As you may already know, one of the biggest changes to EU data protection rules is coming into effect on May 25, 2018. The General Data Protection Regulation (GDPR) is a wide-ranging set of rules you must follow when collecting, processing, and storing an individual’s personal data. Some of its key aims are to strengthen and harmonise data protection legislation throughout the EU and to ensure that individuals are fully informed about, and in control of, their personal data.
So, does this mean that data privacy and GDPR are one and the same? Not quite. Although there is some overlap, data privacy is a general, overarching concept that refers to a person’s right to privacy, whereas the GDPR is a specific set of requirements that organisations must implement in order to protect this privacy.
If you work for a UK-based company, you might also be asking yourself: “But I’m already following the UK Data Protection Act (DPA) – isn’t that enough?” Well, yes and no. While it’s true that many of the concepts and principles of the DPA are the same as those of the GDPR and remain valid, the latter will supersede the DPA and will include some significant and demanding changes.
To ensure that your organisation closely follows this new regulation – and avoids the costly pitfalls of noncompliance – you’ll need to provide effective training that explains the importance of data privacy and that highlights some of the key differences between the DPA and the GDPR, outlined below.
Under the DPA, opt-in is not required when collecting an individual’s personal data; with the new rules, however, you will need to notify individuals in clear terms that their personal data may be collected and stored and give them the right to opt out at any time. Furthermore, under the GDPR, parental consent will be required when collecting the personal data of minors, which was not mandatory under the DPA. So, to remain GDPR-compliant, it’s vital that data controllers (the people who determine why and how personal data is processed), as well as data processors (employees who process personal data on behalf of the data controllers), within your organisation are provided the relevant training.
Data Protection by Design
Data protection by design is a concept that aims to put the protection of an individual’s personal data and privacy front and centre of an organisation’s information processing structures. Under the DPA, this concept is considered a recommendation – one that was occasionally adopted as an afterthought. The GDPR, however, makes this concept a legal requirement – companies must show that they are implementing appropriate measures to safeguard personal data from the outset. This may include carrying out a Protection Impact Assessment (PIA) in circumstances where “processing is likely to result in a high risk to the rights and freedoms of individuals.” This concept may also entail the appointment of a data protection officer (DPO) in your organisation. Currently not required under the DPA, they will soon become mandatory for any company that has more than 250 employees or that processes more than 5,000 data profiles per year.
In the UK, many companies currently do not have to report breaches of personal data. When the GDPR comes into effect, any breach must be reported to the national regulator – which, in the UK, is the Information Commissioner’s Office (ICO) – within 72 hours. And if a person’s rights are likely to be threatened, companies must also report the breach directly to the person in question and advise them of the risks involved. An effective GDPR training program will need to explain in detail – using appropriate scenarios – what to do in the event of a data breach.
Under the DPA, if noncompliance with the act is proven, companies may be fined up to £500,000 or 1% of annual turnover. With the GDPR, the limits of maximum fines increase to €20m or 4% of annual turnover, whichever is greater. Also, keep in mind that individuals who believe that they have suffered material or nonmaterial damage may be awarded damages if their case is successful. And with no ceiling being set out in the GDPR, these fines could be devastating.
GDPR Compliance – An Ongoing Challenge
So…suppose you’ve got your data protection measures in place – you’ve appointed a DPO and are carrying out PIAs diligently. Is this enough to show that you are fully GDPR compliant?
Again, not quite! One of the cornerstones of the GDPR is that companies must constantly demonstrate their accountability. To achieve this, you’ll also need to conduct ongoing audits to ensure that company practices are in line with the GDPR and provide detailed documentation to show how your organisation’s actions and policies protect personal data. And central to these practices is continuous staff training that covers all aspects of the GDPR in relation to your IT, HR, marketing, procurement, and supply chain processes.
For more information contact [email protected]
By Neil Cullen (Director, Compliance Learning, Interactive Services)