How Will GDPR Affect You?

  • Author: Alistair O'Sullivan

Download the official ICO GDPR checklist here: Download

In May this year, Europe’s data protection rules (GDPR) will undergo their biggest changes in two decades. Since the creation of the rules in the 90s, the amount of digital information that we create, capture, and store has vastly increased. Simply put, the old regime was no longer fit for purpose.

The solution is the European General Data Protection Regulation (GDPR), which comes into force on May 25, 2018. It will change how businesses and public sector organisations can handle the information of customers.

The regulation has spawned a raft of GDPR experts who want to help businesses prepare for the changes GDPR will bring, and make a tidy sum for their expertise.

Elizabeth Denham, the UK’s information commissioner, who is in charge of data protection enforcement, has said she is frustrated by the amount of “scaremongering” around the potential impact on businesses. “The GDPR is a step change for data protection,” she says. “It’s still an evolution, not a revolution.” She adds that for businesses and organisations already complying with existing data protection laws the new regulation is only a “step change”.

Still, plenty of confusion remains. To help clear things up, here’s WIRED’s guide to the GDPR.

What is GDPR exactly?

The GDPR is Europe’s new framework for data protection laws. It replaces the previous 1995 data protection directive, which current UK law is based upon.

The EU’s GDPR website says the legislation is made to “harmonise” data privacy laws across Europe, as well as give greater protection and rights to individuals. Within the GDPR there are large changes for the public as well as for businesses and bodies that handle personal information. We’ll explain this in more detail later.

After over four years of discussions and negotiation, both the European Parliament and European Council adopted the GDPR law in April 2016, publishing the underpinning regulation and directive at the end of that month.

After publication of GDPR in the EU Official Journal in May 2016, it will come into force on May 25, 2018. The two-year preparation period has given businesses and public bodies covered by the regulation time to prepare for the changes.

Don’t we already have data protection laws?

Each member state in the EU operates under the current 1995 data protection regulation and has its own national laws. In the UK, the current Data Protection Act 1998 sets out how your personal information can be used by companies, along with the government and other organisations.

GDPR changes how personal data can be used. The new Data Protection Bill, now published by the government, will cover the provisions in the UK. As noted by data protection expert Jon Baines, the UK’s data protection plans include everything within the GDPR, although there are some minor changes.

The new UK data protection bill

The UK government’s new data protection legislation, published on September 14, 2017, will implement the vast majority of GDPR. The bill must pass through the House of Commons and the House of Lords before it becomes law.

The government says the law sets out a number of exemptions from GDPR, which include added protections for journalists, scientific and historical researchers, and anti-doping agencies who handle people’s personal information.

The bill is currently passing through the legislative bodies but has been subject to some amendments. In one instance, cybersecurity researchers were concerned the bill would make it impossible to research improper anonymising of data. A new amendment covers “effectiveness testing”, saying that researchers must inform the ICO within three days if they can identify people from anonymised data.

Once the new bill passes and becomes an Act of parliament, the 1998 Data Protection Act will be repealed.

Is my company/startup/charity going to be impacted?

In short, yes. Individuals, organisations, and companies that are either ‘controllers’ or ‘processors’ of personal data will be covered by GDPR.

“If you are currently subject to the DPA, it is likely that you will also be subject to GDPR”

Information Commissioners Office (ICO)

Both personal data and sensitive personal data are covered by GDPR. Personal data is a complex category of information. It broadly means a piece of information that can be used to identify a person. This can be a name, address, IP address… you name it. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, and more.

These definitions are largely the same as those within current data protection laws and can relate to information that is collected through automated processes. Where GDPR differs from current data protection laws is that pseudonymised personal data can fall under the law if it’s possible that a person could be identified from the pseudonym.

So, what’s different?

In the full text of GDPR there are 99 articles setting out the rights of individuals and the obligations placed on organisations covered by the regulation. These include allowing people easier access to the data that companies hold about them, implementing a new fines regime, and placing clear responsibility on organisations to obtain the consent of the people they collect information about.

Helen Dixon, the data protection commissioner for Ireland, who has major technology company offices under her jurisdiction, says the new regulation was needed and is a positive move. She adds that large businesses are aware of the upcoming changes, while there needs to be a lot more knowledge in smaller companies, including startups.

“One of the issues with startups is that when they’re going through all the formalities new businesses go through, there’s no data protection hook at that stage,”

Helen Dixon

If you’re only just hearing about GDPR, here are some of the changes to be prepared for.

Accountability and compliance

Companies covered by the GDPR will be more accountable for their handling of people’s personal information. This can include having data protection policies, data protection impact assessments and relevant documents on how they process data.

