GDPR – the most important change in data privacy regulations for 20 years?
The EU General Data Protection Regulation (GDPR) is the most significant change in data privacy regulations for two decades, and it applies from 25 May 2018.
The General Data Protection Regulation, or to give it its formal title Regulation (EU) 2016/679, is a regulation (not a directive: it applies directly in every member state without needing national implementing law) by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the EU.
This legislation also addresses the export of personal data outside the EU, and gives people back control over their personal data. It also simplifies the regulatory environment for international business by applying one set of rules across the EU.
It’s come about because of the rise in cyber attacks and data breaches, as well as the growing controversy around data collection and consumers’ concerns over how it’s being used. GDPR will rule out the possibility of gathering data through opt-out consent; something that many businesses have previously deployed.
Before we go any further, what about Brexit?
Brexit will not affect GDPR, which means that come 25 May your business will have no excuse whatsoever for not being compliant.
In August, the Government announced the Data Protection Bill (DPB), designed to align UK law with GDPR when it applies, because the UK will still officially be an EU member on 25 May 2018.
The DPB will mirror GDPR’s consumer-focused data protection rules and ensure that UK companies operating within the EU can continue to exchange and handle data across EU borders.
Post-Brexit the UK will be able to make changes to the GDPR framework, and some changes will be inevitable as a matter of mechanics; for example, the role of the UK’s supervisory authority (the ICO) within the regulatory consistency and cooperation mechanism set out in GDPR will have to change.
A further example: a mechanism for ensuring adequate protection for transfers of personal data from the EU to the UK will need to be found, as data will no longer be able to flow freely. This is not a major issue, but it is something that trading partners within the EU will not have to contend with.
So just how will GDPR affect my business?
Companies wanting to collect your data must ask for consent in an “intelligible and easily accessible form, using clear and plain language, and with the purpose for data processing attached to that consent”, and it must be as easy to withdraw consent as it is to give it. This means that long, illegible terms and conditions full of legalese are out.
Businesses will also have to conduct data protection impact assessments (DPIAs) to identify risks and mitigations before engaging in processing that is likely to be high-risk, such as large-scale profiling or monitoring.
They’ll also have to obtain clear consent from the individuals concerned before collecting data where consent is the lawful basis relied on; identify all the personal data they hold and record how it is stored and for what purpose it is used, so that they can demonstrate compliance in an audit; and, where online services are offered directly to children, obtain verifiable parental consent for children under 16 (the UK’s Data Protection Bill sets this age at 13).
Data breaches that are likely to put individuals at risk must be reported to the regulator (in the UK, the ICO) within 72 hours of the business becoming aware of them; where the breach is likely to result in a high risk to individuals, the affected people must also be told without undue delay. Either way, keep an internal record of every breach, including those judged not reportable, because the regulator can ask to see it.
What do I need to do to prepare for it?
A data protection officer (DPO) must be appointed by public authorities, by organisations whose core activities involve large-scale, regular and systematic monitoring of individuals, and by those whose core activities involve large-scale processing of sensitive (special category) personal data or criminal conviction data. If you don’t fall into any of those categories, you don’t need a DPO, although you may appoint one voluntarily; if you do, the same GDPR rules on the role’s independence apply.
The DPO should report directly to the highest level of management, and must have expert knowledge of data protection law and of the company’s responsibilities under GDPR. They don’t have to be a full-time employee; depending on the size of the company and the amount of data being handled, the role can be outsourced.
Crucially though, decision makers and key people need to know about GDPR and how it will affect the business.
It’s also highly likely that the privacy policies and terms and conditions within a company’s website will need to be updated.
What if I bury my head in the sand, and ignore GDPR?
Companies in breach of GDPR can be fined up to four per cent of their annual global turnover or €20 million (around £17 million), whichever is the greater. This is the maximum fine, reserved for the most serious infringements, such as processing without a valid lawful basis or valid consent, breaching the basic principles of processing, ignoring individuals’ rights, or transferring data abroad unlawfully. A lower tier of two per cent or €10 million applies to failings such as inadequate security measures, not carrying out a required DPIA, not appointing a required DPO, or not building “privacy by design” into systems.
How can Vital Technology Group help you?
We are an ISO 27001 and ISO 9001 certified company, meaning that an accredited certification body has recognised our commitment to, and adoption of, best practice in the fields of information security and quality management.
These certifications were achieved after a rigorous external audit and confirm that our systems, processes and procedures meet the internationally recognised ISO standards.
ISO 9001 is an international standard for quality management, aimed at giving customers consistent, good-quality products and services; ISO 27001 specifies the requirements for an information security management system. Together they formally recognise the robustness of our security controls and the importance that we place on the protection of our customers’ data.
We ensure that our clients’ desktops, laptops and mobile devices run centrally managed encryption, so that their data stays protected if a device is lost or stolen.
Ahead of GDPR coming in we expect to be busy amending clients’ websites with updated privacy policies and T&Cs and, importantly, adding data collection statements.
If you're finding yourself confused and concerned about GDPR and your IT security, we can help - talk to one of our security specialists.