We all know the Data Protection Act and think that the GDPR is not going to be that different, some people think that it is just some bureaucrats in Brussels tinkering around and trying justify their salary.
BUT: If you are of this mindset stop, look in the mirror and say very slowly “this is the biggest shake up of privacy law and protecting the rights of individual’s privacy…. Ever.”
Potential fines of £20 Million or 4% of global turnover – whichever is higher!
Make no mistake these regulations have teeth! Attention grabbing headlines and crippling fines are on their way and we are increasingly seeing regulators with an appetite to prosecute and police personal information security infringements. Facebook were recently fined £94.4m for providing misleading information over its purchase of messaging service WhatsApp. Facebook automatically matches user accounts between the two platforms and had previously stated this could not be done but in August of 2016 WhatsApp started sharing users’ personal information data with Facebook including phone numbers – major breach!
You may have also heard of the right to be forgotten (“Right to Erasure”) as it has been publicised quite widely but here are a few nuggets you might not have heard of to get you thinking about your GDPR gap analysis.
To Consent or Not to Consent what’s the answer?
The answer is AFFIRMATIVE ACTION.
Make sure you get consent and the person knows exactly what they are signing up to. Your explanation needs to be clear, accessible and unambiguous. Consent in many situations will need to be granular. If you are processing data for more than one reason consent must be given for each of the purposes that you are going to be using the data for. The act of giving consent needs to happen by an affirmative action and you must never assume that consent has been given.
If the data subject wishes to change their mind and withdraw consent they can. You need to make this process nice and easy. Don’t forget while you are collecting consent you will need to make sure that you can evidence that consent was given for the processing or you will become a 4%er.
Everyone loves free stuff!
Expect to see an influx of Subject Access Requests because they are now free (Remember to read the T&C’s certain restrictions apply). Subject access requests allow the person (data subject) to requests and be provided with the personal information that you hold on them.
What data counts?
Most data you collect will fall into the “personal data” category which is protected by GDPR
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; This includes name, address, and online identifier such as an IP address.
It’s your responsibility Mr Data Controller
The data controller determines the purpose and means of the data that is collected from the individual and the processing that takes place. The controller is liable for any data breaches, even if that breach occurs with the data processor. Key point: make sure that as the data controller you have a written contract with the data processor and there is a clawback provision written within the contract.
Your storing my data with who?
A Data Processor is a person, public authority, agency or any other body that processes data on behalf of the contracted agreement with the controller. Processing activities even include the storage of the data. Do you know the sovereignty of where your data is stored? If not a Data Inventory might be a good idea.
The global data protection regulation.
If you are handling personal data of EU citizens and your organisations is established outside of the EU, you are well within reach of the GDPR and must comply with the regulations. This includes the requirement to have a named and registered EU based representative.
Notifications of data breaches to the ICO or your local supervisory authority must be within 72 hours. Just hope it’s not Easter Bank holiday. The 72 hours is 72 hours and not 72 working hours.
You need to ensure the Confidentiality, Integrity and Availability of the information that you hold. GDPR describes this as “appropriate technical and organisational measures” I would recommend looking at implementing ISO27001. Although this is not a requirement of GDPR it is an international recognised standard in information security management. If you decided to be certified to ISO27001 use an official UKAS accredited organisation, a list of these can be found here https://www.ukas.com/list-all-organisations-category/?org_type=&org_cat=184
It’s your responsibility
Accountability runs throughout the whole of the GDPR regulations and you must comply with the six data processing principles. No excuses. Chris is working hard with the IT and Compliance team at Agenda to ensure that we are ready to meet and exceed all our information security commitments, GDPR will be implemented in May 2018 will you be ready too?
Here are some useful resources to get you started: