Are You Ready For GDPR?
The General Data Protection Regulation (GDPR) will come into effect on the 25th of May, 2018, bringing with it a number of penalties for companies that fail to abide by its rules. These penalties can be very harsh: up to €20M or 4% of your company’s annual worldwide revenue. The European Commission (EC) has stated that no exceptions will be made after the 25th of May, and failure to comply will result in hefty fines. Despite these harsh penalties, not all companies are taking this new regulation seriously, and those that don’t will no doubt find themselves in a world of panic just before GDPR hits. Many more fail to understand the point of this new regulation and what it promises to protect. In light of this, I thought I’d give a brief overview of this new regulation and what it entails.
What is GDPR?
GDPR is a set of rules laid out by the EC which safeguards the consumer’s right to privacy. It not only applies to all EU companies, but even those outside of the EU having EU based customers. So that affects most companies, which is a good thing. The point of this regulation is to simply put into legislation a lot of common sense data security principles such as the reduction and deletion of unnecessary personal data collection, restricting access, and securing data. It also addresses the export of personal data outside the EU. Unfortunately not everyone agrees with these security principles, as some are choosing to opt out of EU markets just to escape this regulation.
Why do we need it?
It’s simple: our current laws are outdated. The EU Data Protection Directive (DPD) was adopted in 1995, just over 22 years ago. That’s only 3 years after dial-up was introduced. I think we can all agree that many things have changed since then. The way we process data in 2018 is completely different from the way it was done in 1995, so our laws need to be updated to reflect these changes. The GDPR was created to fill the massive gaps left by the DPD. Companies are collecting more data about consumers every year, some of it highly sensitive; couple that with carelessness and the result can become very dangerous.
I’m sure you remember all the controversy surrounding Equifax and its indiscretions last year: a consumer credit reporting agency which failed to secure the information of over 800 million individual consumers and more than 88 million businesses worldwide.
Last September, Equifax announced a cybercrime identity theft event potentially impacting approximately 145.5 million U.S. consumers. Information on an estimated range of under 400,000 up to 44 million British residents, as well as 8,000 Canadian residents, was also compromised.
“In today’s information economy, data is an enormous asset, but if companies like Equifax can’t properly safeguard the enormous amounts of highly sensitive data they are collecting and centralising, then they shouldn’t be collecting it in the first place.” — Mark Warner on the Equifax data breach
This is why we need GDPR. These companies must be held accountable for their carelessness when handling consumer data.
I need some definitions
The EC defines a data controller as someone who determines the purposes and means of the processing of personal data, while a data processor is someone who processes personal data on behalf of the controller. This means the company collecting consumer data is labelled the “data controller”, while the 3rd party processing the data on behalf of the company is the “data processor”.
Processing is defined as an act performed on all or sets of personal data, whether through automated means or not, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal data is defined as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
A personal data breach is defined as a security breach resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
How do we comply?
The only exception the EC makes concerns maintaining a record of processing activities under a company’s responsibility, and maintaining a record of all categories of processing activities carried out on behalf of a controller. This exception applies to enterprises or organisations employing fewer than 250 persons, unless the processing they carry out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data or personal data relating to criminal convictions and offences.
This means that all other articles enforced by the GDPR apply to everyone, so I thought I’d list a few important requirements to consider.
Art. 15 — Right of access by the data subject
This article hands the data subject, the “consumer”, the right to request and obtain confirmation of whether any personal data concerning them is being processed. If personal data is being processed, the controller must also state the purposes behind the processing and document the recipients to whom the personal data has been or will be disclosed, in particular those located outside the EU. Data subjects also have the right to know how long the controller intends to store their personal data and the reasoning behind it. Data controllers must also provide the possibility for the data subject to request the rectification or erasure of personal data, or restriction of processing of personal data concerning the data subject. If such rights are not granted, data subjects must have the right to lodge complaints with a supervisory authority representing the company, the Data Protection Officer (DPO). If automated decision making is in use, including profiling, the data subject must be made aware of this.
If personal data is transferred to a location outside of the EU, the data subject must be informed of the appropriate safeguards being taken in relation to the transfer.
All these rights granted to the data subject should be presented in the form of a privacy policy, preferably online in an easy to understand, accessible format. Tesco’s privacy policy is a leading example of the right of access for the data subject.
Art. 16 — Right to rectification
After the data subject’s request for access to their personal data is processed, if their data is found to be incorrect, they shall have the right to obtain from the controller, without undue delay, the rectification of inaccurate personal data concerning them.
Art. 17 — Right to be forgotten
The data subject may also choose to request the erasure of personal data concerning them from the controller, without undue delay. It is the data controller’s responsibility to inform 3rd party controllers which are processing the personal data of the data subject’s erasure request. An exception to this is made if the personal data is still necessary in relation to the purposes for which it was collected or processed.
The EC defines “necessary” processing as processing carried out either to exercise the right of freedom of expression and information, or to comply with a legal obligation.
Art. 18 — Right to restriction of processing
If the data subject finds that their personal data is inaccurate, that the purposes for processing are no longer relevant, or that the processing is unlawful, then the data subject has the right to request the restriction of processing. This means that such personal data shall, with the exception of storage, only be processed with the data subject’s consent, or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
Art. 20 — Right to data portability
This article lays out the data subject’s right to request and obtain from the controller the data concerning them which they have provided to the controller. This data is to be provided in a commonly used electronic form, and the data subject reserves the right to transmit it to another controller without hindrance from the controller to which the personal data was provided.
Data subjects who have been granted the restriction of processing must be informed if their restriction is to be lifted beforehand.
Art. 21 — Right to object
The data subject reserves the right to object, on grounds relating to his or her particular situation, at any time in the course of the processing of their personal data. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Art. 22 — Right to withdraw consent to automated decision making
Article 22 grants data subjects the right to withdraw consent, on grounds relating to his or her particular situation, to being subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. An exception to this is made if the decision is necessary for entering into, or performance of, a contract between the data subject and a data controller, or is authorised by Union or Member State law.
Conclusion
The GDPR simply asks that you make conscious business decisions when processing your consumers’ personal data. It may feel rather frightening at first; however, once you come to understand its importance and follow the advice laid out by the regulation, you need not worry about the heavy fines set in place. Such fines, although not to be taken lightly, are for extreme cases such as Equifax. Your local data protection regulators will most likely have some checklists you’d have to fit into somehow, but if you follow best practices, that shouldn’t be an issue.
Historically, privacy was almost implicit, because it was hard to find and gather information. But in the digital world, whether it’s digital cameras or satellites or just what you click on, we need to have more explicit rules — not just for governments but for private companies. — Bill Gates