GDPR (General Data Protection Regulation) is the updated data protection law coming into force in May 2018. It’s EU legislation aimed at harmonising data trade across the EU, enhancing individuals’ rights over the use of their data, and putting stricter penalties in place for non-compliance.
If you’re a business, charity, non-profit organisation or public service that processes personal information, then you must be compliant, even if the only data you process is your own employees’, or you process data on behalf of another organisation.
Why is it happening?
The last data protection law was passed in 1998 and since then, there have been massive advancements in technology and internet use. GDPR builds on previous legislation to ensure more protection for data subjects, as well as enhancing the safety of an increasingly online population.
It makes sense when you think about how you use your personal information. Every time you sign up to a newsletter or place an order online, you’re sharing your data. Data has value for fraudsters, spammers and identity thieves, not to mention its commercial value to the companies who’d like to send you information about their products and services that you’ve not explicitly signed up to. GDPR will protect personal data from increasing cybercrime, as well as ensuring your data is used in a lawful way.
What’s at stake?
The penalty for non-compliance is high. Breaches will be investigated by the Information Commissioner’s Office (ICO) and if found to be in breach of GDPR, organisations face penalties of:
– 2% global turnover or €10m
– 4% global turnover or €20m
(whichever is greater).
Myth: GDPR doesn’t apply to small businesses
If you’re a small business and you process personal data, you must comply. Regardless of your size, if you’re responsible for a data breach, you are as likely to be investigated as any large business.
A quick look at the enforcement section of the ICO website shows that businesses and public services of all sizes – and even individuals – can and do get fined and prosecuted for breaches of the current Data Protection Act. That’s not going to change under GDPR.
With breach notification a mandatory obligation under GDPR and much higher penalties for non-compliance, any organisation is liable, and should be implementing compliance measures now.
However, this doesn’t mean you should now live in fear of processing information. If you adhere to your industry’s codes of conduct and can show that you have data processing procedures in place, notify the ICO of the breach and co-operate with the ICO on request, these factors will be weighed against the number of people affected by the breach, the risk to them and the action you took to prevent or remedy it.
If you’re demonstrating proper responsibility and taking proactive measures to comply, you will be more able to mitigate the effects of a breach if it does happen. Moreover, implementing proper data processing procedures will ensure your business is less likely to suffer a breach in the first place.
What is ‘data’?
Any information that can personally identify an individual is defined as personal data. That means an NI number, email address, IP address and postal address are all personal data – not just someone’s name.
People having their personal information processed are called ‘data subjects’, just as they are under the existing Data Protection Act.
The definition of ‘sensitive data’ has been updated to ‘special categories’, which now includes biometric and genetic data as well as the previous types of sensitive information (for example, information about race, health, ethnic origin and politics). It does not relate to data processing for criminal convictions.
There are further conditions for processing special categories of data, so make sure you’ve researched your lawful basis for processing this information if you need to do so. You must consider the conditions for processing sensitive data if you process information about an individual’s health for the provision of a health benefit such as PMI.
Myth: GDPR is for IT to sort out
Don’t be put off by the term ‘data’ and think it doesn’t apply to you. While IT may need to get involved in technical compliance projects, all departments will have their own responsibilities under GDPR wherever personal information is processed. What’s more, this isn’t solely the responsibility of your compliance team either. A serious breach is the responsibility of the senior stakeholders, and they’re the individuals who would have to answer to an investigation should it happen. Assign responsibility for the project by assembling a working team.
Want to find out more?
For more in depth information, please download our GDPR white paper.
This bulletin uses information from the ICO, the independent regulatory body of data protection and privacy laws in the UK. See ico.org.uk for more information. The information in this blog is for guidance only and is not and shall not constitute legal advice. Consult a professional adviser or solicitor for advice on your responsibilities.