Many of our clients have been asking if we can help them get up to speed with the new General Data Protection Regulation (GDPR) legislation, which formally comes into force on 25th May 2018.
The answer is a resounding yes! Here’s a whistle stop tour of GDPR by my colleague, David Farquharson, and a summary of the key things you need to know…
What is GDPR?
GDPR is a new privacy law which governs the collection and use of data relating to all individuals within the EU. It will give people more rights and protection around how their personal data is processed, used and shared between and by organisations. It introduces strict requirements for organisations to notify the Information Commissioner’s Office (the UK independent authority) in the event of a data breach, tougher fines for non-compliance, and gives people more say on what companies can do with their data.
But what about Brexit? The UK government has confirmed that the decision to leave the EU will not affect the commencement of the GDPR. Furthermore, GDPR doesn’t affect just EU-based organisations – any business that processes the data of EU citizens must comply with the regulations, even if that data is processed outside of the EU.
The theory is simple. Data is property. If you lent someone something important to you and hoped that they’d keep it safe, you’d be understandably annoyed if they lent it to someone else without telling you or if, for example, they left it in an unsecured, public place, like the pub.
Where an individual entrusts an organisation with their personal data, GDPR aims to ensure that methods and structures are adopted so that an individual’s personal data is:
Why VCs should care about trade mark due diligence
- only used for purposes that the individual has expressly consented to;
- not used by third parties without the individual’s express consent; and
- not stored geographically in places that do not have robust data protection laws and systems in place.
Better reporting, audit and accountability measures are being implemented to allow the authorities to police organisations and for individuals to have more ongoing control over the use of their data (such as the right to be forgotten – the right of the individual to require an organisation to delete the data it holds on them).
What are the main things that are going to change?
Your organisation will likely need to change how it collects, manages and administers data. Under the GDPR, “personal data” is defined as “any information relating to an identified or identifiable natural person”. (Article 4, GDPR) – “identifiable” is the key word here and has a low bar. If anyone can identify a natural person using “all means reasonably likely to be used” (Recital 26) the information is personal data.
Some of the key things to be thinking about are:
- Ensure that you are not unnecessarily keeping and storing data that you no longer need
- You must have positive consent from an individual to use their data: this consent must be “free; unbundled and unambiguous” (Articles 4(11) and 6(1)(a)), i.e. don’t hide a request for consent in the small print of your Ts & Cs and be clear on the purpose for which the consent is being sought
- GDPR requires you to show how you enable compliance – e.g. by documenting the decisions you take about a data processing activity. You are responsible for everyone in your supply chain, so if you have a sub-contractor processing personal data, choose them with care
- You need to consider whether or not your organisation needs a “Data Protection Officer” who will have the ultimate say, above the CEO, on any decision an organisation might make on personal data
- If you’re dealing with personal data, be aware of the rights of the individual in respect of that data, e.g. people have the right to view and/or amend data upon request, or even have it destroyed under the “right to be forgotten”
What happens if there’s a data breach?
The GDPR is bringing in much more structured rules regarding the notification of data breaches. If there is a data breach, you must:
Fundraising for your tech startup? Ask yourself these three questions
- “not later than 72 hours after having become aware of it, notify the … breach to the supervisory authority” (Article 33(1))
- When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, notify the affected individuals “without undue delay” (Article 34)
A coordinated approach, including technology, breach response policy and training and wider staff training are absolutely key. Data breaches are increasingly a business as usual event, so it’s worth considering: lost or stolen devices that are not properly encrypted/passworded, emails sent to incorrect addresses in error, the continuing rise of cybercrime and phishing emails, etc.
What is the penalty if we fail to comply?
Supervisory authorities now have powers to undertake on-site data protection audits and to issue public warnings, reprimands and orders to carry out specific remediation activities. Companies that fail to comply are liable to a penalty of up to €20m or 4% of global annual turnover (whichever is greater).
What recommended actions should we take?
- Create awareness among the relevant group heads and decision makers in the business
- Audit and document the personal data you hold – is it still appropriate to hold that data? If not, get rid of it
- Document the decisions taken as to any data processing that is carried out
- Implementation of technical and organisational methods to protect data against unauthorised or unlawful processing
- Set up clear data use and data breach policies
- Implement training for all staff and put detailed confidentiality provisions in employees’ and consultants’ contracts
- Work with IT departments to set up such structures on (a) the online organisation of data; (b) regular internal audits to ensure that data being stored is still relevant and necessary; and (c) which departments can access data (particularly very sensitive data) will be required
We know that sounds like a lot but don’t panic. The new legislation is an opportunity for you to review how you currently process data and make sure you’ve got plans in place to make any changes necessary to be ready for May 2018. Compliance is an ongoing, dynamic process but through good planning; structure and teamwork, you’ll be fine.