This short article summarises the key points to take away from the new regulations and what to do next to prepare for 25th May 2018.
The Roles of GDPR
Understanding the scope of your responsibilities under GDPR is a key part of adequately preparing yourself and your business for what’s to come.
Determining whether you’re a ‘data processor’ or a ‘data controller’ is an essential starting point; they are defined as follows:
Data controller – the organization that collects user data, they determine the purpose for which and the way in which the user data is processed.
Data processor – the organization that processes data on behalf of the data controller i.e. something as trivial as storage of user data on an external server. Historically, data processors have not fallen under the jurisdiction of data protection regulations; the GDPR changes this.
Changes to user consent
If you're using someone’s personal data, it must comply with the new legal definition of consent. In summary, consent must now be:
Auditable – whether you’re a data controller or processor, you must be able to pinpoint exactly how consent was given, who it was given by, and what was consented to.
Freely given and explicit – there should be no detriment to the user if consent is not given and there should be an explicit acceptance by the user, so no pre-ticked checkboxes!
Granular – if you’re using data for multiple purposes, the user must give consent for each separately, simply rolling everything in the small print of T’s & C’s will no longer suffice.
Specific and withdrawable – It must be unambiguous to the user what they’re agreeing to and there should be some facility to withdraw the consent if the user changes their mind.
Changes to data breach notifications
Companies must now notify the Information Commissioner's Office (ICO) within 72 hours of learning of a data breach. The data subjects themselves should also be notified within a “reasonable timeframe” given the level of risk the breach presents.
In practice, this seems like a relatively short window of opportunity, but provided contact has been made within this timeframe, and details about the nature of the breach and number of people affected have been stated, you should be OK.
Ideally, businesses should be organizing internal procedures for dealing with this eventuality now. Having the relevant contact information to hand if/when something untoward is detected could make all the difference. Equally important is educating staff about what constitutes a breach and how to prevent it.
Changes to user rights
GDPR is there to protect data subjects and It takes huge steps forwards in terms of consumer rights. Putting processes in place now to manage user requests is key in preparing for the deadline.
The right to access – a user may request and gain access to their own personal data and this must be free of charge (within reasonable tolerances).
The right to erasure – a user can request the eradication of their personal data when there is no compelling reason for it to be retained. This would include any copies of the data i.e. within database backups.
The right to data portability – a user can request their data in a commonly used and machine-readable format and has the right to transmit that data to another controller without hindrance.
A lot has been made of the strict new penalties for noncompliance under the new GDPR regulations, and it’s true they have increased drastically. The GDPR will be enforced through a fine of up to €20m or 4% of global annual turnover for major data breaches, whichever is greater.
On a positive note, as long as you can demonstrate you’ve taken all the necessary steps to make a genuine and real attempt at compliance these penalties need not apply.
There are plenty of online resources that will assist in your preparations.
ICO self-assessment questionnaire
UKFast GDPR webinars