An Introduction to the GDPR
The GDPR Series - Entry 1 of 6
Welcome to the first of our six-part series on GDPR. With so much emphasis on the new regulation and the May 25th deadline drawing closer, we wanted to offer you some assistance in addressing the key questions around the new requirements. As you know, acceptcards are experts in payments... but not so much in data protection regulations. With this in mind, we've invited our friends from Legacy IT Consultants Ltd to write this guest series on our behalf. Enjoy...
The General Data Protection Regulation (GDPR) is an EU regulation that seeks to strengthen and unify data protection for all EU residents. It is the most radical change to data protection since the Data Protection Directive and the Data Protection Act (DPA) that date back to the 1990s. GDPR enhances existing regulations and introduces new obligations and rights, which will result in some key changes. It gives far-reaching rights to individuals (i.e. the data subject) in terms of their data, and it imposes significant penalties of up to 20 million Euros or 4% of annual global turnover for any breach. As a comparison, under the DPA the maximum monetary penalty that can be imposed is £500,000.
It is already written into UK law, and it becomes enforceable on 25th May 2018. It will still apply even after Brexit, as it applies to non-EU countries that control and process the data of EU citizens.
GDPR effectively supersedes the DPA. If you are currently impacted by the existing DPA it is almost certain that you will be impacted by GDPR. If you are not impacted by the DPA, there is still a strong possibility that you will be impacted by GDPR.
The regulator in the UK is the Information Commissioner’s Office (ICO), and their website should be visited regularly by anyone moving towards GDPR compliance.
They also have a helpline dedicated to GDPR for SMEs. The number is 0303 123 1113, from where you select option 4. They are not going to talk you through your GDPR project line by line, but they can offer helpful advice and guidance in areas where there is ambiguity or doubt.
At present there is no certification or accreditation that will mark you as GDPR compliant. However, it is the responsibility of each and every organisation to ensure that they are at least on a journey towards compliance, and compiling an Evidence Library is a key activity in demonstrating your intent. The Evidence Library should contain anything and everything that you have done on your GDPR project. This includes privacy impact assessments, data protection impact assessments, updated policies and processes, key staff requisitions, system changes, training and awareness campaigns, GDPR project artefacts, and attendance at GDPR summits, webinars and conferences.
It is anticipated that over the coming months accreditation schemes and codes of conduct will be introduced. Adherence to these schemes may have several advantages:-
- Give individuals the confidence to share their data with an organisation
- Provide mitigation against potential enforcement action
- Establish best practice in a specific area of processing
- When selecting third parties an organisation can take into account their level of certification before electing to do business with them
Pillars of The GDPR
The GDPR is built around:-
- Coherent rules
- Simplified procedures
- Co-ordinated actions
- User involvement
- More effective information
- Stronger enforcement powers
Your organisation will either be a Data Controller or a Data Processor. These terms exist and are broadly similar under the DPA. Generally, the controller stipulates how and why personal data is stored and processed, the processor executes these stipulations. Contracts between controllers and processors must be GDPR compliant, and it is the controller’s responsibility to enforce this compliance. Although a Data Processor acts on behalf of a Data Controller, they have an obligation to maintain records of personal data and processing activities, and they have significantly more liability in the case of a breach.
Scope of The Data
The GDPR applies to both electronic and manual filing systems, including chronological files of manual records that contain personal data.
It covers customer records, HR records, contact details, etc.
The GDPR defines personal data as any information relating to an individual, and covers private, professional and public identities. It can be a name, a photograph, an email address, bank details, names on social media (e.g. Twitter name), social media and forum posts, medical information, computer IP address, etc. However, much of this does not apply to law enforcement or national security – this is covered by a separate directive.
Sensitive personal data is, by definition, more sensitive than ordinary personal data. It may contain information about an individual’s race, ethnic origin, political affiliation, trade union membership, genetics, biometrics, health, sex life or sexual orientation.
Data Transfer Outside The EU
The GDPR explicitly seeks to unify data protection across the EU. To further strengthen this there is a restriction on the transfer of data outside the EU. Transfers may be made to a third country where the Commission has decided that the third country ensures an adequate level of data protection. Organisations must consider whether appropriate safeguards are in place before engaging in any processing activities that involve the transfer of data outside the EU. The rights of the individual must remain enforceable and effective legal remedies for individuals must be available following the transfer.
Data Breaches
A data breach is described as the inappropriate destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data.
The ICO must be informed of a breach where it is likely to result in a high risk to the rights and freedoms of individuals.
The detrimental effect to an individual could involve reputational damage, financial loss and economic disadvantage.
If the risk to the individual is high then you must also notify those whose data has been breached as soon as possible.
Breaches should be fully documented (transparent) and a full impact analysis should be completed as part of the review and investigation.
A notifiable breach must be notified to the ICO within 72 hours of becoming aware of the breach.
Failure to notify a breach can result in a fine of up to 10 million Euros or 2% of annual global turnover, whichever is the greater.
Breach notification should include:-
- Categories of personal data involved
- Categories of data records
- The number of individuals affected
- The number of records affected
- Name and contact details of the Data Protection Officer or their equivalent
- Details of the potential consequences
- Details of the measures taken or proposed to address the breach
Organisations should have measures in place to deal with data breaches. These include:-
- A robust breach policy
- An education campaign to ensure that staff are aware of their responsibilities
- Organisational and technical measures to detect breaches as soon as they occur
The ICO will take into account a number of factors in the case of a breach. These may include:-
- Has the organisation contacted data processors / other data controllers to prevent further damage?
- Has the data controller implemented technical measures such as privacy by design / default?
- Has the organisation implemented the appropriate level of security?
- Are data protection routines / policies known and applied at the appropriate managerial level?
- Has the organisation had any previous infringements?
- Has the organisation co-operated with the ICO?
The ICO will also consider various factors when determining the appropriate penalty:-
- What are the categories of data affected?
- Are special categories of personal data involved?
- Is the data directly or indirectly identifiable?
- Does it involve data that could cause immediate damage or distress?
- Is it directly available or is it encrypted?
- Who notified the authority?
- Has the organisation signed up to an approved code of conduct (if one exists)?
Over the next few weeks we will delve into different aspects of the GDPR including accountability, basis for processing, rights of the individual, impact assessments and the Data Protection Officer and compliance.
For more information, advice or assistance on the GDPR please visit the Legacy IT website here or email us at email@example.com
Author: Mike Madden - Legacy IT Consultants Ltd