The arrival of the new General Data Protection Regulation (GDPR), recently approved by MEPs, will have a wide-ranging impact on all businesses processing personal data and is currently a hot topic.
As the countdown begins for the two-year lead-in, what we do know is that there will be a huge amount of speculation, misunderstanding, confusing interpretations and probably denial at large. As businesses seek to digest the announcement and consider the impact on their organisations, the myths are already starting to emerge.
Myth 1: I have to appoint a qualified, independent Data Protection Officer (DPO)
Earlier proposals, under which every organisation with over 250 employees or processing more than 5,000 personal data records would have had to formally appoint a DPO, were amended during the draft stages. Section 4 of the GDPR states that a Data Protection Officer is to be appointed if:
a) You are a public body
b) You are a private sector controller whose core activities consist of processing operations that require ‘regular and systematic monitoring of data subjects on a large scale’ (how large ‘large’ is remains open to interpretation).
c) You are a private sector controller whose core activities consist of processing special categories of personal data (e.g. sensitive personal data under the UK DPA).
The DPO, where appointed, must be independent. This doesn’t mean you have to appoint an external person - they can be an employee. The post can be a part-time role or combined with other duties, but in performing the role the DPO must have an independent reporting line (like most compliance officers), be empowered, and report directly to the Board without interference. What is important is that the appointed person must be a data protection professional with ‘expert’ knowledge of data protection law and practices, able to perform their duties and ensure your organisation achieves and maintains compliance.
Myth 2: I am considered to be a small to medium enterprise (SME), so the GDPR doesn’t apply to me, does it?
Whilst there are some concessions to micro and small businesses, particularly in relation to record keeping, the GDPR applies to all organisations ‘engaged in economic activities’ involving the processing of personal data. It depends upon the nature of the processing you perform, not the quantity of records or size of the organisation. You will also need to recognise that your customers may be larger enterprises and you may need to prepare for the obligations placed on data processors.
Myth 3: I’m only acting as a data processor so I don’t have to worry about the GDPR – my customers, as the data controllers, deal with all that, don’t they?
Data controllers will, over the next two years, need to review all of their supplier (controller to processor) contracts to ensure they are compliant with the new regulation. Data processors will also, for the first time, have direct responsibilities under the GDPR, one of which is a requirement that they (or their representatives) maintain a record of processing activities that includes:
a) The name and contact details of the processor or processors, or where applicable, the processor’s representative
b) The name and contact details of each controller (or the representative) the processor is acting for and their data protection officer
c) The categories of processing carried out on behalf of each controller
d) Transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of appropriate safeguards (e.g. contractual clauses within inter-company data transfer and sharing agreements based on risk assessments etc.)
e) Where possible, a general description of the technical and organisational security measures the recipient of the transfer has implemented
f) The records need to be in writing, including in electronic form, and made available to a supervisory authority on request.
Myth 4: My personal data is all encrypted so I don’t need to worry about fines
Security measures are vital, but fines can be levied for an infringement of the data controller or data processor obligations under the GDPR, not just for data security breaches. The potential level of fines is hitting the headlines, as supervisory authorities will have the power to impose fines of 2 to 4 per cent of global annual turnover (in the previous financial year) depending upon the seriousness of the infringement and the circumstances of the case, including:
• The nature, gravity and duration of the infringement
• The purpose of the processing concerned
• The number of data subjects affected
• The level of damage suffered by data subjects (including infringement of their rights)
• Whether the infringement was intentional or negligent
• Any action taken by the controller or processor to mitigate the damage suffered by data subjects
• The degree of responsibility of the controller or processor, taking into account technical and organisational measures implemented
• Any relevant previous infringements
• The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects
• The categories of personal data affected by the infringement
• The manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, they were notified
• Whether any previous measures ordered against the controller or processor relating to the same subject matter were complied with
• Whether approved codes of conduct or approved certification mechanisms were in place
• Any other aggravating or mitigating factors such as financial benefits gained, or losses avoided, as a result of the infringement
Encryption is not a panacea. You will still need to consider the ‘organisational and technical’ measures in place, not just in relation to security risk assessment, security management and the implementation of controls to ensure personal data is protected, but potentially in terms of documented privacy impact assessments.
These are now mandatory where new processing operations are likely to result in a high risk to the rights and freedoms of data subjects, and specifying the measures required to reduce that risk (including the potential need to seek prior approval from a supervisory authority in some cases) is vital. Organisational measures include the overall governance and compliance regime needed to demonstrate compliance and ensure your obligations for ‘accountability’ are met and maintained.
The GDPR has a potentially significant impact upon IT, with data controllers and data processors needing to be thinking ahead. For example, does your organisation have the knowledge, capability and technology in place to:
• Perform data discovery and data audits to identify where personal data is stored, processed or transmitted by your organisation?
• Do your applications/systems (whether internally developed or acquired) enable you to record how consent for processing personal data was obtained, who it was obtained from, who it has been shared with, whether it has been changed or its accuracy disputed, and approval for disclosure under data sharing agreements (internal, external and inter-company)?
• Do your applications/systems developers understand the GDPR implications?
• Are you preparing to perform documented privacy impact assessments and criteria for prior consultation with data protection authorities as part of your compliance regime?
• Are your applications/systems able to support the GDPR data deletion requirements?
• Are you planning application changes to support the new rights of data subjects to receive copies of their personal information in common (interoperable) electronic format and/or forward that data to another entity (portability)?
• Are you proactively talking to your software suppliers, service providers and data processors? Have you identified them, and are you planning contract reviews? Are you yourself a data processor or software solutions provider?
• Will your incident management and investigation procedures enable compliance with data breach notification obligations, to notify supervisory authorities where necessary within 72 hours? Are you considering what, how and when you may need to notify data subjects that a breach has occurred and what assistance you will provide them?
• How will you review online privacy information notices and achieve online consent? How will online consent be recorded, and how will a subsequent withdrawal of consent trigger potential data erasure?
• How will the data erasure/portability requirements impact your current data retention and archiving arrangements?
• What resources and support will you need for your GDPR reform project?
Myth 5: If we leave the EU, the GDPR will not be relevant so it is better to wait and see
That would not be an advisable approach. Either way, UK businesses will still have to respect the rights and freedoms of citizens of EU member states when the GDPR comes into effect, once the final release date has been announced. If the UK stays in Europe, the GDPR will automatically supersede the UK Data Protection Act. If we leave, complex withdrawal agreements mean this will potentially be after the GDPR is already in effect, and the UK Government would need to consider harmonisation and legislate accordingly. As such, it is highly unlikely that the GDPR requirements will be changed; however, there is a period of up to two years in which the UK has to ratify the Regulation before full adoption. Given the continuing need to ensure the free flow of information and remove barriers to trade across international boundaries, the UK is more likely to phase in the GDPR soon after the EU Parliament has announced the final date.
The ICO has published a useful 12-step guide on what organisations should do now and launched a new micro-site where it will publish future guidance.
One thing we can be sure of: there will be a mass of information to digest over the next two years, and you need to use information sources and specialist partners you can trust.
Lisa Dargan, Business Development Director for Ultima Risk Management