The General Data Protection Regulation, or GDPR, will in many cases revolutionise how businesses process and handle data. The existing data protection laws were created in the 1990s and are no longer fit for purpose.
GDPR is the EU’s answer to the ever-growing problem of data volumes and how organisations are using, storing, analysing and managing their customers’, suppliers’ and partners’ data. GDPR will come into force on the 25th May 2018, but many businesses have still not allocated budget, time or resources to the new GDPR compliance guidelines. Because of the fines involved for non-compliance and the potential business benefits it could bring in terms of information management, GDPR is not something that should be ignored.
To help your business understand more about GDPR and what it needs to do in preparation, here is Wanstor’s brief guide to GDPR success.
What is GDPR?
GDPR is the EU’s new framework for data protection laws, replacing the 1995 data protection directive on which UK law is based. The EU’s GDPR website states that the legislation is designed to ‘harmonise’ data privacy laws across Europe, as well as to give greater protection and enhanced rights to individuals. Within the GDPR regulations, there are significant changes for businesses that handle customer, supplier and partner information. The 25th of May 2018 is the most important date to remember with regard to GDPR – it is the date upon which this legislation goes live.
Why do we need to comply with GDPR? There are already data protection laws in place.
Each member state in the EU operates under the current 1995 data protection directive and has its own national laws. In the UK, the current Data Protection Act 1998 sets out how personal information can be used by companies, the government and other organisations. GDPR changes how personal data can be used, stored and managed. The existing data protection laws in the UK will be updated based on the new GDPR guidelines, which means that all businesses in the UK will have to adhere to a new set of data protection policies.
Okay, so the law is changing around data protection. How will my business be affected?
Individuals, organisations and businesses that are either controlling or processing personal data will be covered by GDPR. Both personal data and sensitive personal data are covered by GDPR.
Personal data is defined as a piece of information that can be used to identify a person. This can be a name, address, IP address, email address… you name it, and there is a strong likelihood that it can be classified as personal data.
Sensitive personal data encompasses information such as genetic data, information about religious and political views, and sexual orientation. These definitions are much the same as those within the current data protection laws, and often relate to information that is collected through automated processes.
Where GDPR differs from the current data protection laws is that any data which could be interpreted as personal data may fall under the law if it is possible to identify a person from information they have given, whether or not that information relates directly to them.
For businesses, this means undertaking a process of identifying all potential personal data that they hold, identifying where it is stored, ensuring that it is being managed correctly, and guaranteeing that they can delete it if requested. Although this may sound like a simple process, the reality is very different. Many businesses hold personal customer information in silos across the estate, as it is used by different departments for different purposes. So taking the time to identify all potential personal data is a challenging task which must be undertaken by the IT team and functional business units.
So, what’s different to existing data protection rules?
There are 99 articles setting out the rights of individuals and obligations placed on businesses covered by the GDPR regulation. These include allowing people to have easier access to the data that companies hold about them, a new penalty regime and a set of clear responsibilities for businesses when obtaining consent from people that they collect information about. Businesses covered by GDPR will be held more accountable for their handling of people’s personal information. This can include having data protection policies, data protection impact assessments and relevant documents in place on how data is processed.
Under GDPR, the ‘destruction, loss, alteration, unauthorised disclosure of or access to people’s data’ has to be reported to the country’s data protection regulator (the ICO in the UK) where it could have a detrimental impact on those to whom it relates. This can include issues such as financial loss, loss of confidentiality, and damage to reputation. Under the GDPR regulations, the ICO will have to be informed of any data protection breach within 72 hours of a business discovering such an event. Additionally, the people it may affect must be informed of the breach. This additional stress on the data management process is likely to test even the most robust data management strategies, and is why Wanstor are recommending that businesses take action now to assess where data is stored and to make improvements to information management strategies before the new legislation comes into force. Come the 25th May, it could prove extremely costly for businesses that are unable to locate data they hold which is involved in any form of breach.
For businesses with more than 250 employees, there will be a requirement to maintain documentation that justifies the need to collect and process people’s information, describes the information that is held, states how long it is being kept for, and describes the technical security measures being employed to protect this data. Additionally, companies that carry out ‘regular and systematic monitoring’ of individuals on a large scale or that process large volumes of sensitive personal data will be required to employ a Data Protection Officer (DPO). For many businesses covered by GDPR, this will mean hiring a new member of staff in order to comply with the GDPR regulation.
