GDPR - Final summary thoughts
Guest blog by Felix Ong | 5 June 2018
The EU's General Data Protection Regulation (GDPR) is the culmination of seven years (the initial version of GDPR was drafted in 2007 before being finally approved by the EU in 2016) of efforts to update data protection for the 21st century, in which people regularly grant permissions to use their personal information for a variety of reasons in exchange for 'free' services.
In the UK, GDPR replaces the Data Protection Act 1998 (once the implementing legislation has been passed by the UK Parliament), which was itself brought into law to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduces hefty penalties both for organisations that fail to comply with the rules and for those that suffer data breaches.
The GDPR standardises data protection law across all 28 EU countries and imposes strict new rules on controlling and processing personally identifiable information (PII). It also extends the protection of personal data and data protection rights by giving control back to EU residents. The GDPR will be enforced from May 25, 2018.
Key areas of the GDPR
According to EUGDPR.org, there are several changes under the GDPR that differ from the previous UK rules. The first relates to the increased territorial scope: the GDPR applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company's location.
The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) or to monitoring behaviour that takes place within the EU. Non-EU businesses that process the data of EU citizens will also have to appoint a representative in the EU.
The other key area is financial penalties. Under GDPR, organisations in breach can be fined up to 4% of annual global turnover or €20 million (whichever is greater). Both controllers and processors (eg 'cloud' computing companies) can be subject to these penalties. There is also a requirement for processors to register with the Information Commissioner's Office (ICO), which is a significant GDPR change for them.
Lastly, the conditions for consent have been strengthened. Companies will no longer be able to rely on long, illegible terms and conditions full of legalese: the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
The rights of the data subjects have also been enhanced. Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to 'result in a risk for the rights and freedoms of individuals'. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, 'without undue delay' after first becoming aware of a data breach. Failure to report a data breach may also result in a monetary sanction.
Data subjects also have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, and if so, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This is known as a subject access request; previously organisations had 40 days to comply, now they have a month.
Another right is data erasure, also known as the right to be forgotten. The data subject has the right to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or the data subject withdrawing consent.
GDPR also introduces data portability. This is the right for a data subject to receive the personal data concerning them, which they have previously provided, in a 'commonly used and machine readable format', and the right to transmit that data to another controller.
Another important topic is privacy by design, which has become a legal requirement under GDPR. Privacy needs to be built in from the outset when designing systems, rather than added afterwards.
The duties of the data protection officer (DPO) have also been further clarified. Appointing a DPO will be mandatory for public authorities, and for controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale. The GDPR sets the expectations for the DPO as follows:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices.
- May be a staff member or an external service provider.
- Contact details must be provided to the relevant DPA.
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge.
- Must report directly to the highest level of management.
- Must not carry out any other tasks that could result in a conflict of interest.
Governance aspects of GDPR from the organisations’ point of view
According to Forbes, there are a number of pointers that organisations can use as a starting point for complying with GDPR. The organisation should seek to appoint a data protection officer, if required. The current state of its data protection rules and policies, in particular on consent, should also be reviewed. In addition, I would also suggest that the organisation ask internal audit for an assessment of compliance.
Organisations can reach out to their local regulatory body, ie the ICO, or to a trusted consultant for additional advice. They can also initiate a data mapping exercise to understand the data they acquire, hold and process, and the legal basis for doing so. Privacy needs to be designed into systems and processes, and respect for data subject rights needs to be stepped up. Policies and procedures for handling any security breach need to be in place. A company-wide staff awareness programme on GDPR should also be initiated so that staff are aware of those policies and procedures.
For any third-party suppliers that are categorised as 'processors', it is important to understand their data protection policies and whether these processors comply with the GDPR.
Organisations should also explore technology tools to encrypt PII and to address other aspects of GDPR (eg deletion and portability of PII).