Here’s What No One Tells You About GDPR, Data Protection - 9 Steps you should take to comply with GD
On 25th May 2018 the European General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) comes into force. The GDPR will be applicable in the UK despite the UK’s exit from the European Union, at the time of writing the Data Protection Bill incorporating GDPR had its third reading, making its way through Parliament.
This article aims to provide you with an explanation as to what data protection is, why the changes have been introduced and 9 steps you can take to help your business.
Information Commissioner, Elizabeth Denham talks in the video below about the importance for companies to act and comply with the regulation to bring greater protection to individuals and stronger consumer rights as data is shared across borders.
What are the consequences of non-compliance with GDPR?
The fines imposed by the regulation will give authorities more investigative and enforcement powers with the power to levy more substantial fines.
Article 58 of the GDPR provides the supervisory authority with the power to impose administrative fines, furthermore Article 83 sets out the criteria to determine the amount of the fine which considers factors such as the nature of the infringement, intention, whether any preventative measures were put in place, history and cooperation to name but a few.
For example, if the breach is for lack of technical measures, the infringement could be for an amount greater of 10 million Euros or 2% of global annual turnover of the business for the previous year. If there was a breach of a key provision of GDPR then regulators have the authority to fine the greater of 20 million Euros or 4% of global annual turnover in the prior year.
Fines will be assessed by Data Protection Authorities, in the UK this will be the Information Commissioners Office ('ICO')
Background, what is Data Protection?
In a nutshell, data protection is the process of safeguarding important information from corruption, compromise or loss.
The basic principles of data protection were introduced in the 1950’S under Article 8 of the European Convention of Human Rights (“The Convention”) and further enshrined in Article 8 of the EU Charter of Fundamental Rights.
The Convention provided that everyone had the right to respect for their private and family life, home and correspondence. Furthermore, it stated that there shall be no interference from a public authority unless there is a reason by law in the interests of national security, pubic safety, economic well-being of the country, prevention of disorder or crime, protection of health or morals or for the protection of the rights and freedoms of others.
Following the initial Data Protection Act in 1984, the 80’s and 90’s saw an unprecedented explosion in the availability and use of computers, thereby changing the way data was collected, processed and how it crossed borders within the EU, the existing act was insufficient and therefore following the 1995 EU Directive (95/46/EC) on data protection, the English Act was amended.
The Data Protection Act 1998 (“DPA”) is the current UK governing law on data protection and regulates the use of “personal data”. The DPA was amended in 2003 to give individuals more control over digital marketing, enabling an opt-in system to receive e-mails, SMS text messages, etc.
The DPA defines the word “data” as
“ Data means information which –
is being processed by means of equipment operating automatically in response to instructions given for that purpose,
is recorded with the intention that it should be processed by means of such equipment,
is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68, or
is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d).”
The Act regulates the processing of personal data to living individuals who can be identified from the data, where the person can be identified from either:
the data alone
data combined with other data accessible by the data controller
Data controllers are entities such as companies, firms, sole traders, etc, who either independently or jointly with others decide how personal data will be used and what they are to be used for.
The DPA also includes expressions of opinion about that person and any intention the data controller or another individual may have regarding them.
The Information Commissioner’s Office ('ICO') which investigates data breaches in the UK has a guideline to determine what information is data in accordance with the DPA.
Why was GDPR introduced?
GDPR simplifies the regulatory environment for international business by unifying the regulation within the EU and aims to give control back to citizens and residents over their personal data.
Historically, the EU has played a crucial role in driving the development and introduction of national data protection law in a number of legal systems where such legislation was not previously in place. The UK adopted the Data Protection Act 1998 following the 1995 EU directive on the protection of individuals regarding the processing of personal data and the free movement of such data.
Other countries within the EU were doing likewise, creating their equivalent in compliance with the 1995 EU Directive (95/46/EC)
Each jurisdiction within Europe had their own national data protection laws, but there were still differences within European Union Countries, which inhibited the free flow of information across the EU, as a consequence the GDPR was introduced and it intends to strengthen and unify data protection for all individuals within the European Union (EU).
