who are also compliant.
The right to erasure (‘to be forgotten’) is a part of the GDPR which could create a lot of work for organisations that do not have an accurate picture of which personal data they are storing about customers, employees, prospects etc. Data that is deemed personal includes any information that could be used to identify an individual, including genetic information. Individuals can ask an organisation what data it holds about them, request erasure without undue delay in certain situations and ask for proof that the data has been securely erased.
From 25th May 2018, companies that fail to protect data and experience breaches will need to report incidents to their data protection agency within 72 hours of the Data Controller becoming aware of them. Data subjects will need to be notified where there is a high risk to them following a breach.
With all of this in mind, the key priorities for organisations in the coming 12 months will be to:
- Assess whether or not they need to appoint a Data Protection Officer (DPO). All public authorities and companies that practice ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data’ should appoint a DPO.
- Ensure that data is correctly catalogued, including alignment to approved retention policies, and that data that is no longer required is securely erased. This includes data stored in the cloud and paper documents stored off-site. Organisations may have paper documents stored off-site for decades that have been scanned and duplicated in online systems – while paper is difficult to hack, document storage must be compliant with the principles of the GDPR.
- Consider how paper documents containing personal data entering the organisation are dealt with as they move through various business processes. By setting up a digital mailroom, organisations can ensure that they have a clear and compliant audit trail for all paper documents entering the business.
- Conduct due diligence on where data is being stored in the cloud by cloud application providers and other Data Processors. This could include file sharing apps used by individuals within the business as well as corporate systems such as accounting, CRM, personnel and content management platforms.
- Make sure the cloud hosting provider has the tools and technologies in place to protect data, identify and report a data breach and produce information and/or incident logs when required.
- Request confirmation from the cloud hosting provider that data is not leaving the EU or that it is not crossing borders to non-compliant countries where there is a higher potential risk of espionage.
- Create the required Records of Processing Activities.
- Update the Data Protection Policy and data breach procedures.
- Review procedures for subject rights and update privacy notices and consent forms.
While the GDPR is a major shake-up of the data protection regime in the EU, it is also an opportunity for organisations to introduce best practice in data and document management and use this to enhance trust in their business and processes. While this is one incentive for taking urgent action, the threat of fines that could potentially put an organisation out of business is another, equally pertinent one. Time is running out to get the basics in place.