The text of the General Data Protection Regulation was agreed as far back as 2015, and the regulation applies from 25 May 2018, which is the date from which the details in this GDPR summary take effect. From this date, any business or organisation which is required to comply with the GDPR, and fails to do so, could be subject to fines and other sanctions. The level of fine imposed will be decided by the relevant Data Protection Authority (DPA), although DPAs are expected to coordinate with each other, in order to ensure a level of consistency across the EU.
This level of consistency is an important reason for the creation of the GDPR. It has also been created to give individuals in the EU more control over how their personal data is used.
What does the GDPR mean for businesses and organisations?
As we mentioned earlier, failure to comply with the stipulations of the GDPR could mean that a business or organisation is faced with a significant fine. The maximum fine which can be imposed is 20 million Euros, or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. It's unlikely that this level of fine will be imposed very often, if at all, but high level fines are possible if businesses fail to meet GDPR requirements.
It's also important to note that the GDPR does not just apply to businesses or organisations which are based within the EU. Any business which offers goods or services to individuals in the EU, or monitors their behaviour, will need to comply with the regulation when processing their personal data, no matter where in the world it's based. It is possible, in principle, for a business or organisation to ensure GDPR compliance only in respect of data processing involving individuals in the EU. But realistically, operating different processes and procedures for different sets of customers presents logistical issues. This is why most businesses will most likely choose to satisfy GDPR requirements in respect of all customers.
Do you need a Data Protection Officer in your business or organisation?
One of the important details to consider, as part of this GDPR summary, is whether or not a business or organisation is required to put a Data Protection Officer (DPO) in place. The GDPR stipulates that a DPO is required for public authorities, and for any business whose core activities involve regular and systematic monitoring of data subjects on a large scale, or the processing of special categories of personal data (or data relating to criminal convictions) on a large scale.
These requirements are not as restrictive as those that were first suggested. However, it's worth noting that member states of the EU have the ability to impose their own additional requirements when it comes to DPOs. It's also worth noting that having a DPO in place can be a good thing. They should have the experience and expertise to help your business or organisation ensure that it complies with the GDPR. The GDPR does not stipulate what qualifications a DPO should have, but it does stipulate that they should have expert knowledge of data protection law and practice, and know how to implement effective data protection processes and procedures. If you are placing someone in this role in your business or organisation, you need to ensure that they have this required knowledge.
Reporting data breaches
Another requirement, which you are likely to see mentioned in any GDPR summary, is the reporting of a data breach. Businesses or organisations must report personal data breaches to the relevant DPA without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects involved. It's important to note that the 72 hours starts as soon as the business or organisation could reasonably be considered to be aware of the fact that a data breach has occurred. If the notification is made later than 72 hours, it must be accompanied by the reasons for the delay.
Businesses or organisations are also required to inform the affected data subjects, without undue delay, where the breach is likely to result in a high risk to their rights and freedoms. This communication to data subjects is not required if the controller has subsequently taken measures which mean the high risk is no longer likely to materialise, or if the breached data has been rendered unintelligible to anyone not authorised to access it, for instance because it was encrypted and the keys were not compromised. Where contacting each data subject individually would involve disproportionate effort, a public communication or similar measure which informs them equally effectively may be used instead.
The subject of consent in a GDPR summary
When it comes to looking at the content of the GDPR, consent is an important aspect to consider. The first thing that it's important to say is that it is not always necessary to have consent in order to process personal data; there are other lawful bases for doing so, such as the performance of a contract or a legal obligation. But, if you are basing your data processing on having consent in place, there are certain things that you need to ensure:
- Consent is freely given, specific, informed and unambiguous. Where special categories of personal data are processed on the basis of consent, it must be explicit.
- The data is only used for the purpose for which consent was provided.
- Consent is not buried in other information, such as lengthy terms and conditions; the request must be clearly distinguishable from other matters.
- The data subject has taken a clear affirmative action in order to provide consent. This means that pre-ticked boxes, silence or inactivity are not valid means of obtaining consent.
Do not forget that if you are relying on consent as the lawful basis for processing personal data, you need to be able to demonstrate that you have consent, and how and when it was provided. This means that you need to keep a record of all of this information, including what the data subject was told at the time.
You also need to make it as easy for a data subject to withdraw consent as it was to give it, at any time. For instance, if someone has provided you with consent to send them a regular newsletter from your business or organisation, you need to ensure that they are able to opt out of receiving the newsletter at any time, easily and quickly. Once they have withdrawn consent, you should no longer continue to hold or process the personal data they provided for that purpose, unless you have another lawful basis for doing so. Withdrawal does not, however, affect the lawfulness of processing carried out before it.
The right to be forgotten
You may have heard that data subjects have the right to be forgotten (the right to erasure) under the GDPR. This means that a data subject can ask you to delete personal data that your business or organisation holds about them. This does not necessarily mean that you have to delete the information. You may have a legitimate reason for continuing to process it, such as the establishment or defence of legal claims, a legal obligation to retain it, or the fact that the information is required for the performance of a contract between you, as a data controller, and the data subject.
If you do not have a legitimate reason for continuing to process the data, you should delete it as requested, and if you have made the data public you should also take reasonable steps to inform other controllers processing it of the request. Independently of any request, you should delete data that you are no longer using for its original purpose, unless you have another legitimate reason for continuing to hold it. This is a good thing, as the less personal data you process, the lower the amount of risk should you ever experience a data breach.
What are Data Protection Impact Assessments?
An important part of complying with the GDPR is recognising high risk data and processing. This is when the type of data which is being processed, or the processing itself, is likely to present a high risk to the rights and freedoms of the data subjects involved, for example large-scale processing of special categories of data or systematic monitoring of a publicly accessible area. Data Protection Impact Assessments (DPIAs) are used to help establish the level of risk, and the impact, involved, and must be carried out before such processing begins. When high levels of risk are identified, it's necessary for the business or organisation to put measures in place to mitigate the risk. If the risk remains high after any mitigation, the business or organisation must consult the DPA before the data is processed.
The right of data portability
The right of data portability is a new right which has been granted to data subjects as a result of the GDPR. It means that, where processing is carried out by automated means and is based on consent or on a contract, data subjects have the right to receive a copy of the personal data they have provided to a business or organisation, in a structured, commonly used and machine readable format. They also have the right to have that data transmitted directly to another controller, where this is technically feasible. This means that the customers of your business or organisation can send this personal data to anyone they choose, including your competitors.
Dealing with subject access requests
Subject access requests (SARs) already exist. But, the rules for dealing with them are a little different under the GDPR. A business or organisation must respond to a SAR without undue delay and, at the latest, within one month of receipt. This timescale can be extended by up to two further months if the request is especially complex or the organisation has received a number of requests, but the data subject must be told of the extension, and the reasons for it, within the first month. Businesses and organisations are also no longer permitted to charge for dealing with a SAR, unless the request is manifestly unfounded or excessive.
Hopefully, you have found this GDPR summary useful in helping your business or organisation prepare for the arrival of the GDPR. Compliance with the regulation is vital, so if you have any doubts about any aspect of it, it's a good idea to take a look at the information provided by the relevant DPA for more in-depth advice and support.