It can be quite overwhelming when new laws and regulations are introduced, so for you, I’m going to take everything the ICO have said and reduce it into a type of simplified “crash course”. This will hopefully enable others to quickly and effectively understand and take in what needs to be understood. So without further ado, let’s dive straight in.
What is the GDPR?
GDPR, in full stands for General Data Protection Regulation, which is a new legal framework that is being enforced within the European Union (EU) and is replacing the current Data Protection Act 1998 (DPA). The GDPR has similarities with the existing DPA, but has a number of new and amended requirements.
Why the GDPR?
GDPR has been introduced to provide a law for data protection, for everyone. It’s been introduced to provide individuals with rights over their data because having a safeguarded system in place is more important than ever, given the growing digital economy.
When is the deadline?
GDPR for the UK will go into force from 25th May, 2018. It’s confirmed that the UK’s decision to leave the EU will not affect the enforcement of the GDPR. It’s important for organisations to prepare for GDPR ahead of this deadline.
Who does the GDPR apply to?
GDPR applies to all personal data ’controllers’ and ‘processors’ of organisations operating within the EU, and worldwide organisations outside the EU that offer goods or services to individuals within the EU.
‘controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
For example, if ‘Your Co.’ sells clothing to shoppers and uses ‘eMarketing Co.’ to send emails to customers on your behalf, which also tracks their email engagement, then in relation to such email data, ‘Your Co.’ is the controller, and ‘eMarketing Co.’ is the processor.
Organisations must now be responsible for obtaining and keeping a thorough record of how and when an individual gives legitimate consent to store and use their personal data. Consent now means active agreement.
For example, consent can no longer be obtained by a pre-ticked box. Organisations that control how and why data is processed will have to show a clear audit trail of consent provided by the individual. This may include screen shots/grabs or stored consent forms.
Who can ignore the GDPR?
GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
So yes, you don’t have to permanently delete all your friends contact details from your phone.
What data does GDPR apply to?
Personal Data This means data which relate to a living individual who can be identified; (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. For example, names, home addresses, medical details, banking details and email addresses.
Sensitive Personal Data This means personal data consisting of information as to; (a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union, (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
Personal data is used in everything from online sales and customer relationship management, through to marketing - ouch!
Other fun facts about GDPR?
There is now a legal right over personal data that is held by organisations. This means you can ask an organisation to permanently delete everything about yourself, or even ask for a human readable copy if you really wanted to. Remember those nuisance sales calls (PPI, recent car accidents), you’ll now be able to ask them to completely delete your personal data from their system and they will have to comply by law - finally!
Almost all organisation will need to re-write their terms and conditions, privacy, and/or contracts, etc. This means you’ll likely have to re-read a few new documents for every organisation you have relation to.
Organisations should only collect the data that is actually needed to provide the intended goods or services. For example, Spotify should not be asking the gender of a user signing up, unless they have a valid and good reason for it, and you have legally agreed to hand over those details.
GDPR will still be enforced and made law even though the UK are leaving the EU.
For organisation that provide a service, or operate, within the EU and collect personal data, will need to provide a method of exporting your personal data in a human readable format, portability. For example, Spotify will need to enable you to export your playlists in a human readable format, this is very powerful!
Organisations that do not provide methods of gaining your personal data yourself, will therefor need to manually provide this data for you on request. These organisations will need to provide you with your personal data within 30 days of request, and will not be able to charge for this action.
In the event of a data breach, the maximum fine is €20 million or 4% of an organisations annual global turnover - whichever is greater. These fines apply to all sectors (private, public, charities and individuals).
If a fine has been given for data breach, the fine that is applied to a ‘controller’ or ‘processor’ is dependent on how involved they were in the breach.
In the event of a data breach against an organisations in which personal data has been leaded, you have legally 72 hours to notify the ICO if you are impacted. Whether or not you need to notify a personnel such as customers or the general public, will depends on the level of impact in which the leaked data is believed to cause.
Organisation that enable encryption on personal data does not mean that certain areas of DGPR are solved. The data is still present and effectively accessible - it can still be accessed, it might just look different and take a lot longer for an intruder to decrypt.
