25th May 2018 sees the introduction of the General Data Protection Regulation (GDPR) courtesy of the European Union. While eagerly anticipated by some organisations, for many the daunting reality of the changes GDPR brings is rapidly setting in.
There might have been a brief period of post Brexit vote uncertainty about GDPR – but it will go ahead as planned. In the world of data management, it’s time to smell the coffee.
In this blog article, we summarise the main aspects of GDPR and what it will mean for the way organisations must manage their data. In essence, GDPR requires organisations to be far more accountable for how they use personal data, and gives data subjects more control. And, just in case you were wondering, compliance is not optional.
At a glance, GDPR can be broken down into four key areas – we’ll look at each and what they could mean for your organisation:
Whilst the (current) Data Protection Act 1998 states the requirement for fair and lawful processing, GDPR goes further, focusing extensively on ensuring data subjects know, understand and agree to exactly what their data are being used for.
What does this mean for you? GDPR requires that information on how data are used be made available in a way that is ‘concise, easily accessible and easy to understand, and in clear and plain language’ (Article 11). Hiding uses of data in pages of complex, unreadable terms and conditions will not be acceptable. The reasons for collecting each type of data must be made clear.
Choice, consent and the freedom to make decisions about what happens to one’s own data are a key theme running through GDPR. Whilst data controllers may need to gain data subject consent for some of their processing under the current regime, GDPR takes it to a whole new level. Key to this is the word ‘informed’.
What does this mean for you? You’ll need to be aware of data subjects’ rights (see below). Clarity will be essential. Data subjects must be able to understand who the data controller (the organisation holding the data) is, what they are going to do with the data they are collecting and how they, as an individual, can change their mind about the processing. Requiring mandatory fields of personal data will be much harder to justify.
Whilst it may seem obvious that data should be afforded appropriate protection from unauthorised access, GDPR talks extensively about protecting networks and data, stating: ‘Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing’ (Recital 39).
What does this mean for you? It is the responsibility of the data controller to determine what is adequate for the data they hold; GDPR does not set out particular standards to be met. If security cannot be evidenced through regular assessment, testing and, where appropriate, improvement, data controllers can reasonably expect harsher action from regulators in the event of a data breach.
Introducing administrative fines of up to 20 million euros or, in the case of an undertaking, up to 4% of global turnover for the previous financial year (whichever is higher), GDPR offers significant scope for causing financial pain to organisations that fail to comply. To put this into perspective, TalkTalk were fined £400,000 under the DPA; under GDPR they could have been fined as much as £70m.
What does this mean for you? Non-compliance could be very expensive, and the potential for a meaningful fine means that, on financial grounds alone, GDPR must be taken very seriously; there is much work to be done before May 2018. Regulators may introduce their own approach to applying fines, but in economically challenging times we can expect examples to be made of those failing to comply. Don’t let it be you.
Data subject rights
These are of significant importance in the Regulation. They are: the right to be informed, to rectification, to access, to erasure, to restrict processing, to data portability, the right to object and, finally, rights in relation to automated decision making and profiling.
The Regulation abolishes charges for access to personal data, a change some data controllers may feel the impact of. Emphasis is placed in the Regulation on data subjects being able to access their own data in electronic form (where possible) through remote access to secure systems.
The Regulation encompasses all data processing within the EEA, rather than just that carried out by controllers located within its borders. This should offer assurance to individuals that businesses cannot relocate outside the area to escape its clutches while continuing to process data within it.
Don’t leave it to the last minute or to chance. It’s a huge data management undertaking, but it is possible to manage and to achieve compliance.
Our top three actions are:
- Conduct a gap analysis to identify the steps you need to take to comply.
- Review existing arrangements with suppliers to ensure they offer adequate protection for your data and that the legal bases on which they may carry out processing for you are valid under the new regulation.
- Review the data storage you own to ensure personal data cannot be accessed unlawfully.
Above all, don’t panic. Plan and prepare early, but make sure you have the resources in place for your organisation to grow and adapt so that compliance is maintained.
Coming soon: The next Ascentor GDPR article will provide a more detailed checklist to help you identify your gaps in complying with GDPR.
For further information
If you have found this article of interest, the Ascentor blog regularly carries articles about Information Assurance (IA) and cyber security issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter.
If you’d like to discuss the topic of GDPR and data protection in more depth or any aspect of IA and cyber security, please contact Dave James at Ascentor.
Office: 01452 881712
This is a guest blog for Ascentor, written by Arianne Kitchener LLB.