Back in 2016, the European Union passed a bill to introduce the Global Data Protection Regulation. The purpose of the legislation was to define the legal rights of EU citizens in relation to their data and to enforce regulations on the data controllers and processors who hold that data. The GDPR will be introduced on the 25th May 2018, and will put impose sanctions on businesses that don’t safeguard the data they process.
Companies that fail to implement the processes outlined in the GDPR will be hit with severe fines for noncompliance. Penalties in excess of €10 million or 2% of an organization’s global revenue (depending on which is larger) will be used if any of GDPR’s requests are not fulfilled. The key take-home of the GDPR is that data controllers and processors need to ensure their data subjects are protected.
Under the GDPR, organizations fall under two categories: data controllers and processors. Of the two categories, controllers bear the most culpability, and are responsible for working with controllers who demonstrate “sufficient guarantees to implement appropriate technical and organizational measures”. As such, controllers are required to ensure both their internal data and processed data is protected.
The definition of ‘personal data’ is any information that can be used to identify a person, either directly or indirectly. This broad definition covers a subjects name, identification number, online details or location. The result is that any organization harboring the personal data of an EU citizen will need to “implement appropriate technical and organization measures” to protect their data.
Controllers and processors are encouraged to regularly test the integrity of their systems and ensure that they are able to access data quickly in the event of a technical failure or data breach. Likewise, in many cases these entities will be expected to encrypt and use pseudonyms to protect their subject’s data whilst in transit.
Controllers and processors will also be expected to clearly define their relationship, and manage all data exchanged in order to ensure that the privacy of their subjects is respected. It’s important to note that the burden lies on the shoulders of controllers to ensure that the processor they’re working with has adequate privacy measures in place.
Under the GDPR, entities holding EU citizen data are only allowed access with consent from their data subjects. In order to be considered legal, all processing must be upheld by affirmative consent. Under the GDPR consent is defined as “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action”.
Whilst this seems simple there are a number of complications. The first being that businesses must specify what data they need, and explain its “specific, explicit and legitimate purposes” to the data subject. In addition, the policy of affirmative consent outlined in the GPDR means that controllers wouldn’t be able to take silence as an act of consent, it must be expressly stated.
The GDPR also dictates that data protection officers need to be appointed for all public authorities and businesses which conduct “systematic monitoring of data subjects on a large scale” or handle personal data pertaining to political opinions and ethnicity. Again this definition is so expansive that almost all industries are covered to some degree.
A data protection officer is required to be up to date on all current data protection legislation, whether they are an internal employee or belong to a third party organization. The officer is responsible for ensuring that the organization implements adequate processes to protect data in the workplace (which applies to both controllers and processors).
The data protection officer is required to provide advise to the organizations employees, assess compliance on an ongoing basis, train staff and conduct regular audits. In addition, the officer is expected to act as an accessible point of contact not just for data subjects but supervisory authorities as well. This is intended to increase transparency and accountability over data handling.
Companies will also need to ensure that the data protection officer is adequately supported in their role with complete access to all data processing activities. Larger companies can appoint more than one officer but will need to make sure that they can be contacted from all physical locations.
One of the biggest changes brought about by the GDPR is the increase in data transparency it promises to deliver. After implementation, organizations will be expected to provide data subjects with access to their data upon request. This means that the organization should be able to succinctly explain what data they hold, and how that data is used. A data access request must be catered to promptly, and fulfilled within one month of the initial contact.
No less important is the data subjects right to be forgotten. Just as a subject can request to access their data, they can withdraw consent at any time. This means that the data controller or processor will need to destroy any and all data associated with that subject. Similarly, the data holder will be expected to erase data that they have no legitimate need of.
In order to ensure that the personal information of data subjects is protected, the GDPR mandates that controllers and processors notify data subjects and a relevant supervisory authority in the event of a breach. A data breach is defined as any “breach of security” causing the “unlawful destruction, loss, alteration” or “unauthorized disclosure of “personal data”.
The entity holding the data will be expected to reach out to the relevant parties within 72 hours of identifying the breach. A company can take longer than 72 hours to contact the authorities if they have a “reasoned justification” but the regulatory authority will likely decide the legitimacy of this claim.
It can be difficult to get to grips with what the GDPR is but ultimately the legislation comes down to ensuring you have consent from EU data subjects, implementing internal procedures to protect that data, appointing a data protection officer and destroying data which you do not need or have been requested to erase.
Starting preparation for the GDPR’s introduction in May ensures that you have the proper procedures in place to guarantee the integrity of your subject’s data. Though it can be tempting to cut corners this isn’t advisable as the EU is going to be looking to make an example out of companies that take cavalier attitude towards their citizen’s data.
For more information about document compliance, be sure to visit our compliance and risk mitigation overview here