1 What is covered
In a nutshell, anything and everything you hold about a person that can be identified by name, user ID etc., or by inference through other linkages such as genetic, financial, geographic, IP address, RFID tag, social identity, etc. It is aiming to cover “Personal data” of an “Identifiable” individual – and that is regardless of whether it is a domestic or business relationship.
So, step one is to work out what data you hold and how it can be accessed or brought together. Step two is to decide whether you really need to retain it, and if you do, how you are going to make your life easier by documenting where it all is and how you get it all out if you need.
Do you have the person’s consent? If so, how was it given and when? If you are challenged with a personal data request you must be able to justify why you hold it (that you have a genuine business need) and how it came about. The new GDPR does away with any charges you could make for personal data requests and places a deadline of 72 hours in which to respond – we doubt that is working hours – so a Friday afternoon request needs to be fulfilled by Monday afternoon!
3 Data subject rights
Right to obtain
Much as already in the Data Protection Act, but affecting any identifiable individual, and includes:
- confirmation that their data is being processed;
- access to their personal data; and
- other supplementary information – this largely corresponds to the information that should be provided in a privacy notice
Right to rectify error
Existing right continues, and is obvious. There may be some exceptions to this where a correcting comment may be added instead of a change (medical or credit reference records).
Right of objection, access, or restricting processing
These were all in the previous legislation but have now been enhanced. The processing elements relate to restrictions on how the data is processed but also specifically to stop automated processing and profiling.
Right to be forgotten, to data portability and transparency. “Forgotten” this time means erasure, though there are obviously circumstances where that is not completely possible – maintained financial records for tax purposes, etc. Data portability is subject to further clarification and is complex when allied to geographic restrictions.
Erasure is in specific circumstances – when the data is no longer required for the purpose for which it was collected, if it was processed unlawfully or consent is withdrawn, but only then when no other processing requirement exists (e.g. finance records).
4 Breach notification
The rules apply equally to the data processors as to the controllers – so if your data is in a sub-contractor’s or service provider’s control and they have a breach, it is for them to tell you as the controller and then for you to inform the “supervisory authority”. You have 72 hours in which to do that unless the breach is unlikely to result in any risk to the data subject – that in our view is a loophole some will use.
All breaches are to be recorded, whether notifiable or not, so that a “supervisory authority” can request access at any time.
5 Enforcements and fines
This is where it gets serious. There are two broad categories of breach where the fines are concerned and the full clarification is yet to be defined, but for the worst, culpable or negligent breach where data subjects are affected, we are looking at €20 million or 4% of the previous year’s global group turnover (whichever is the higher). For lesser breaches, it may be €10 million or 2% of turnover, again whichever is the higher. The turnover limit relates to the previous year’s global turnover of the group of companies. Sanctions are to be effective, proportionate and dissuasive.
But it doesn’t stop there. Although the legislation tried to bring any breach under the control of a single “supervisory authority”, it failed, and so each EU country can react to it separately and individually. Further it will be significantly easier for an individual to take private action against processors and controllers – including rights to claim damages even where there has been no monetary loss.
6 Documentation and processes
You need to be able to demonstrate you are compliant with the GDPR through your staff education, documented processes for managing data, for retrieving it if asked and for undertaking the “right to be forgotten” where applicable.
You must also be able to demonstrate your internal processes for protecting the personal data from external and internal threats, both online and offline. And don’t forget that the Safe Harbour arrangements for storing data outside of the EU no longer apply. Know where your data is at all times (think of your cloud services), where your processors are holding it, where backups go and if any off-site backups are taken of that.
Cover the four types of vulnerability:
- natural disaster – should be documented in your business continuity plan
- external malicious attack – from simple hack of a website through to personnel records
- internal malicious attack – disgruntled employee, etc.
- errors – human or just malfunction
Where are you up to with your preparations?