With data breaches and their consequences in the news on a seemingly weekly basis these days, the whole subject of data protection has been given a much higher priority by UK businesses.
Regardless of the outcome of the referendum about whether to remain in the EU, by 2018 new data protection regulations will come into force for the UK, and for all companies worldwide that process the data of EU citizens. What else do you need to know about the long-awaited General Data Protection Regulation (GDPR)?
Here are some key points to remember...
More Things Count As Personal Data
GDPR will cover a much wider area in terms of what counts as personal data.
Under these new regulations, any data that could identify an individual, such as genetic, mental, cultural, economic or social information, will count as personal data.
Obtaining Valid Consent For Information Use Could Be A Challenge
Under the new regulations your organisation MUST be able to PROVE clear and affirmative consent to process personal data. This means that your organisation must remember to explain clearly and exactly what personal data it is collecting and how it will be processed and used. Your organisation will therefore need to make sure that this step is built into every occurrence of personal data collection without fail, and that the proof is stored and can be accessed quickly if necessary.
Many Organisations Must Appoint a Data Protection Officer (DPO)
If you are a public authority processing personal information, or if your main activity involves the regular and systematic monitoring of data subjects on a large scale, or if your main work involves the large-scale processing of special categories of data, you will need to appoint a DPO.
This person will of course need to be very familiar with all aspects of compliance with existing UK and the new EU regulations. This could therefore have an impact on staffing and resources (for training).
Privacy Impact Assessments (PIAs) Are Mandatory
Under the GDPR, Data Controllers must conduct PIAs where privacy breach risks are high, so that the risks to data subjects are minimised. This means that PIAs will be needed wherever risks to data subjects are to be minimised.
There Will Be a Common Data Breach Notification Requirement of 72 hours
Your organisation will need to have the capability and systems in place to enable it to monitor for, identify and notify the ICO of a data breach within 72 hours of discovering it.
All Data Subjects Will Have ‘The Right To Be Forgotten’
Your organisation must not hold data about a person for longer than is necessary, must not change the use of the data from the purpose for which it was originally collected (when consent was given for that specific purpose), and must delete any data about a subject at the request of that data subject. This gives subjects the right to opt out completely, i.e. ‘the right to be forgotten’.
Liability Goes Beyond Data Controllers
Under GDPR it won’t just be the Data Controller (DC) who is held liable for data processing issues.
Liability and responsibility will extend to all organisations that touch personal data.
Privacy Must Be Designed and Built-In To The System
Your software, your systems and processes must be designed around compliance with the principles of data protection every step of the way.
The Regulations Apply Wherever You Are In The World
Under GDPR, any European data protection authority is able to take action against organisations regardless of which country they are based in.
What Does This Mean For Your Business?
GDPR will mean that companies like yours will need to take a fresh look at how they deal with personal data.
Hardly any data will fall outside GDPR, which means you will need to take GDPR seriously and become very familiar with it and its implications. GDPR will mean, for example, that: