In preparation for the General Data Protection Regulation (GDPR) content and services that Greenstone will offer through our SupplierPortal solution, we are publishing an educational series on GDPR.
Our GDPR series will be made up of four parts:
- Part 1: GDPR – an introduction and 9 things you should be doing to prepare
- Part 2: The supply chain impact of GDPR and how it should be addressed
- Part 3: Using software to address GDPR compliance
- Part 4: Webinar – a practical approach to tackling the GDPR: relevant data, efficient processes, and certification
The EU's General Data Protection Regulation (GDPR) is the result of four years of work by the EU to bring data protection legislation in line with new, previously unforeseen, ways that data is now used. This new regulation will replace the current UK Data Protection Act 1998 which was enacted following the 1995 EU Data Protection Directive. GDPR will require no national legislation and will come into effect on 25th May 2018.
Due to the expanded territorial reach of the regulation and the additional obligations it places on different actors within the data chain, organisations should already be preparing as the impact will be immediate.
The new regulation has a considerable amount of crossover with the UK Data Protection Act 1998. However, while the main concepts and principles remain the same, new elements and various enhancements have been added to keep pace with rapid technological advancement, which has dramatically increased the ability to collect and share data.
What exactly is new?
GDPR expands on previous regulation and introduces some new concepts; the following outlines the key areas that you should be aware of.
Possibly the largest change to the regulatory environment of data protection is the extended jurisdiction of GDPR. The regulation now covers companies processing the data of subjects residing in the EU, irrespective of the company’s location.
It therefore covers data controllers and processors outside the EU whose processing activities relate to the offering of goods or services to EU citizens, irrespective of whether payment is required, or the monitoring of the behaviour of these citizens whilst within the EU. This means that any company outside the EU which is targeting consumers within the EU will now be subject to GDPR.
Data Protection Officers:
GDPR requires increased internal record keeping of data processing activities, which in many cases will supersede the current requirement to notify local Data Protection Boards (DPAs) of processing activities.
As a result, some data controllers and processors must designate a Data Protection Officer (DPO). This appointment is mandated where processing is carried out by a public authority, where core activities comprise processing operations which require regular and systematic monitoring of data subjects on a large scale, and where core activities require processing of special categories of data on a large scale.
Accountability and privacy:
GDPR places an accountability obligation on data controllers to demonstrate compliance. This includes the requirement to maintain documentation, conduct data protection impact assessments, and implement data protection by design.
GDPR also places direct obligations on processors for the first time, with a greater emphasis on documentation to demonstrate accountability. Going forward, processors will be required to maintain records of their activities on behalf of each controller, in compliance with the GDPR’s accountability principle. The new regulation adds greater weight to company responsibility, and requires that you show how you meet this compliance.
The concept of privacy by design is now a legal requirement within GDPR. This means not only that data protection needs to be built into the design of systems, but also that the controller needs to take appropriate organisational and technical measures to meet the requirements of the Regulation and to protect the rights of data subjects.
Rights of individuals:
A key aim of the regulation is to strengthen the rights of individuals, or data subjects. This includes the right for individuals to obtain information about data being processed about themselves, access to that data, and correction of the data when it is incorrect. If an individual receives personal data concerning them, they have the right to transmit that data to another controller.
In addition, individuals have the right to be forgotten, or in other words to have the data controller erase their personal data, to stop the distribution of this data, and to prevent third parties from processing this data.
Finally, under the GDPR, data breaches must be reported within 72 hours, and data processors are required to notify the data controllers of any breach ‘without undue delay’.
One of the areas that is likely to worry, and consequently impact, many organisations is the issue of consent to use a data subject’s, or an individual’s, personal data.
The GDPR clearly states that any request for consent should be in clear and plain language, not wrapped in unintelligible terms and conditions, and should be separate from any other terms. Perhaps the easiest way to interpret this from the perspective of a data controller is that consent to process personal data must be as easy to withdraw as to give, and that you must be able to demonstrate that consent was given.
What are the consequences of non-compliance?
A major reason behind the attention that GDPR has been receiving is the increased level of the fines that can be handed out.
There is a tiered approach to penalties for breach of the regulation whereby the DPAs can impose fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher. Other infringements can result in fines of 2% of turnover or €10 million.
What should you be doing to prepare?
Each organisation is different, and the individual process that each will go through to be fully prepared for GDPR will differ. However, the checklist below should help ensure that you have addressed the key areas and that your organisation understands how to be prepared come May 2018.
- Assign responsibility – ensure that an appropriate person within the organisation has responsibility for data protection compliance, and if required by the regulation then appoint a Data Protection Officer.
- Review privacy notices and policies – ensure that all relevant information is provided in clear language, and that all policies are transparent and easily accessible.
- Review how you manage consent – review how you ask for, record and manage consent, and plan to refresh these relationships prior to GDPR introduction if required.
- Review the information you hold – review the personal information you hold, where it is stored and how it is used.
- Consider rights of individuals – if requested by data subjects, can data be provided in a commonly used format? Can you demonstrate legitimate reasons for retaining any personal data?
- Understand your role as a data controller or processor – ensure that the services you offer as a data processor are aligned with GDPR, as your customers will be asking. If you are obtaining data processing services then document each party’s responsibilities.
- Establish data breach procedures – you’ll need to ensure you have a documented data breach procedure, including a response process.
- Embed data protection by design – consider GDPR in the way your organisation operates on an ongoing basis, such as processing of data and product design.
- Understand and lead supply chain compliance – GDPR will need to be addressed in contractual negotiations and, although data processors have specific obligations, controllers are not exempt from liability. Organisations therefore need to carry out appropriate due diligence on all suppliers, since, should a supply chain breach occur, it could have serious financial and reputational consequences.
To ensure you don't miss our regular blog updates and events, please sign up to our blog.