GDPR: How data protection regulation will affect your business
Robert Carington, who recently joined the UK Chamber as a policy advisor, blogs on how businesses should act now to ensure GDPR compliance - and avoid eye-watering fines
GDPR – it’s one acronym you need to remember because in less than 10 months’ time it will have altered the way your business operates and how you interact with other companies, both personally and professionally.
Directive (EU) 2016/679, otherwise known as the General Data Protection Regulation (GDPR), is currently being implemented by all companies in the UK and EU. The deadline for its implementation is 25th May 2018.
The GDPR rules on the protection of individuals (whom it labels “data subjects”) regarding how their personal data is processed. Personal data includes things like names, addresses, dates of birth, IP addresses, medical information, bank details, passport numbers, union membership, nationality, religious beliefs and criminal records.
Enforcing the new GDPR will hugely increase the responsibility of companies to strengthen the protection of personal data from clients, associates and employees. There will also be hefty sanctions for companies that fail to comply.
The most important aspects of GDPR are the principles of “accountability” and “consent”. The new regulation requires companies demonstrate compliance by documenting their data-processing activities. Companies must be 100% up-to-date on when personal information should be or has been deleted. This regulatory pressure increases a company’s liability in the event of a suspected breach in data protection.
Draconian punishments have been devised to help enforce compliance and accountability. Authorities must be notified of any breach of the regulations within 72 hours of the event. Fines for failing to notify the relevant authorities and non-compliance can reach up to either €20 million or 4% of annual global turnover (whichever is higher) for serious offences. For those deemed less serious, fines can reach up to €10 million or 2% of turnover.
No business can afford to be hit with a multi-million-Euro fine for non-compliance. This is why companies must take the appropriate technical and operational measures to ensure security levels meet the approved codes of conduct. As well as calling for a detailed blow-by-blow record of all processing activities, the GDPR advises that a data protection officer (DPO) be hired (although this is merely guidance rather than a requirement).
Article 5 of the regulation outlines how to correctly process personal data. It must be processed lawfully, fairly and in a transparent manner, and collected for a specified, explicit and legitimate purpose, the regulation says. The requested data must be adequate, relevant and limited to what is necessary. Reasonable steps must be taken to ensure that inaccurate personal data is erased or rectified without delay. It must be kept in a form that permits identification of a data subject for no longer than is necessary. It must also be processed in a manner that ensures appropriate security against unauthorised or unlawful processing, accidental loss, destruction or damage using appropriate technical or organisational measures.
In terms of accountability, there is an obligation to provide comprehensive, clear and transparent privacy policies, which must be comprehensively recorded. This requires information such as the name and details of the organisation, purpose of processing, categories of recipients of the data, details of transfers to ‘third’ countries, retention schedules and details of technical and organisational security measures.
What will prove challenging is how personal and sensitive employment-related data is handled, particularly when sent to non-EU/EEA countries. A key challenge would be jurisdiction and whether the regulation applies to processors established outside of the EU that are processing the data of EU data subjects. For that matter, what constitutes an EU data subject? Would this mean the citizens of an EU country, non-citizen EU residents or for any person that remains in the EU territory? To answer this, GDPR applies to people of all nationalities where their information is being processed by an EU establishment, and to non-EU processors of data subjects who are based in the EU where their business activities are related to the supply of goods or services to data subjects within the EU.
When transferring personal data to a processor outside the EU, there are two separate categories of ‘third’ countries to which data can be sent. There are approved ‘third’ countries like Switzerland and Canada that have sufficient levels of data protection, which means processing can go ahead as if within the EU.
For non-approved countries, the organisation receiving the personal data must provide adequate safeguards. Individuals’ rights must be enforceable and effective legal remedies for individuals must be available following the data transfer. Safeguards must be enforced by a legal agreement between public authorities, binding corporate rules and standard data protection clauses in the form of template transfer clauses adopted by a supervisory authority and approved by the European Commission.
The main and most challenging aspect of GDPR, however, is the definition of a data subject’s consent for companies to use their personal information. The GDPR defines “consent” in Article 4 as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”. In other words, data must be given willingly, using clear language and, in order to be “freely given”, cannot be given in response to a misleading question or a question where the “wrong” answer carries the threat of negative repercussions from the employer (e.g. being fired). Consent is also seen as being changeable and fluid – it may be given but can also be revoked if someone changes their mind.
Law firm Hill Dickinson has recommended five steps to help companies’ process data correctly and in compliance with the GDPR:
- Be aware of the GDPR by running audits and risk assessments on collected personal data.
- Make a decision on issues (should we appoint a DPO and where is consent required) and, if unsure, contact the relevant supervisory body.
- Develop and update data protection and privacy policies.
- Review your IT and processing security.
- Train your employees and make sure they are up to date on GDPR and the correct processes.
For more information, contact Robert Carington.