What is GDPR and how will it affect our organisation? These are two common questions we have been asked over the past twelve months, and rightly so. With the new General Data Protection Regulation (GDPR) coming into effect on May 25th of this year, there has been a great deal of discussion about what action needs to be taken, and by whom, in order to be compliant.
Our straightforward article casts some light on the basics of GDPR and what it means for an organisation.
What is GDPR
It is legislation which supersedes the original Data Protection Act, brought about because personal data is now used in more ways than ever before. The core principle is that data can only be gathered “legally, under strict conditions, for a legitimate purpose”. This gives people more say over how companies collect and handle their personal data and, above all, it effectively normalises data protection rules across Europe. Be aware that it introduces tougher fines for non-compliance and breaches, which become effective from 25th May 2018.
Why was it created
The current legislation is outdated (it was enacted in 1998, when the internet was fairly fledgling). GDPR aims to improve trust in how personal data is used, in order to bolster the digital economy. It also gives organisations a simpler, clearer idea of how they can use personal data.
Who it affects
It affects any organisation that stores or processes personal information about EU citizens within EU states. Let’s take two simple cases: if you own a website that collects data for newsletter purposes, or if your application requires a sign-up/sign-in, then GDPR affects you. Organisations are divided into two categories, ‘Controllers’ and ‘Processors’. It’s worth spending some time identifying which of these titles applies to you; it could be both.
- Controllers – entities that decide how and why personal data will be used. This could be an organisation that collects and hosts newsletter sign-up data. If you own or use a website or application that does this, then GDPR applies to you.
- Processors – work on behalf of controllers to process data (obtain, record, adapt and hold). This could be an organisation a controller passes data to, such as a CRM system. If you own or use a website or application that receives data from a controller, then GDPR applies to you.
Be aware that controllers are also responsible for the processors they work with. If you are a controller then you must document the processors you employ and be able to demonstrate GDPR compliance.
Things to be aware of
There are many points that GDPR covers and protects. The most obvious that will commonly apply are user identifiers such as basic information (e.g. name, address and email), web data (such as the IP address and cookies), plus any content such as political opinions or genetic makeup: effectively anything that can identify an individual in any way.
Organisations which regularly process a lot of data must nominate or employ a Data Protection Officer. Their responsibilities cover monitoring compliance and carrying out regular audits, and they are also a point of contact for customers. If there is a data breach, organisations have to tell the Information Commissioner’s Office (ICO) within 72 hours.
Individual rights
The GDPR act is designed to protect individuals’ data as well as to grant individuals a range of rights, such as access to their own data. Therefore organisations that are either controllers or processors have to allow individuals the following rights: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to automated decision-making.
As a controller or processor, be aware that an individual’s right of access is free of charge, and organisations have one month to grant any of the requests above. As mentioned previously, if you are a controller or processor you are also responsible for any third parties you pass data on to, e.g. CRM systems such as MailChimp.
Fines are heavy
We have spoken about this in a previous article, but again, it’s well worth highlighting the fines for non-compliance. Smaller offences carry a fine of €10 million or 2% of global turnover (whichever is higher), whereas greater offences carry a fine of €20 million or 4% of global turnover (whichever is higher). In our opinion the GDPR terms are deliberately quite vague, so it’s best to play it safe and make sure your organisation is covered.
What you need to do
As an organisation that either controls or processes data, or perhaps both, you will need to document all personal data that you collect and hold. This includes what the data is, where and when you got it, and who you share it with.
On top of this, you will need to actively monitor the data you hold, regularly updating your record of what the data is, where and when you got it, and who you share it with, so that it is always up to date.
It’s best practice to encrypt the data if possible.
You must ensure you are able to handle requests for information, such as a request from an individual. It’s advisable to outline a process for handling this type of request, including checking that the requester is who they say they are (so as to avoid social engineering).
Individual data must be stored in a common format (e.g. CSV) so you can pass it on if requested, and it must be deleted if requested. Note that simply turning off or deactivating an individual’s profile will not suffice. Data must also be deleted once it is no longer required.
Organisations must ensure privacy notices explain the lawful basis for collecting data, what the data retention period is, and that users can exercise their rights. You must also ensure user consent is given via a ‘positive opt-in’; this means you can’t infer it from silence or from pre-ticked boxes. You must also provide a clear, easy mechanism for opting out.
It’s advisable to consider sending out a ‘re-permission’ correspondence to let existing users know of the changes that are happening. In addition, it’s advisable to carry out a Data Protection Impact Assessment if you are using “new technologies” and processing a “considerable amount of personal data”; the purpose of this is to identify potential problems early and address them as soon as possible. Here’s a guide, should you need to write one.
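The request-handling steps above (positive opt-in, verified access and portability export as CSV, outright erasure rather than deactivation, and deletion after the retention period) as an added Python example. It is not code from the original article or from Browser; the in-memory user store, the 730-day retention period, the use of a form checkbox value of "on", and the sample records are all constructed assumptions for illustration.

```python
import csv
import io
from dataclasses import dataclass, asdict
from datetime import date, timedelta

@dataclass
class UserRecord:
    email: str
    name: str
    ip_address: str                 # web data such as an IP address is personal data too
    consented_on: str = ""          # ISO date of the positive opt-in; empty until the box is ticked
    last_seen: str = "2018-01-01"   # ISO date, drives the retention check

class SubjectDataStore:
    # In-memory stand-in for a controller's user database (constructed for this example).
    RETENTION_DAYS = 730  # hypothetical retention period, as stated in the privacy notice

    def __init__(self, users):
        self._users = {u.email: u for u in users}

    def record_consent(self, email: str, checkbox: str, today: str) -> bool:
        # Positive opt-in: only an actively ticked box counts; a missing field (silence) does not.
        if checkbox == "on":
            self._users[email].consented_on = today
            return True
        return False

    def export_subject_data(self, email: str, identity_verified: bool) -> str:
        # Access/portability request: return the data as CSV, but only to a verified requester.
        if not identity_verified:
            raise PermissionError("requester identity not verified")
        row = asdict(self._users[email])
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=list(row))
        writer.writeheader()
        writer.writerow(row)
        return buf.getvalue()

    def erase_subject(self, email: str, identity_verified: bool) -> bool:
        # Erasure request: drop the record outright; marking the profile inactive would not suffice.
        if not identity_verified:
            raise PermissionError("requester identity not verified")
        return self._users.pop(email, None) is not None

    def purge_expired(self, today: str) -> list:
        # Delete data no longer required, i.e. anything not seen within the retention period.
        cutoff = (date.fromisoformat(today) - timedelta(days=self.RETENTION_DAYS)).isoformat()
        expired = [e for e, r in self._users.items() if r.last_seen < cutoff]
        self._users = {e: r for e, r in self._users.items() if e not in expired}
        return expired
```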
The GDPR act’s intention is to bring an element of order and responsibility to the way data is used, giving individuals rights over their own data; the ICO’s GDPR preparation guide hosts more information on preparing your organisation. As a final note, if you are an organisation that either controls or processes data, or perhaps both, then you need to be stricter than ever on how you gather data, how you make users aware you’re gathering it, how you store it and what you’re doing with it.
You can find out more about what Browser is doing to comply with the GDPR rules in this blog post.