The General Data Protection Regulation (GDPR) is a piece of legislation that will affect almost every organisation, each in a different way, yet more than half of European companies are not aware of the new Regulation coming into force in May 2018.
What is the GDPR all about?
The GDPR is a Regulation that aims to strengthen, standardise and unify the rules on data protection and data processing. It will apply directly throughout the EU from 25 May 2018, without needing to be implemented by the Member States through national law. The Regulation aims to:
• harmonise the current legal framework, which is fragmented across Member States;
• return control over personal data back to the users; and
• introduce new Data Protection Officers to supervise the storage and processing of personal data.
Does it affect me?
Most likely, yes. You may not be aware of it, but almost every modern app, website and online service involves personal data processing. This is why, under current data protection laws, everyone responsible for using personal data already has to follow strict rules called ‘data protection principles’.
Come May 2018, this may not be good enough.
If you use personal data in any capacity — by storing it, transferring it, analysing it or even simply holding it to carry out an online transaction — you will be dealing with data processing.
What is the new Data Protection Officer (DPO) and do I need one?
The GDPR requires companies to nominate a data protection officer (“DPO”) under certain circumstances. Even a relatively small start-up may need to nominate a DPO if its core activities involve “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data” (as per article 37 of the GDPR).
There is no legal requirement for a DPO to hold any official qualification, but the Regulation expects them to have expert knowledge of data protection law and practice, proportionate to the processing the organisation carries out.
The DPO’s job is to inform and advise the business on its data protection obligations, to monitor its compliance with the data protection rules (including how personal data is stored and secured), and to act as the point of contact for the supervisory authority.
What do I have to tell my customers?
The GDPR requires that companies give certain information to individuals about the processing of their personal data. Examples of this type of information include the identity of the company processing their data, and the contact details of the relevant DPO, where applicable.
In addition, customers will need to be informed of the legal basis for such processing. Individuals will have a much greater say in how their data may lawfully be used: they can withdraw consent where processing is based on consent, and object to processing carried out on the basis of the company’s “legitimate interests”. You will have to allow consent to be withdrawn at any point, and to apply the most privacy-protective settings by default (data protection by default). Your users will also be able to request that their personal data be erased from your databases and services, subject to limited exceptions (for example where you are legally required to retain it).
You will also have to notify the regulator of a personal data breach (within 72 hours of becoming aware of it, where feasible) unless the breach is unlikely to result in a risk to individuals, and tell the affected users without undue delay where the breach is likely to result in a high risk to them.
The rules on transferring data to other organisations, or outside the EU, are stringent and require the controller to take full responsibility for proper and secure handling, supported by effective due diligence and contractual measures.
The changes introduced by the GDPR will ultimately require a substantial review of privacy policies and statements, which will include any contracts that you might have with sub-contractors who process personal data on your behalf (such as cloud service providers).
What do I need to know?
Start documenting your data processing practices. Start defining the categories of data, the purpose of the data and who has responsibility for the data.
Everything from a simple loyalty card app to a multi-layered customer profiling system will have to closely trace what happens to every piece of personal data.
Even if you are not obligated to nominate a DPO at present, it might still make sense to nominate a member of your staff internally as soon as possible, as doing so will help to focus implementation and drive accountability.
Start thinking about potential risk areas. The GDPR implements the so-called risk-based approach, which means that the greater the risks posed to the privacy rights of individuals, the more safeguards and transparency will be needed.
Today, many apps simply take the required user data and run it through a variety of algorithms, spreading chunks of data across a number of databases (e.g. for sales, user profiling, purchasing behaviour, statistics or usage history). Under the GDPR, every one of those data flows has to be identified, justified and protected, and the more places personal data ends up, the more you have to account for.
All organisations will be expected to build privacy and data protection into new products and services from the start (privacy by design). Data protection impact assessments (the GDPR’s term for privacy impact assessments) must be carried out where processing is likely to result in a high risk to individuals, in particular when considering new arrangements that involve sensitive data fields or large volumes of personal data.
What if I’ve got any questions?
We’re here to help! The new Regulation will require major changes and a substantial data protection review. It will affect almost all businesses in the UK and across Europe, with global ramifications for international companies based here.
We understand that this may be a daunting process, which is why you should start preparing for the GDPR early. Our team can assist you in preparing for the Regulation: we can carry out a privacy impact assessment for your organisation, help you develop effective organisational controls and governance structures, and draft the data processing documentation the GDPR requires, enabling you to achieve compliance.