What does GDPR govern?
GDPR regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU.
Who does GDPR apply to?
GDPR applies to those who are identified as ‘controllers’ and ‘processors’
A controller is someone who determines the purposes and means of processing personal data
As a controller you are not relieved of your obligations if a processor is involved, the obligation is still on you to ensure the processors are in compliance with GDPR
A processor is responsible for processing personal data on behalf of a controller
GDPR applies to processor organisations whether they are operating within the EU or outside the EU that offer goods or services to individuals in the EU.
The ICO has released its own 12 step guide to the GDPR to help companies prepare for the legislation.
Does GDPR apply to Small Medium Enterprises (SME’s)?
The size of the company does not have an impact on the regulation, however the nature of the activities do, therefore all businesses are affected.
For companies with fewer than 250 employees there is no need to keep records of their processing activities UNLESS
processing of data is a regular activity
poses a threat to individual rights and freedoms, or
concerns sensitive data or criminal records
The EU estimates that the GDPR Regulation will save businesses around 2.3 billion Euro a year by providing businesses with a simpler, clearer legal environment in which to operate throughout the single market.
Do I need to appoint a Data Protection Officer (“DPO”)?
If processing is the main business of the company and it poses specific threats to the individual rights and freedoms, then a Data Protection Officer will be a mandatory role within an organisation.
Any organisation that processes or stores large amounts of personal data, whether for:
individuals outside the organisation
Under Article 37 of the regulation, DPO’s must be appointed for all companies that collect or process EU citizen’s personal data.
What are the responsibilities of a DPO?
Under Article 39 the DPO’s will be responsible for
Educating the company and its employees on compliance requirements,
training staff involved in data processing
conducting audits to ensure compliance and address potential issues
Serve as point of contact between the company and any supervisory authorities such as the ICO that oversee activities related to data.
Maintaining comprehensive records of all data processing activities conducted by the company
When does GDPR not apply?
GDPR does not apply to the following:-
processing of personal data of deceased persons or of legal entities.
Data processed by an individual for purely personal reasons or for activities carried out in the home, provided there is no professional or commercial activity connected to it
Processing for national security purposes
9 Steps you should take to comply with GDPR for your organisation?
Where to start?
The first step is that you should not panic, the GDPR is not as scary as you first thought, the consequence of a hefty fine for non-compliance are real and therefore the following 9 steps should assist you to comply.
Create awareness - Make sure policy makers or decision makers in your organisation understand the implications of GDPR before 25th May 2018
Review – review and document all data activities and security processes within the company, identify the legal grounds for data processing
Assess the risks – do any activities have a high sensitivity risk
Identify needed measures – within the existing processes in the business
Identify key partners – identify joint controllers and processors who will assist to create instructions on how data will be treated
Review contracts and policies – amend existing contracts and policies to be in compliance with the new regulation
Appoint a DPO – check if one is required within your business
Operations – if you operate across multiple jurisdictions consider a uniformed application of compliancy
Inform and enforce – review your contracts, terms and conditions and agreements with third parties
You can assess your level of compliance by completing self-assessment checklists for the role of data controllers and data processors.
Further details of what steps you need to take to ensure your business is compliant can be taken by clicking on the links below:
If you require assistance to ensure your business is compliant with GDPR my team and I can undertake a legal audit of your existing documents, contracts, supplier agreements, terms of business to advise you on what steps you should be taking to comply with the GDPR regulation.
The time to act is now!
If you enjoyed this article, you can subscribe to my blog. I will be writing further articles on the on development's in legal services and changes in legislation.
Avinder Laroya is a Partner at Serenity Law LLP, she is an expert in International Dispute Resolution. If you enjoyed this article you can subscribe to my blog here
Serenity Law LLP is a niche virtual commercial law firm based in London providing commercial legal services such as company commercial, real estate, litigation and employment services to UK and international clients.