What is the GDPR?
On 25 May 2018, the European Parliament, the Council of the European Union and the European Commission will implement the General Data Protection Regulation 2016 (“GDPR”) across all countries in the EU (the UK Government has confirmed this will include the UK). GDPR will also apply to any organisation operating outside the EU which offers goods or services to individuals inside the EU.
GDPR is intended to establish one single set of rules across Europe which will make it simpler and cheaper for organisations to do business in all EU countries.
GDPR introduces further protection for individuals and additional compliance obligations for organisations that collect and store data, with increased fines as the penalty for failure to comply.
GDPR applies to all “personal information” kept by an organisation in relation to its staff or clients.
What will change?
- EU businesses will have a “one stop shop” to report to: they will only have to deal with a single supervisory authority (the Information Commissioner’s Office (ICO)) and not a separate one for each Member State
- GDPR’s definition of “personal information” is more detailed and makes it clear that information such as an online identifier (e.g. an IP address) is considered personal data and this includes both automated and manual filing systems
- Higher standards of consent will be required: organisations relying on consent (where an organisation has no other lawful basis for collecting and processing personal data) will need to demonstrate that consent has been freely given by the individual and to keep a record of it
- A breach must be reported to the relevant regulator (the ICO) within 72 hours of the organisation becoming aware of it, if the breach risks the rights and freedoms of individuals
- Maximum penalties of 4% annual global turnover or €20 million (whichever is higher) for failure to comply / any breach of the regulation
- A requirement to appoint a Data Protection Officer (“DPO”) for organisations processing large amounts of personal data as their core business
- Organisations will have to carry out Data Protection Impact Assessments if their activities are likely to result in a high risk for the rights and freedoms of individuals
- New rights around data portability and protection from profiling; an individual also has the right to be forgotten
- Controllers are prohibited from setting defaults to disclose all data
- Data processing will need to be carried out for the original purpose that the data was obtained for
- Data processors will need to show that they comply and maintain all records
- Parental consent will be required to collect children’s information for under-16s; however, a Member State may lower this age to under-13s
How to prepare your organisation for the GDPR
Awareness: Raise awareness of GDPR in the organisation, making sure all decision makers and key members of your organisation are trained and understand the reasoning behind the new legislation, their responsibilities and the consequences of breaches. Establish an accountability framework and a culture of monitoring, reviewing and assessing your data.
Review information you hold: Review the personal information you currently hold and document where it came from and who you share it with. GDPR will require organisations to keep a record of all data collected and processed. Consider the legitimate legal grounds for keeping each piece of data.
Individual rights: Provide as much information as possible to individuals about how their data is being used and check to see that all procedures cover the following rights of individuals:
- To be informed
- Of access
- To rectification
- To erasure
- To restrict processing
- To data portability
- To object
- Not to be subject to automated decision making including profiling
Review your communication: Ensure privacy policies, notices, terms and conditions and any data processor agreements are GDPR compliant; all information should be plain and clear.
Review data security measures: Review and, as needed, update the process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures that ensure the security of the data processed.
Privacy by Design – know when to complete a DPIA: It will be mandatory to carry out Data Protection Impact Assessments where data processing is likely to result in a high risk to individuals, e.g. where a new computer system or database is introduced. This involves identifying and minimising the privacy risks of new projects.
Appoint a DPO: Designate someone to take responsibility for data protection compliance and who can give advice and act as a point of contact between the organisation and the ICO. The DPO must ensure all breaches are reported to the ICO.
Cross-border data transfers: Ensure that any international data transfers (including intra-group transfers) have a legitimate basis when the destination jurisdiction does not have data protection regulations as adequate as those in the UK.
Should you have any queries or wish to discuss the implications of the new beneficial ownership requirements please contact us at firstname.lastname@example.org.