Barely a day goes by without cybercrime and data leaks hitting the headlines. The volume of personal data being collected and used, not least through social media, keeps growing rapidly. This means that people's control over their data, and businesses' approach to information governance, are increasingly important.
The legal landscape
Today, the UK legal requirements relating to personal data are set out in the Data Protection Act 1998 (DPA) and enforced by the regulator, the Information Commissioner's Office (ICO). The DPA and the equivalent legislation in other EU member states are based on the EU Data Protection Directive 95/46/EC, but because each member state transposed the directive into its own national law in its own way, data protection compliance requirements vary across Europe.
Last year, the adoption of the General Data Protection Regulation (GDPR) started a two-year implementation period: all EU member states must comply with the new regulation from 25 May 2018.
As the GDPR is a regulation, not a directive, it automatically becomes law in each EU member state.
The UK Government has confirmed that the Brexit vote will not affect the introduction of the GDPR. This decision is not surprising given how many businesses now operate across borders. One of the GDPR's major aims is consistency of data protection law across the EU, and it greatly reduces the need for separate member state legislation on data. Its primary objective is to harmonise the regulatory environment and so simplify international business.
Even if the UK Government changes its stance, the GDPR has "extra-territorial reach": any organisation that offers goods or services to, or monitors the behaviour of, data subjects in the EU must comply with the GDPR, wherever in the world it is located.
Put simply, the GDPR will be UK law and is likely to remain so. Even if the UK later elects to change the law in this area, your business will still need to comply if it handles the personal data of people in the EU, for example because it trades with Europe at all.
Scope of the GDPR
The GDPR applies irrespective of size. Everyone from sole traders to multinationals needs to comply. Of course, the regulators (in the UK's case the ICO) are expected to treat organisations proportionately, but the principles are the same for all.
Fines of up to 4% of global annual turnover or €20m (whichever is higher) can be imposed on any business that does not comply. This is on top of any compensation paid to affected individuals and reputational damage, which may be impossible to quantify. It is a huge jump from today's maximum penalty of £500,000.
The GDPR has many similarities with the DPA: the principles are similar and key definitions remain, such as "data controller", "data processor", "personal data" and "sensitive personal data" (which the GDPR calls "special category data"). A data controller decides how and why personal data is processed; a data processor acts on the data controller's behalf and instructions.
As with the DPA, the requirements of the GDPR apply only to personal data, meaning data that relates to an identified or identifiable living individual. However, the definition is more detailed and makes clear that online identifiers such as IP addresses can also be personal data. Additional obligations still apply if you handle sensitive personal data; that category has been widened slightly from the DPA and now includes, for example, genetic data and biometric data where it is processed to uniquely identify an individual.
The main changes are:
a new accountability requirement, which means you now have to be able to demonstrate how you comply with the GDPR, for example by documenting the decisions you take about data processing;
data processors have direct legal obligations under the GDPR and must actively comply with them (they can no longer push responsibility on to data controllers);
some organisations will need to appoint a data protection officer who is independent and free of conflicts of interest (so not the IT director) and who reports directly to senior management;
under the mandatory breach notification procedures, the ICO must be informed within 72 hours of the organisation becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals;
the GDPR introduces data portability, a new right for a data subject to receive the personal data concerning them in a structured, commonly used and machine-readable format and to transmit it to another data controller;
data subjects have a right to be forgotten, also referred to as the right to erasure; and
privacy by design (data protection by design and by default) is now a legal requirement rather than a best-practice recommendation.
Delivering good information governance goes hand in hand with GDPR compliance. Boards want to minimise risk to their organisations without unreasonable bureaucracy. As technology and digital leaders, you need to ensure that your organisation's information is managed securely. There are three measures you can take:
have meaningful policies and stick to them;
understand enough about the law, and comply with it; and
have clear accountabilities in your structure, and demonstrate how you comply.
This applies as much to technical information security policies as to data policies. A practical approach to IT security is covered in a separate article.
Keep calm and carry on
There is no need to panic about implementing the GDPR. There is still time to identify the requirements, plan, and put in place the policies, systems and strategies needed for compliance.
Organisations (and the people within them) are best placed to ensure their own compliance, as the requirements and the steps involved will differ for every business. That said, help is available.
The ICO publishes plenty of accessible guidance and toolkits to help you become compliant. As the regulator, and the body that will be imposing the fines, it is the best source of information you can use.
New GDPR guidance is being released all the time, so keep yourself up to date with the latest developments. The ICO is updating its pages monthly to help with this.
Systems integrators, lawyers, trade bodies and the CBI are also good sources of help and advice. Lawyers can assist with training and with drafting the policies that a compliance programme requires.
The ICO's "12 steps to take now" guidance is the best place to start your compliance journey.
As a very basic outline, your plan should include:
mapping the flows of personal data into, within and out of your organisation;
identifying the lawful basis for each of your processing activities;
identifying any changes needed to processes, systems (e.g. CRM, website, e-marketing tools) and policies;
training staff on the law and their obligations; and
implementing the changes before 25 May 2018.
Organisations need a light-touch, regular eye on these matters rather than a codification of absolutely everything. Take notice of the changes in the law and set aside a little time to ensure compliance. Don't ignore it, but don't panic!