Goodbye Data Protection, Hello GDPR
14 September 2017
Taking good care of your data is vital, especially personal data about individuals. Personal data belonging to individuals and held by organisations in the European Union (EU) are currently protected by the Data Protection Act (DPA) rules, which regulate what people can and cannot do with that data. That all changes on 25th May 2018.
Introducing the General Data Protection Regulation (GDPR). While it is similar to the current regulations, there are some important differences. Contrary to what some people think, Brexit makes no difference to the need to comply with GDPR by that date.
Here are some areas you should be thinking about. This is an overview of the key areas relating to GDPR; it is not a legal guide.
What is GDPR?
GDPR builds on the protection given by the current DPA rules but gives greater significance to accountability and governance. Where these were implicit under the current rules, they will now be explicit under GDPR.
The intention is to increase the protection of an individual’s personal data and to minimize breaches.
Essentially, this means you now need to have relevant and explicit governance in place. If you already follow good practice, then you probably already largely comply with the new regulations. It also means that these are not just good practice now, but are also a legal requirement in certain circumstances.
GDPR also now applies to ALL personal data about EU citizens, wherever that data is held and wherever the organisation holding it resides. Yep, so it also applies to Facebook and Google (should be interesting).
What data does it apply to?
Both the current rules of DPA and the new rules of GDPR apply to personal data. Under GDPR, the definition of personal data is more detailed and clarifies some of the uncertainties of what personal data actually is. GDPR also takes into consideration a wider range of ‘personal identifiers’, such as IP addresses, reflecting the changes technology has made in the ways and types of personal data now being collected and held about people.
GDPR applies to both electronic and non-electronic data. This is a wider scope than the current DPA rules.
Essentially, if you can extract information about an individual from your records, it probably falls under the scope of GDPR.
Sensitive personal data
The definition of ‘sensitive’ is broadly the same as under DPA rules, with some minor differences. For example, ‘sensitive data’ under GDPR covers information like genetic and biometric data, where this can be processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences are not included in this definition, but similar extra safeguards apply to their processing.
Other differences include:
- Mandatory breach notification within 72 hours
- Right to a free electronic copy of your personal data
- Right to be forgotten if the personal data is no longer relevant to the original purpose of collection (unless in the public interest to keep it)
- Systems should be designed so that only essential and necessary data is held and accessible
- It is no longer a requirement for ‘controllers’ to report processing activities to local DPAs – instead, there is a requirement to keep specific internal records
Some of these are straightforward; some are not.
Who should know about GDPR?
Although all senior members of staff should be aware of an organisation’s position, GDPR has particular requirements for data ‘controllers’ and ‘processors’.
Data ‘processors’, in particular, should be aware that under GDPR there is significant legal liability for any breaches.
Data ‘controllers’, too, have additional responsibilities to ensure data ‘processors’ comply with GDPR.
Should I be worried?
If you hold any personal data and do not have robust data management, then yes. How much risk you run will depend on:
- How much personal data about individuals you hold, and whether it is sensitive as defined under GDPR
- How good your current procedures are for managing consent, storage and breaches
- How clearly you have defined the responsibilities and accountabilities for processing and controlling data
You should also know that the penalties for non-compliance are up to 4% of your annual turnover (up to 20 million Euros), and in some cases prison. Gulp!
What should I do next?
The most important action is to review your status with regard to personal data management NOW. May 2018 may seem a long way off, but if you do have work to do to be compliant, give yourself time to do it. You do not want to be in a panic and risk non-compliance, or worse, prosecution.
- Check your DPA status. If you are fully compliant with the current regulations and have implemented good practice, then you probably will be ok with GDPR too
- Check if you hold personal data that falls into the new definition of personal data or sensitive personal data
- If you use third parties, check their compliance status and timescales, and get their help before all their other customers ask for it
- If you don’t currently conform to good practice, start putting procedures in place now
- Identify your data ‘processors’ and data ‘controllers’ and make sure they understand the new rules
Preparing for GDPR - 12 steps to take now: this checklist, from the Information Commissioner’s Office, highlights 12 steps you can take now to prepare for the General Data Protection Regulation (GDPR), which will apply from 25 May 2018.
Glasscubes is a UK based collaboration tool solutions provider that supports a full range of cloud based options. Find out more about how they can help you manage your data safely and effectively by calling +44 (0)20 3274 2310.