What You Need to Know about the New EU General Data Protection Regulation?

The new General Data Protection Regulation (GDPR) is a piece of legislation that will seriously affect every organisation in different ways, yet more than half of European companies are not aware of the new Regulation coming into force in May 2018.

What is the GDPR all about?

The GDPR is a Regulation aiming to strengthen, standardise and unify the rules concerning data protection and data processing. The Regulation will be directly applicable throughout the EU from 25 May 2018, without requiring implementation by the EU Member States through national law. The Regulation aims to:

• harmonise the current legal framework, which is fragmented across Member States;
• return control over personal data back to the users; and
• introduce new Data Protection Officers to supervise the storage and processing of personal data.

Does it affect me?

Most likely, yes. You may not be aware of it, but almost every modern app, website or online service involves personal data processing. This is why, under current data protection laws, everyone responsible for using data has to follow strict rules called ‘data protection principles’.

Come May 2018, this may not be good enough.

If you use personal data in any capacity — by storing it, transferring it, analysing it or even simply holding it to carry out an online transaction — you will be dealing with data processing.

What is the new Data Protection Officer (DPO) and do I need one?

The GDPR requires companies to nominate a data protection officer (“DPO”) under certain circumstances. Thus even a relatively small start-up may need to nominate a DPO if their core activities involve “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data” (as per article 37 of the GDPR).

There is no legal requirement for a DPO to hold any official qualifications but they are expected to have reasonable knowledge and experience to fulfil their duties.

The DPO will need to ensure that the data is stored properly and that the business complies with the data protection rules and regulations.

What do I have to tell my customers?

The GDPR requires that companies give certain information to individuals about the processing of their personal data. Examples of this type of information include the identity of the company processing their data, and the contact details of the relevant DPO, where applicable.

In addition, customers will need to be informed of the legal basis for such processing. Individuals will have a much greater say in determining how their data may be lawfully used, with active rights to change consent-based processing and rights to object to processing based on “implied” rights (i.e. legitimate interests). You will have to allow consent to be withdrawn at any point, and security and privacy settings will have to be set to a high level by default. Your users will also be able to request that all their data be erased from your databases and services.

You will also have to tell your users about any data security breach, as well as inform the regulator about it.

The rules on transferring data to other organisations, or outside Europe, are stringent and require the controller to take full responsibility for proper and secure handling, supported by effective due diligence and contractual measures.

The changes introduced by the GDPR will ultimately require a substantial review of privacy policies and statements, which will include any contracts that you might have with sub-contractors who process personal data on your behalf (such as cloud service providers).

What do I need to know?

Start documenting your data processing practices. Start defining the categories of data, the purpose of the data and who has responsibility for the data.

Everything from a simple loyalty card app to a multi-layered customer profiling system will have to closely trace what is happening with every piece of data.

Even if you are not obligated to nominate a DPO at present, it might still make sense to nominate a member of your staff internally as soon as possible, as doing so will help to focus implementation and drive accountability.

Start thinking about potential risk areas. The GDPR implements the so-called risk-based approach, which means that the greater the risks posed to the privacy rights of individuals, the more safeguards and transparency will be needed.

Now, many apps simply take the required user data and process it in a variety of different algorithms, putting chunks of data into a number of databases (e.g. for sales, user profiling, purchasing behaviour, statistics or usage history).

All organisations will be expected to promote privacy and data protection compliance from the start when creating new products and services. Privacy impact assessments must be carried out as a matter of routine, especially when considering new arrangements that may involve handling sensitive data fields, or large volumes of personal data.

What if I have any questions?

We’re here to help! The new Regulation will require major changes and substantial data protection review. It will affect almost all businesses in the UK and across Europe, with some global ramifications for international companies based here.

We understand that this may be a daunting process, and that is why you should start preparing for the GDPR early. Our team can assist you in preparing for the Regulation. We can carry out a privacy impact assessment for your organisation, help you develop effective organisational controls and governance structures, and draft all the data processing documentation required by the GDPR, enabling you to achieve compliance.


The Legal Stop

David Cameron: Intelligence Agencies Work within Law

According to PM David Cameron, intelligence agencies operate within the law.

There are allegations that certain agencies have gathered and shared phone records and internet data.

It has still not been confirmed or denied whether GCHQ was given access to a US spy programme called Prism, but America’s National Security Agency and the FBI are expected to get access to the systems of Google, Facebook, Skype, Microsoft and some of the world’s other top internet companies. These companies all said they would not give the US government access to their servers.

Mr. Cameron stated that the UK’s intelligence agencies kept people safe while at the same time operating within the law. The Legal Stop also keeps its clients safe and helps them find a wide variety of business documents, corporate documents, employment documents and HR documents.

According to Conservative MP Sir Malcolm Rifkind, under British law such agencies need ministerial authority before they can look at the content of British citizens’ emails.

The number of intelligence reports produced by GCHQ rose by 137% in the 12 months to May 2012.

However, the minister with responsibility for GCHQ announced that UK citizens had nothing to worry about.

Shadow foreign secretary Douglas Alexander told Today: “These agencies do vital work for us week in and week out. But it’s also vital that the public have confidence that they are operating in a framework of legality.”

Conservative MP Dominic Raab expressed the view that these developments had seriously affected public perception, and that public confidence would erode as a result.

The Fourth Amendment to the US Constitution protects the content of people’s phone conversations.

Government officials may scoop up information on duration and timing of certain calls.

Mr. Obama announced that the surveillance programmes would protect the US from terrorist attacks.