NEW DATA RULES

Is GDPR on your radar?

By John Hinde, a freelance business writer who focuses on technology and

Small business matters

In April 2016 the European Union (EU) finally adopted the General Data Protection Regulation (GDPR). Because it is a regulation rather than a directive, it applies directly in every member state, without needing to be written into national law, after a two-year transition period ending on May 25, 2018; despite the move towards Brexit, the UK will apply it in full from that date, and all businesses, irrespective of size, need to plan for the changes. Worryingly, a survey published in January suggested that up to 60% of European firms are unprepared for the GDPR.

Stated goal

The aim of the GDPR is to establish a single set of data protection rules across Europe. Organisations and businesses outside the EU are also subject to it when they offer goods or services to, or monitor the behaviour of, individuals who are in the EU (the test is where the person is, not their citizenship); this is one of the reasons the UK is keeping it after Brexit. Quite simply, the GDPR gives individuals better control over the personal data held by others, and it requires some organisations (public authorities, and any business whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data) to appoint a data protection officer.

It’s worth noting that personal data is defined as any information relating to a person who can be identified, directly or indirectly: not only names and addresses but also online identifiers such as IP addresses and cookie IDs. It is irrelevant how the information is garnered; data about people in their private, public or work roles is all covered by the GDPR. It makes no odds how small a company is or how much data it holds; so long as the data can identify an individual, the GDPR applies. The rules, under the present Data Protection Act and the GDPR alike, also apply to structured paper records: if records are filed so that they can be searched by reference to an individual, they are caught by the legislation.

New obligations and penalties

The GDPR markedly changes the enforcement and penalty landscape. The Information Commissioner’s Office (ICO) can presently levy fines of up to £500,000 under the Data Protection Act. The GDPR raises the maximum to €20 million or 4% of annual worldwide turnover, whichever is higher, for the most serious infringements (breaches of the data protection principles, of individuals’ rights or of the rules on international transfers), with a lower tier of €10 million or 2% for failures such as inadequate security, not keeping records or not reporting a breach.
Secure data

Those holding data on others will have to ensure that it is kept securely and that staff are briefed on the law. More importantly, holders of personal data will have to design safeguards into their systems (the GDPR calls this data protection by design and by default), and those safeguards need to be appropriate and in proportion to the degree of risk associated with the data held, taking the state of the art and the cost of implementation into account. Technically speaking, the regulation itself lists measures such as the pseudonymisation and encryption of personal data; ensuring the “ongoing confidentiality, integrity, availability and resilience of processing systems and services”; the ability to restore access to personal data promptly after a physical or technical incident (which includes accidental deletion, so backups have to exist and have to be tested); and a process for regularly testing and evaluating how effective those measures are. A third party that processes data on a company’s behalf, such as a payroll bureau or cloud provider, must give the same guarantees under a written contract.

Seek consent

Where an organisation relies on consent to process someone’s data (consent is one of six lawful bases under the GDPR, alongside performance of a contract, a legal obligation and legitimate interests, among others), that consent must be freely given, specific, informed and unambiguous. Organisations need to be able to show how and when consent was obtained. It cannot be obtained through pre-ticked boxes or silence, and nor can it be bundled with other matters such as the terms of an employment or other contract. Individuals can withdraw their consent at any time, and withdrawing it must be as easy as giving it; they also have a right to erasure, the so-called right to be forgotten.

Tell individuals

When collecting data, it’s a requirement of the GDPR that the individual is told: the identity and contact details of the data-gathering business (and of its data protection officer, where it has one); the purpose of acquiring the data, the lawful basis relied on and how the data will be used; whether the data will be transferred outside of the EU and EEA (say, by a payroll provider); how long the data will be stored for; their rights to access, correct or have the data held erased; the right to withdraw consent previously given at any time; and the right to lodge a complaint with the company and with the Information Commissioner’s Office (ICO). Importantly, the GDPR demands that individuals are told how their data is processed in a clear and understandable way, in plain language rather than legal small print.
Individuals can make requests to see their data (subject access requests), and these must be fulfilled “without undue delay and at the latest within one month of receipt of the request”; that period can be extended by a further two months for complex or numerous requests, provided the individual is told of the extension within the first month. Under the current regime, holders of data have 40 days to comply and may charge a £10 fee; the GDPR removes the standard fee. Only where requests are manifestly unfounded or excessive, for example because they are repetitive, will businesses be able to charge a reasonable fee or refuse to act, and they must be able to justify that decision.

Reporting breaches

Another change brought in by the GDPR is a duty to report breaches of security “leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Where such a breach is likely to “result in a risk to the rights and freedoms of natural persons”, companies must notify the appropriate supervisory authority, in the UK the ICO, “without undue delay and, where feasible, not later than 72 hours after having become aware of it”; if notification comes later than that, the reasons for the delay must be given. Where the risk to individuals is high, they must be told directly as well. Every breach, whether reported to the ICO or not, must be recorded internally together with its effects and the remedial action taken, and a processor that suffers a breach must tell the controller without undue delay. The clock starts when the organisation becomes aware of the breach, not on the next working day, so a breach discovered on a Friday could well mean working through the weekend.

The GDPR is not going away, and Brexit will not save a business from complying with its requirements. The penalties become markedly harsher from the end of May. Those who choose to ignore the new rules are setting themselves up for a fall. Time spent on the ICO’s website (https://ico.org.uk) will be time well spent.
RCI March 2018