The text of the General Data Protection Regulation (GDPR) was agreed as far back as 2015, and the regulation becomes law on 25 May 2018. From this date, any business or organization which is required to comply with the GDPR and fails to do so could be subject to fines and other sanctions. The level of fines imposed will be decided by the relevant Data Protection Authority (DPA). Discussion between DPAs is expected in order to ensure a level of consistency across the EU.
This level of consistency is an important reason for the creation of the GDPR. It has also been created to give those located within the EU more control over the use of their personal data.
What does the GDPR mean for businesses and organizations?
As we mentioned earlier, failure to comply with the stipulations of the GDPR could mean that a business or organization is faced with significant fines. The maximum fine which can be imposed is €20 million or 4% of annual global turnover, whichever is greater. It is unlikely that this level of fine will be imposed very often, if at all, but high-level fines are possible if businesses fail to meet the GDPR requirements.
It is also important to note that the GDPR does not just apply to businesses or organizations which are based within the EU. Any business which is involved in the processing of the personal data of individuals within the EU will need to comply with the regulation, no matter where in the world the organization is based. Of course, it is possible for businesses or organizations to ensure GDPR compliance only in respect of processing data originating from within the EU, but realistically, operating different processes and procedures for different sets of customers presents logistical issues. This is why some businesses may choose to apply the GDPR requirements to the data of all of their customers.
Do you need a Data Protection Officer in your business or organization?
One of the important details to consider as part of this GDPR summary is whether or not a business or organization is required to hire a Data Protection Officer (DPO). The GDPR stipulates that any business with more than 250 employees, and any smaller organization whose processing of personal data includes regular and systematic monitoring of data subjects or the processing of sensitive personal data on a large scale, needs to have a DPO in place.
These requirements are not as restrictive as those that were first suggested. However, it is worth noting that member states of the EU have the ability to impose their own requirements when it comes to DPOs. It is also worth noting that having a DPO in place can be a good thing. They should have the experience and expertise to help your business or organization to ensure that it complies with the GDPR. The GDPR does not stipulate what qualifications a DPO should have, but it does stipulate that they should have in-depth knowledge of the GDPR and know how to implement effective data protection processes and procedures. If you are placing someone in this role in your business or organization, you need to ensure that they have this required knowledge.
Reporting data breaches
Another requirement which is essential to include in any GDPR summary is how to report a data breach. Businesses or organizations must report data breaches to the relevant DPA within 72 hours of discovery unless the breach will not result in a risk to the rights and freedoms of the data subjects involved. It is important to note that the 72 hours starts as soon as the business or organization could reasonably be considered to be aware of the fact that a data breach has occurred.
Businesses or organizations are also required to report the breach to the affected data subjects without undue delay. The method of reporting depends on the risk level involved. For instance, if the controller has mitigated the risk, or if the data that has been breached is encrypted, it may only be necessary for the business or organization to make a general public announcement regarding the breach.
The subject of consent in a GDPR summary
When it comes to looking at the content of the GDPR, consent is an important aspect to consider. The first thing to say is that it is not always necessary to have consent in order to process personal data; there are other lawful grounds for doing so. If you are basing your data processing on having consent in place, there are certain things that you need to ensure:
- Consent is explicit and informed.
- The data is only used in respect of the reason for which consent was provided.
- Consent is not provided as part of agreeing to other information, such as lengthy terms and conditions.
- The data subject has taken an action in order to provide consent. This means that the use of pre-checked tick boxes is not a legal means of obtaining consent.
Do not forget that if you are using consent as the justification for processing personal data, you need to be able to prove that you have consent and how and when it was provided. This means that you need to keep a record of all of this information.
You also need to make it easy for a data subject to withdraw consent at any time. For instance, if someone has provided you with consent to send them a regular newsletter from your business or organization, you need to ensure that they are able to opt out of receiving the newsletter at any time, easily and quickly. Once they have opted out, you should no longer continue to hold or process any of the personal data they have provided, unless you have another legitimate reason for doing so.
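The consent requirements above (explicit, purpose-bound, obtained by an affirmative action, provable with a record of how and when it was given, and easy to withdraw) translate directly into a small data model. The following consent ledger is an added example written for this summary; it is not code from the original article or from any regulator. The class names, the newsletter purpose string and the evidence strings are assumptions chosen for illustration. The ledger rejects anything that is not an affirmative action, binds each consent to one purpose, keeps a timestamped audit trail, and gates processing so that nothing runs once consent has been withdrawn.

```python
"""Consent ledger illustrating GDPR consent requirements (added example, hypothetical names)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass
class ConsentRecord:
    """One act of consent, kept as evidence of how and when it was obtained."""
    subject_id: str
    purpose: str                       # consent is scoped to exactly one purpose
    granted_at: datetime
    evidence: str                      # e.g. form identifier and the wording shown
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """Append-only record of consents; withdrawals are recorded, not deleted."""

    def __init__(self) -> None:
        self._records: list[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str, affirmative_action: bool,
                       evidence: str, at: Optional[datetime] = None) -> ConsentRecord:
        # A pre-checked box or consent bundled into terms is not an affirmative action.
        if not affirmative_action:
            raise ValueError("consent requires an affirmative action by the data subject")
        rec = ConsentRecord(subject_id, purpose, at or datetime.now(timezone.utc), evidence)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> int:
        """Mark every live consent for this subject and purpose as withdrawn; return the count."""
        at = at or datetime.now(timezone.utc)
        count = 0
        for rec in self._records:
            if rec.subject_id == subject_id and rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = at
                count += 1
        return count

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """True only if a consent for this exact purpose exists and has not been withdrawn."""
        return any(r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records)

    def proof(self, subject_id: str, purpose: str) -> list[ConsentRecord]:
        """The audit trail a DPA could ask for: when and how consent was given and withdrawn."""
        return [r for r in self._records if r.subject_id == subject_id and r.purpose == purpose]


def process_with_consent(ledger: ConsentLedger, subject_id: str, purpose: str, action):
    """Gate: run the processing action only while live consent for that purpose exists."""
    if not ledger.has_consent(subject_id, purpose):
        return None
    return action()


def demo_newsletter() -> dict:
    """Walk through grant, purpose mismatch, rejected pre-checked box, and withdrawal."""
    ledger = ConsentLedger()
    subject = "subject-0001"                      # constructed sample identifier
    ledger.record_consent(subject, "newsletter", affirmative_action=True,
                          evidence="signup form v3, box ticked by user",
                          at=datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc))
    out = {}
    out["sent_before_withdrawal"] = process_with_consent(
        ledger, subject, "newsletter", lambda: "newsletter sent")
    # Consent given for the newsletter does not cover a different purpose.
    out["profiling_blocked"] = process_with_consent(
        ledger, subject, "profiling", lambda: "profile built") is None
    try:
        ledger.record_consent(subject, "profiling", affirmative_action=False,
                              evidence="pre-checked box")
        out["prechecked_rejected"] = False
    except ValueError:
        out["prechecked_rejected"] = True
    out["withdrawn_count"] = ledger.withdraw(
        subject, "newsletter", at=datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc))
    out["sent_after_withdrawal"] = process_with_consent(
        ledger, subject, "newsletter", lambda: "newsletter sent")
    out["proof_entries"] = len(ledger.proof(subject, "newsletter"))
    return out


if __name__ == "__main__":
    print(demo_newsletter())
```

The withdrawal is recorded rather than erased so the ledger can still show when consent existed; the personal data itself is handled separately and, as the text says, should no longer be held or processed once the only lawful ground was the consent that has been withdrawn.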
The right to be forgotten
You may have heard that data subjects have the right to be forgotten under the GDPR. This means that anyone can ask you to delete personal information that your business or organization holds. This does not necessarily mean that you have to delete the information. You may have a legitimate reason for continuing to process it, such as ongoing legal action, the fact that the information is required as part of a contract between you, as a data controller, and the data subject, or another legal reason.
If you do not have a legitimate reason for continuing to process the data, you should delete it as requested. You should also delete any data that you are no longer using for its original purpose, unless you have another legitimate reason for continuing to hold the data. This is a good thing, as the less personal data you process, the lower the amount of risk should you ever experience a data breach.
What are Data Protection Impact Assessments?
An important part of complying with the GDPR is recognizing high-risk data and processing activities. This is when the type of data which is being processed, or the processing itself, presents a high risk to the rights and freedoms of the data subjects involved. Data Protection Impact Assessments (DPIAs) are used to help establish the level of risk and the impact involved. When high levels of risk are identified, the business or organization must mitigate the risk. If there does not seem to be any possible mitigation, the business or organization must seek advice from the DPA before the data is processed.
The right of data portability
The right of data portability is a new right which has been granted to data subjects within the EU as a result of the GDPR. It means that data subjects have the right to receive a copy of all of their personal data that is held by a business or organization in an electronic, machine-readable format. This means that the customers of your business or organization can then send this personal data to anyone they choose, including your competitors. Indeed, companies can be requested to send the information directly to competitors, and they must comply.
Dealing with subject access requests
Subject access requests (SARs) already exist but the rules for dealing with them are a little different under the GDPR. A business or organization must respond to a SAR within one month. The timescale for a more complete response can be extended by up to two months if the SAR is especially complex. Businesses and organizations are also no longer permitted to charge for dealing with a SAR, unless the request is unfounded or excessive.
Hopefully, you have found this GDPR summary useful in helping your business or organization prepare for the arrival of the GDPR. Compliance with the regulation is vital, so if you have any doubts about any aspects, it is a good idea to take a look at the information provided by the relevant DPA for more in-depth advice and support.