If your organisation collects, stores or processes personal data and you have not heard of the GDPR (General Data Protection Regulation), or have not started your GDPR implementation, then please read on. It comes into effect on 25th May 2018 and will change how organisations collect, store and process personal data. The GDPR gives greater rights to data subjects (living individuals) and places additional responsibilities on data controllers and data processors. Data controllers decide what data is collected and why; data processors process that data on behalf of a controller. Under the current Data Protection Act the legal responsibility rested almost entirely with the controller. Under GDPR processors have direct obligations of their own (for example to keep records of their processing, to implement appropriate security measures and to notify the controller of any breach) and can be fined and sued directly.
Gone are the days when you could rely on implied consent to send promotional material to your contact list. Where you rely on consent as your lawful basis under GDPR, that consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action; the purposes for which data is collected must be stated clearly. This means you cannot hide them in a long T&Cs document buried among the legal jargon. Silence, inactivity or a pre-ticked consent box will not count as consent. You must also be able to demonstrate that consent was given, so keep an auditable record of who consented, to what, when and how. Withdrawing consent must be as easy as giving it. Note that consent is only one of the lawful bases for processing under GDPR; if you rely on another basis, such as contract or legitimate interests, you must be able to justify and document that instead.
Individuals will have greater rights of access to the information you hold about them. Among the new rights, one of the most significant is the right to erasure, better known as 'the right to be forgotten'. Individuals can request that their personal data is erased without undue delay and that it is no longer disseminated or processed by third parties. This is not an unlimited right: it must be balanced against freedom of expression, the public interest in public health, scientific and historical research, and the establishment, exercise or defence of legal claims. In practice your systems need to be able to locate every copy of an individual's data (including copies passed to processors and held in backups), erase or put it beyond use on request, and produce evidence that you have done so.
Currently an organisation may charge £10 for a SAR (Subject Access Request), under which an individual can require you to disclose all the information you hold on them, and must respond within 40 days. GDPR removes the charge in most cases (a reasonable fee may only be charged where a request is manifestly unfounded or excessive, or for further copies) and shortens the response period to one month, extendable by a further two months where requests are complex or numerous.
Under GDPR you must appoint a Data Protection Officer (DPO) if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if your core activities involve large-scale processing of special categories of data or of data relating to criminal convictions and offences.
Another major change is that a personal data breach must be reported to the supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. A breach of data that was properly encrypted, where the encryption key has not been compromised, is the standard example of a breach that is unlikely to pose such a risk, but this is a judgement to be made and recorded case by case rather than a blanket exemption. Where a breach is likely to result in a high risk to individuals you must also inform the affected individuals without undue delay. Whether or not a breach is reportable, GDPR requires you to document every personal data breach, its effects and the remedial action taken, so that the ICO can verify your decision.
Although the ICO has said it would rather use the carrot than the stick when it comes to GDPR compliance, the new fines will surely make GDPR a board-level item in most organisations. Failure to comply can attract fines of up to €20,000,000 (roughly £18,000,000) or 4% of total worldwide annual turnover for the preceding financial year, whichever is greater. From the ICO's perspective, GDPR should be the catalyst for organisations that are not already doing so to take the protection of personal data seriously and to appreciate the responsibilities they hold on behalf of others.
If you hold personal and sensitive data in multiple locations and applications, such as spreadsheets, ad hoc documents on your network file server or other IT applications, then you must ensure that the data is safe and secure in every one of those locations and systems. You cannot protect, correct or erase data you do not know you hold, so the first task is to find it.
Given the increased rights individuals have over their data, keeping that data safe and secure should be a high priority for organisations. Every additional application or location holding personal data is another place that must be secured, searched in response to an access request and purged in response to an erasure request, and another place a breach can occur. Capturing and storing personal data in a single, well-secured platform reduces that exposure and makes new processes and policies easier to implement, although it also concentrates the data, so that platform must itself be protected and access-controlled accordingly.
GDPR requires you, as an organisation, to implement appropriate technical and organisational measures to keep personal data secure (Article 32), taking into account the state of the art, the cost of implementation and the risks to individuals. As a basic minimum, if your organisation operates online you should look at achieving 'Cyber Essentials' certification. Companies that hold ISO 27001 are better placed, since they already have the risk assessment, controls and policies needed to show that personal data is protected. Expect the ICO to place increasing emphasis on the organisational and technical changes companies have made to make data security a top priority.
The ICO has published a 12-step plan to start your GDPR journey (ICO 12 Step Plan). This is a good place to start, and if you already have ISO 27001 and good DPA policies and procedures then adjusting to GDPR should be straightforward and relatively painless. If these are not in place then you need to make an immediate start; doing nothing is not an option. Until a gap analysis has been done the scope of the problem cannot be established. It is expected that a large percentage of organisations will not be fully compliant by May 2018. However, if you can demonstrate and evidence your GDPR journey to the ICO, this may help mitigate any fine in the event of non-compliance.
A risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers are required to conduct a DPIA (Data Protection Impact Assessment) where processing is likely to result in a high risk to individuals, for example when using new technologies, profiling individuals systematically or processing special categories of data on a large scale, in order to analyse and minimise the risks to their data subjects.
An essential first step for completing a DPIA is to map your organisation's data and information flows (data mapping): what personal data you hold, where it came from, where it is stored, who it is shared with and on what lawful basis.
Just in case you thought that Brexit might be a 'get out of jail free' card for GDPR, unfortunately it is not. GDPR is an EU Regulation that applies directly in the UK from 25th May 2018 while the UK remains a member state, and the UK government has confirmed that it will be carried into UK law so that it continues to apply after Brexit, irrespective of any agreement reached.
Protocol and Ozola value your data and started on the GDPR roadmap back in May 2016. As a company certified to both ISO 9001 and ISO 27001, we are committed to best practice when handling your data. If your organisation holds and processes data in disparate systems with no consent management, then we may be able to help. Our cloud-based system has been developed to comply with the requirements of GDPR and to keep your data safe and secure. Ozola manages the consent required to process the data and gives individuals access to their own data so that they can keep it up to date and accurate at any time.
Rather than viewing GDPR as another compliance burden, Protocol sees it as an opportunity to demonstrate that we take the security and privacy of personal data seriously.
We have carried out a detailed analysis of our data, understand where it is held and have put measures in place to find and manage information more effectively in order to comply with GDPR.
If you would like more information on how Ozola can help, please contact us.