The General Data Protection Regulation (GDPR) is a regulation by which the European Parliament, the European Council and the European Commission intend to strengthen and unify data protection for individuals within the European Union. It also addresses export of personal data outside the EU. The primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. When the GDPR takes affect it will replace the data protection directive from 1995.
The regulation was adopted on 27 April 2016. It enters into application 25 May 2018 after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by national government.
The Principles of GDPR
The principles are similar to those in the DPA, with added detail at certain points and a new accountability requirement. The GDPR does not have principles relating to individuals’ rights or overseas transfers of personal data – these are specifically addressed in separate articles.
Key Principles that GDPR sets out to enforce and businesses will need to prepare for by May 2018
• The right to be informed
• The right of access
• The right to rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling
The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance.
Companies are expected to put into place comprehensive but proportionate governance measures. Good practice tools such as privacy impact assessments and privacy by design are now legally required in certain circumstances.
Ultimately, these measures should minimise the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organisations, although many organisations will already have good governance measures in place.
Breach of regulations and fines imposed
The GDPR will introduce a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected. A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. There are limitations and circumstances of what counts as a “reportable breach”.
A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period and allows you to provide information in phases.
If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.
Consequences of a Breach
The GDPR establishes a tiered approach to penalties for breach to impose fines for some infringements of up to the higher of 4% of annual worldwide turnover and EUR 20 million (e.g. breach of requirements relating to international transfers or the basic principles for processing, such as conditions for consent). Other specified infringements would attract a fine of up to the higher of 2% of annual worldwide turnover and EUR 10m. Consideration will be made when imposing fines such as the nature, gravity and duration of the infringement. Compared to current DPA fines of maximum £300k historically these figures certainly attract the attention of the Board. Due to the global nature of the fines, even if a company’s breach occurs in one of its EU locations, the entire business will be fined, not just the EU arm of an operation.
The GDPR catches data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (even if for free) to, or monitoring the behaviour (within the EU) of EU data subjects. Many will need to appoint a representative in the EU. This means in practice that a company outside the EU which is targeting consumers in the EU will be subject to the GDPR. This is not the case currently. Even after Brexit therefore UK will still fall under the regulation.
Example Resources we can supply to comply with GDPR
Data Protection Officers: In certain circumstances data controllers and processors must designate a Data Protection Officer (the DPO) as part of their accountability programme
Business Analysts, Project Managers, Programme Managers:
These will be required to conduct fit gap analysis and exploratory investigation into current business models versus likely GDPR requirements and to then deliver against the findings.
Cyber Security, Information Security, Data Analyst, Reporting Analysts, Systems Analysts: Data is most likely held on servers, whether physical, virtual or in the cloud – either by the controlling company or the processing company. The robustness, security, storage and reporting abilities of systems in place will need amending to allow for GDPR compliance for the Principles listed above. The GDPR remit is a combination of business governance and systems implementations and reporting structures. Data Portability will be a key element for any given IT system.
The opportunity for the market: Instead of being frightened by the possible fines our more prepared clients and industry leaders are seeing this as an opportunity that with a pragmatic approach, there can be a positive review of current processes and systems that will enable upgrades and improvements such as Privacy by Design, e.g. when designing new systems Privacy and Data Protection is intrinsic not a bolt on or afterthought.
Church International’s capability: We are supplying GDPR expertise into our Clients and have built up a good network of GDPR Resources to assist businesses to comply with GDPR. We are also working in partnership with leading Cyber Security and Data Protection experts Neira Jones – https://www.linkedin.com/in/neirajones/ and Darren Roberts – https://www.linkedin.com/in/darrenroberts/ to deliver a series of Breakfast Seminars at Eight Bank. These round table discussions are designed to help you understand the pitfalls of and get some practical advice on preparing for GDPR and knowledge share with your peer group on this important topic
If you are looking at the implications of GDPR across your organisation and how the regulations will affect specific markets you can contact me on 01622 620713, email me at firstname.lastname@example.org or https://www.linkedin.com/in/simonlongchurchint/
Click on a social media icon below to share and make a comment