In the last 12 months, there have been a score of massive data breaches, including millions of Yahoo, LinkedIn, and MySpace account details. Under GDPR, the “destruction, loss, alteration, unauthorised disclosure of, or access to” people’s data has to be reported to a country’s data protection regulator (for the UK, the ICO) where the information could have a detrimental impact on those it is about. This can include, but isn’t limited to, financial loss, confidentiality breaches, damage to reputation and more. The ICO has to be told about a breach within 72 hours of an organisation finding out about it, and the people it impacts must be notified as well.

Accountability and Compliance for Smaller Companies

Companies that have more than 250 employees need to have documentation explaining why people’s information is being collected, along with the data that they process. This must contain descriptions of the information held, how long it’s being kept for and descriptions of the technical security measures in place.

Additionally, companies that carry out “regular and systematic monitoring” of individuals at a large scale, or that process a lot of sensitive personal data, have to employ a data protection officer (DPO). For many organisations covered by GDPR, this may mean having to hire a new member of staff, although larger businesses and public authorities may already have people in this role. In this job, the person has to report to senior members of staff, monitor compliance with GDPR and be a point of contact for employees and customers.

“It means the data protection will be a boardroom issue in a way it hasn’t been in the past combined.”

Denham

There’s also a requirement for businesses to obtain consent to process data in some situations. When an organisation is relying on consent to lawfully use a person’s information, it has to clearly explain that consent is being given, using a clear and “positive opt-in”. A blog post from Denham explains that there are multiple ways for organisations to process people’s data.

Access to your data

As well as putting new obligations on the companies and organisations that collect personal data, the GDPR law also gives individuals a lot more power to access the information held about them. At present, a Subject Access Request (SAR) allows businesses and public bodies to charge £10 for access to the information they hold about a person.

Under GDPR, accessing personal information will be made free of charge, removing the previous cost of requesting information. When someone asks a business for their data, it must provide the information within one month. Everyone will have the right to get confirmation that an organisation has information about them, access to this information and any other supplementary information. As Dixon points out, big technology companies, as well as smaller startups, will have to give users more control over their data.

As well as this, the GDPR bolsters a person’s rights around automated processing of data. The ICO says individuals “have the right not to be subject to a decision” if it is automatic and it produces a significant effect on a person. There are certain exceptions, but generally people must be provided with an explanation of a decision made about them.

The new regulation also gives individuals the power to get their personal data erased in some circumstances. These include where the data is no longer necessary for the purpose it was originally collected for, where consent is withdrawn, where there’s no legitimate interest and/or where it was unlawfully processed.

GDPR fines

One of the biggest, and most talked about, elements of the GDPR is the power for regulators to fine businesses that don’t comply with it. If an organisation doesn’t process an individual’s data in the correct way, it can be fined. If it requires a data protection officer and doesn’t have one, it can be fined. If there’s a security breach, it can be fined.

These monetary penalties will be decided upon by Denham’s office and the GDPR states smaller offences could result in fines of up to €10 million or two per cent of a firm’s global turnover (whichever is greater). Those with more serious consequences can have fines of up to €20 million or four per cent of a firm’s global turnover (whichever is greater). These are larger than the £500,000 penalty the ICO can currently wield and, according to analysis, last year’s fines would be 79 times higher under the new regulation.

But Denham says speculation that her office will try to make examples of companies by issuing large business-crippling fines isn’t correct. “We will have the possibility of using larger fines when we are unsuccessful in getting compliance in other ways,” she says. “But we’ve always preferred the carrot to the stick”.

Denham says there is “no intention” for overhauling how her office hands out fines and regulates data protection across the UK. She adds that the ICO prefers to work with organisations to improve their practices and sometimes a “stern letter” can be enough for this to happen.

“Having larger fines is useful but I think fundamentally what I’m saying is it’s scaremongering to suggest that we’re going to be making early examples of organisations that breach the law or that fining a top whack is going to become the norm.” She adds that her office will be more lenient on companies that have shown awareness of the GDPR and tried to implement it, when compared to those that haven’t made any effort.

How to prepare your business for GDPR

When implemented, GDPR will have a varying impact on businesses and organisations: for instance, not every company will require a data protection officer. To help prepare for the start of GDPR, the ICO has created a 12-step guide.

The GDPR guide, which is available here, includes various steps, such as: making senior business leaders aware of the regulation; determining the information held; updating procedures around subject access requests; and deciding what should happen in the event of a data breach. In Ireland, the regulator has also set up a separate website explaining what should change within companies.

Moreover, the ICO says that “many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA)”. It adds that for businesses already complying with the current data protection law, it’s highly likely they will be meeting many of the GDPR principles.

As well as this guidance, the ICO says it is creating a phone service to help small businesses prepare for GDPR. The service will provide answers about how small companies can implement GDPR procedures and starts at the beginning of November 2017.

Original source: Wired