There will be a requirement that businesses obtain consent for the processing of data in certain situations. When a business is relying on consent to lawfully use a person’s information, it will need to explain clearly that consent is being given, and there will need to be a ‘positive’ opt-in.
Access to data
As well as placing new obligations on businesses collecting personal data, GDPR also gives individuals greater power to access the information that is held about them. At present, a Subject Access Request (SAR) allows businesses and public bodies to charge £10 when releasing personal data requested by an individual. Under GDPR, this charge will be scrapped, and requests for personal information can be made free of charge. When someone makes a request for personal data held by a business, that business will be required by law to divulge this information within one month of the request. Everyone will have the right to obtain confirmation that a business holds personal information about them and to access this information. Additionally, GDPR gives a person rights around the automated processing of data. The ICO states that individuals ‘have the right not to be subject to a decision’ if it is automatic and it produces a significant effect on them. There are exceptions to this, but generally, individuals must be provided with an explanation of a decision that has been taken about them.
The new regulation also gives individuals the power to have their personal data erased. This includes cases where the data is no longer necessary for the purpose it was collected for, where consent is withdrawn, where there is no legitimate interest, or where it was unlawfully processed or collected in error.
What if we get it wrong?
One of the most topical elements of GDPR will be the regulator’s ability to penalise businesses that fail to comply. If a business does not process an individual’s data correctly, this will result in a financial penalty. If it is required to employ a Data Protection Officer and does not, it can again be subjected to a fine. A security breach may also prove costly to businesses.
These monetary penalties will be decided upon by the ICO; the legislation states that smaller offences could result in fines of up to €10 million, or two per cent of a firm’s global turnover (whichever is greater). Those with more serious consequences can attract fines of up to €20 million, or four per cent of a firm’s global turnover (whichever is greater). Obviously the potential fines are significant, and substantially higher than the existing maximum penalty of £500,000 that the ICO is capable of issuing at this point in time.
There is speculation that the ICO will look to make early examples of businesses which fail to comply with GDPR – Wanstor understands, however, that this may not be the case. Standard procedure for dealing with data breaches will be employed by the ICO. In reality, this may mean a letter of warning followed by a small fine for the first offence (depending on the severity of the breach), with larger penalties reserved for cases where gross negligence is indicated.
So how should I prepare my business for GDPR?
When implemented, GDPR will have an impact on all UK businesses. At Wanstor, we suggest taking the following actions now, if they have not already been implemented:
• Undertake a GDPR compliance audit or assessment with your IT partner
• Develop a GDPR compliance roadmap with activity milestones in place
• If your business has more than 250 employees, you will need to recruit a Data Protection Officer
• Identify where new procedures need to be introduced across different business functions
• Recruit a GDPR project team with representatives from IT, Finance, Legal, HR, Marketing, Sales and Operations
• Ensure that data authentication and encryption are up to date
• Schedule training with employees where new GDPR processes will affect job specifications
• Make sure that time is allocated to test new data management policies and processes
• Meet with suppliers and partners to ensure that they are GDPR compliant and do not present any threat in the form of a data breach
• Ensure that clear procedures are in place around the processing and deletion of data
• Ensure that ‘right to be forgotten’ requests are administered within the new GDPR guidelines
Developing the right approach to the rules
In the coming months, businesses can expect an abundance of official guidance from national bodies such as the Information Commissioner’s Office. This will clarify and dictate the detail of what specific industry sectors must do to prepare for GDPR. This does not mean that businesses cannot take the initiative and begin preparing now.
At Wanstor we believe businesses need to evaluate the personal data they hold immediately. In order to do this, a data audit should be undertaken with an IT partner who has a deep understanding of data and information management. Once this audit is complete, IT teams should categorise the data so that they are clear where sensitive personal data is stored, and where other, less sensitive data resides within the business. We recommend that once the data audit and categorisation are complete, a Data Map is drawn up to help both IT teams and business stakeholders understand the different sources, patterns and storage areas of data throughout the company – and, most importantly, who owns this data and is responsible for managing it.
Once the data understanding exercise is complete, the GDPR project team should take time to schedule and undertake regular risk assessments. This will help with understanding the level of risk the company is exposed to when processing data. At Wanstor, we believe that a proactive, risk-averse approach to GDPR is the way forward. This approach will ensure that senior management recognises the dangers associated with the loss, misuse, theft or compromise of customer data.
In summary, IT teams should lead the GDPR project for the business. They should take responsibility for making sure that their business, suppliers and partners have effective technical and organisational measures in place to ensure the security of data processing.