It’s been reported that the ability to prove valid consent for using personal information is likely to be one of the biggest challenges presented by the GDPR for organisations to comply with.
Organisations need to ensure that the use of simple language when asking for consent to collect personal data. An organisations needs to be clear about how the information will be used, and need to understand that silence or inactivity no longer constitutes consent.
It’s now more important than ever for organisations to outline exactly what personal data they are collecting and how it will be processed and used. Without valid consent, any personal data processing activities will be shut down by ICO, or any related authorities.
GDPR not only applies to new personal data collected, but also all existing data that organisations hold. For example, If an organisations marketing subscription database includes data that was collected in a way that doesn’t comply to the GDPR’s standards, or if you can’t provide sufficient proof of consent, you might not be allowed to send any more marketing material to those subscribers from the deadline.
GDPR not only applies to the personal data stored in digital formats, but also the data stored on paper and placed within an organisations filing cabinet. It’s also important to remember that personal data is also stored on public and private CCTV systems - but thats another debate altogether.
Organisations can no longer have an automatic opt-in within terms and conditions, forms, or contracts. This means that just because you have been emailing Joe Blogs form an organisation, they should not be automatically adding you to their marketing lists, or officially and intentionally saving your details on their marketing system - unless you have legitimately and clearly given the organisation to do so.
How to comply with the GDPR?
As mentioned, organisation that do not comply with the new GDPR’s standard's, rack up the possibility that that organisation could be fined. Whether your organisation is a school, college, nursery, limited company, self-employed individual, you still need to comply. Let’s list some tips on how you can do this.
Awareness - Make people related to your organisation aware that the DPA is changing and how it will affect areas. This doesn’t need to be a long and boring process, just outline the important bits and why this is happening.
Information - Find and audit the information you currently hold and what data processing policies are currently in place and publicly available. It’s likely they will need to be updated. Remember, you should only be processing the data that your really need.
Privacy - Review your current privacy agreement for your organisation and put a plan in place for any changes that are required, or necessary. Again, it’s likely they will need to be updated.
Rights - Check your organisation’s current privacy policies to ensure your processes cover all the rights individuals have with the new DGPR. This should include areas such as, how they can request to permanently delete their personal data, and also that they can request a copy of all their personal data that you hold.
Consent - Review how your organisation is seeking, obtaining and recording consent for data processing. Remember the process needs to be clear to the individual who is providing their personal data.
Breaches - Make sure you have the correct procedures in place to investigate and report a data breach. This means having someone dedicated within your organisation that will process and notify the ICO within 72 hours.
Students - Think about what systems you're going to put in place to verify the age of potential admission and on-role students, and to gather consent from parents or guardians in regards to data processing.
Employees - Similar to that of the above 'Students’, think about the system and process you are going to put in place to obtain employee data. Remember that you should only be processing the data that is actually needed.
Officers - Similar to ‘Breaches’, it’s recommended to designate a Data Protection Officer within your organisation to take responsibility for data protection compliance. This way it shouldn’t get forgotten about and can be organised and kept current.
e-Safety - Having an e-safety policy in place is vital to ensure all key stakeholders know what needs to be done to remain compliant. Schools should already have one in place for safeguarding reasons, it’s likely this will also need to be updated.
Processor - Choose an accredited Data Processor who is also compliant with GDPR obligations and IT asset disposal. Maybe this is undertaken in-house or by a third-party. Who ever you choose, are they compliant, do you trust them and are they staying current?
Controller - Remember, your organisation is the ‘controller' of stored personal data used for your organisation. Whether you are the ‘processor’, or using a third-party, you still need to ensure your organisation comply with the new GDPR’s standards before the deadline.
I can understand that the fast approaching GDPR enforcement can seem overwhelming and scary, but one you understand it, it’s really not that bad. It’s here to stay so we just need to comply, get used to it and make it day-to-day procedures. It doesn’t matter if your organisation doesn’t benefit for these new laws, it’s being put into force for you as an individual person/human being, to protect you and give you rights against your personal data.
For as long as the ICO care, if your organisation has clear, ligament, proper and recorded consent for all data processing, you’ll be just fine 👍