The countdown is on with GDPR coming into force on May 25th 2018 and for months now there have been lots of talks and rumours of how the changes will affect different businesses. Everyone you talk to seems to know bits and pieces but in general people are pretty confused by the whole thing, so we have written this article to help supplement your own research.
What is the GDPR?
The GDPR stands for General Data Protection Regulation and is the Europeans policing and protection for the processing of personal information of individuals. The GDPR applies to all companies that process EU citizen’s personal data whether or not that company is in fact in the EU itself.
What are the key changes I should make note of?
If you’re confused by all of the grey areas in the regulation, then you’re not alone! If you log onto the ICO’s website there are quite literally pages and pages of information to read through and you would be forgiven for being overwhelmed. To help get you on the right path, here is a list of all the changes we feel are the most prominent to be taking note of:
OK, so this is a big one. If you are in breach of the GDPR then penalties can be up to 4% of annual global turnover OR €20 million. Whatever is the greater amount. Pretty scary, right? However this is the maximum fine you can get for violating the regulations and will be imposed for only the most serious of offences. It is important to remember that the GDPR fines work on a tiered approach and the lower cost is 2% of annual global turnover OR €10 million. Still a punch.
The leash has been tightened, with consent now having to be clear, distinguishable and explicit. I’m sorry to say that it is time to wave goodbye to pre-ticked opt-in boxes or any other form of default consent. It is also necessary that you keep your opt-in boxes separate from all other terms and conditions. You must be granular in what the consumer is opting- in for and name all third parties in which their data may be handed to. The GDPR is making things easy for consumers, which means you have to give a very simple way for them to opt-out if they wish to and remember, keep all records stored and locked away for evidence! (Caveat: If someone requests to be forgotten, their data must be deleted!) Opt-in boxes are the easiest way to make sure you are in regulation with the GDPR, however other forms of consent are still legal such as legitimate and vital interest. These are some grey areas.
Breach of Personal Data
If there is a data breach of personal information then it is now mandatory for all organisations to tell the relevant supervisory authorities. This must be done within 72 hours from the time you become aware of the data breach itself. If there is a high risk of the breach affecting individual rights then you must also inform that individual straight away. So what is considered a data breach? Well according to the GDPR a data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.” To put it simply; if there is any kind of leak/loss or destruction of personal data, whether it be purposely or accidentally done, you have to inform the relevant people.
Right of Access
This one is fairly easy to understand. All individuals have the right to access and obtain their personal data. This must be free and needs to be provided within a month of the request.
Right to Data Portability
Each individual has the right to not only access their data but also to transfer and reuse this data across multiple services. According to article 20 of the GDPR this must be done in a “structured, commonly used and machine-readable format”.
Right to be Forgotten
If an individual requests to have their data erased or withdraws consent then you have up to one month to do so. There are certain circumstances where you can refuse to erase the personal data such as if the information is needed for public health purposes. It is also your responsibility to inform any third party who may have required the personal information of the individual about the request to be forgotten.
Data Protection Officers
If your company lays within the public authorities OR you require a large level of individual monitoring OR your data controllers deal with data relating to criminal offences then you will be required to assign a data protection officer. This person can be hired internally or externally but must have the relevant experience. They will be reliable for the monitoring of data, making sure your company stays compliant with the GDPR and of the training of employees. They will also be the first point of contact for both the supervisory authorities and individuals. For a full description of the data protection officer role and guidance on whether you should be hiring someone, visit the ICO’s website.
Remember how at the beginning of this article I said that the GDPR applies to all companies that process consumer data in the EU, whether or not that company is actually in the EU itself? Yeah, that’s the extra-territorial scope. The laws have always stated that any company that processes data within the EU falls under the territorial scope and this will still apply when the GDPR regulations come into play. The difference now is that the regulations will also apply to data controllers processing personal data of EU citizens outside of the EU. This has been made explicitly clear.
Privacy by Design
OK, so this is a new one for data controllers to get to grips with. Previously, although you would have to take the correct measures to ensure that personal data was protected, you wouldn’t have to actually design it. So, what do I mean by this? Basically, in short data protection must be a core consideration from the get go when designing and implementing software, not just an extra addition. Secondly, data controllers must only process data that is absolutely necessary and only store it for as long as needed.
So, these are the main areas of the GDPR that we feel to be the most important. However, every company is different and will need to make their own changes. The best way to get prepared is to take a series of self-assessments, which you can find here. You will receive guidance and advice on what your next steps of action should be, along with an overall rating.
Salesforce have provided some guidance on GDPR however there is more set to be released on 23rd May in relation to the right to be forgotten. Read the post from Pardot here.
Please note that we are not giving legal advice on this subject. We are simply conveying our understanding of the GDPR changes.