Well, if you’re reading this blog, then I suggest you should!
The European Union General Data Protection Regulation (EU GDPR) takes effect on 25th May 2018. But don’t be misled by the title. The EU reference should be treated as an indication of the Regulation’s birth place, not some form of virtual boundary restricting its influence. This Regulation has a broad reach and will affect many organisations around the globe.
Cyber security is a topic that has received an increasing amount of business-focus over the last few years. This is especially true with regards to the protection of personal data, whether card-related or otherwise. There isn’t a week that goes by now that doesn’t afford another news item revealing a data breach, a violation of personal privacy, or an inappropriate use of personal data.
A few things you really need to know about the GDPR, unless you don’t mind being caught with your proverbial pants around your ankles.
- Who it affects.
- The penalties for failure.
- Additional rights.
- Compulsory breach reporting.
- Anonymization of data subjects.
- Mandatory Data Protection Officer.
Who It Affects
The new Regulations will apply to any organisation, regardless of location, that acts as a controller and/or processor of personally identifiable information of EU residents. The term controller refers to any individual or organisation that advocates how and for what business reason the personal data will be used. Processing of data includes such tasks as collection, storage, recording, editing, or any use for operational purposes. The definition of personal data has been broadened to include additional characteristics that may be used to identify a living individual. Those characteristics include such data constructs as genetic, mental, economic, cultural or social identity.
The Penalties of Failure
Probably the most significant changes are the powers given to the Data Protection Regulators (DPRs). The DPRs will have the power to impose penalties in the form of fines against any business failing to comply with the new regulations. These penalties are significantly stronger than those provided under the current Data Protection Act (DPA). The GDPR describes three levels of non-compliance, and each level has a band of fines associated with it. For the most serious instances of non-compliance, an organisation can expect a fine of up to 4% of annual global turnover or €20 million, whichever is greater. (Note: Global turnover not profits, and euros not dollars.)
The GDPR aims to ensure individuals have easy access to any personal data being held or processed by almost any organisation. The organisation will be required to provide individuals with more detailed information regarding the type of personal data being held and also the reason and methods for which the data is being processed. It’s worth noting two additional or extended rights, as provided under the new regulations:
- The Right to Be Forgotten: There is a requirement that data should be retained only to fulfill a specific purpose, discarding the data as soon as it is no longer required for that specific purpose. The so-called “right to be forgotten” allows an individual to demand under certain circumstances that their personal data be erased by the data controller. The reasons for invoking this right can include but are not limited to the fact that the data is no longer required for the specific purpose it was provided or that the individual wishes to revoke the previously given consent. The data controller is required to erase such personal data as soon as it is practical, i.e. without any unnecessary delay.
- The Right to Portability: Under the new regulation an individual will have the right to forward personal data from one data controller to another. In practise, this will require a data controller to either provide the individual with a copy of their personal data in a structured, commonly-used, machine-readable format that the individual can then forward to a controller, or forward the data on behalf of the individual. There are certain circumstances such as records being processed in the public interest when this right does not apply.
Compulsory Breach Reporting
Under the GDPR, a breach is defined as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” It is now mandatory for all organisations to report any such breach to the relevant Data Protection Regulator (DPR) and those affected. The report to the DPA must be made, where feasible, within 72 hours of the breach being identified. Any delay will require a well-reasoned justification. The affected parties must be informed without undue delay, but as yet no time limit has been set. It’s important to note that in the case where the data breach is unlikely to result in a risk to the rights and freedoms of the individuals, there is no obligation to report it.
Anonymization of Data Subjects
It is required under the new Regulation that each individual controller or processor should take both technical and organisational measures to ensure personal data be anonymized, a process which is termed within the Regulation as “pseudonymisation.” This requires that any data that can be used to identify a specific data subject be stored separately and that it be replaced with some form of unique identifier.
Mandatory Data Protection Officer (DPO)
It will be mandatory for all public authorities and organisations where the core business activities includes the large-scale processing of personal data to appoint a Data Protection Officer. The responsibilities of the DPO should include such activities as developing and implementing a business Data Protection Policy, provisioning of guidance and best practise for processing personal data, organizing training, and co-ordinating/responding to all requests for information.
Compared to the current DPA, the GDPR is broader reaching, more prescriptive, and carries significantly stronger penalties for those who fail to comply. If the regulators enforce the appropriate penalties for non-compliance, I imagine small organisations and possibly even medium-sized enterprise could find themselves facing insolvency should they face fines for multiple breaches or failings.
Ignorance really isn’t bliss. I don’t suggest you need to read the Regulation’s full 88 pages (which are available here), but I do suggest you take the time to understand the aspects of the regulations that will affect your business.
For additional perspective on the EU GDPR, please click here.