In May 2018, the Data Protection Act 1998 (DPA) designed to protect personal data will be replaced by the European Union’s General Data Protection Regulation (hereafter, GDPR).
The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation takes effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government, which means that it definitely comes into effect on 25 May 2018. The aim is to give people more control over how their personal data is used, because the current legislation was enacted before the internet and cloud technology created new ways of manipulating data.
Despite the fact that the UK is in the process of leaving the EU, this regulation is likely to be converted into British law by introducing a new Data Protection Act which will mirror the GDPR. In fact, “if you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit” (EU GDPR, Feb 2018).
Personal data is used in everything and by everyone, including the sales sector, customer relationship management and marketing, and therefore all businesses, charities and organisations that deal with any personal information will be affected. The changes brought by the GDPR are not to be taken lightly, and businesses must realise the impact of processing personal data and the importance of ensuring the safety and security of individuals’ privacy.
This article will discuss the most important things that you and your business, charity or any other type of organisation must know before GDPR comes into force.
What counts as personal data?
Personal data is any information that makes a person identifiable, such as name, identification number, location data, telephone number or online identifier (e.g. IP addresses).
If you think that you don’t process any personal information, then think again! Visitors to your website, people on your emailing list, the contacts you have on your phone or in your email system, clients in your CRM system, etc.: they all count as personal information.
Who must comply with GDPR?
Everyone who deals with personal information, which is actually everyone.
The GDPR not only applies to organisations located within the EU, but it will also apply to organisations located outside of the EU if they offer goods or services to EU individuals, or have EU individuals on their emailing list. It applies to all companies processing and holding the personal data of people residing in the EU, regardless of the company’s location.
Does GDPR apply to charities and other not-for-profit organisations?
Oh, yes. As said above, any organisation whatsoever that processes personal information (and that includes email addresses and phone numbers) needs to comply. All charities will have to ensure they are GDPR compliant by 25 May 2018, in the same way that they currently have to comply with the Data Protection Act (DPA).
What will be new under the GDPR?
- Consent and the Right to be Forgotten
Under the new regulations, companies will have to keep a record of every single time an individual gives consent to store and use their personal data. Consent cannot be obtained through a pre-ticked box; it will have to be an active agreement, for example having the individual sign a consent form. Note that withdrawing consent is also the right of the individual, and in the case of a withdrawal of consent the information stored must be permanently erased, not merely deleted from the system. This is the right to be forgotten, and an individual will also have the right to be informed of the reason why their data needs to be processed.
- Data Breach Notification
If a data breach is detected, the organisation must report it to the relevant supervisory authorities within 72 hours. Information about the breach, as well as a plan for how to alleviate its effects, must be provided by the organisation where the breach took place. The organisation must also inform its customers about the breach.
Personal data does not include only names and addresses. Under the new regulation it will also include IP addresses, internet cookies and DNA.
- Data Protection Officer (DPO)
It is recommended that organisations appoint a DPO, as that will be an effective way of being accountable. The DPO must be independent and will have the responsibility to address any possible issues with regard to data protection and the organisation’s compliance with the GDPR. The DPO will report directly to management if there are any concerns.
- Data Controller & Data Processor
The Data Controller is the organisation that decides why and what data to collect and process in its own company, while the Data Processor is the one that processes personal data on behalf of the Data Controller. Under the new rules, the Data Processor is also responsible for the data processed for the client, not just the client. So you’ll need to know the source of the personal data you’re working with and how any data service providers are storing it on your behalf.
- Storage Systems
From May 2018 sensitive data will be known as ‘special category data’ and you won’t be allowed to store an EU citizen’s ‘special category data’ outside of the EU. Special category data includes information pertaining to health, political or religious beliefs, so if you work with medical or health practitioners then you can’t store this data in Dropbox for example (Dropbox holds the data in the US).
Organisations can be fined up to 4% of the organisation’s worldwide annual turnover, or €20 million. These penalties push businesses and organisations to comply more closely with the regulations and give individuals stronger protection of their personal data.
Three Most Important Privacy Threats
Under the GDPR, organisations must protect private data, and any breach will be penalised whether it is accidental or malicious. The three most important threats that businesses must keep an eye on are:
- accidental data leaks: these could be simply sending an email to the wrong address or forgetting important paperwork on the bus. GDPR recommends strong internal security policy in order to tackle this.
- disloyal employees: it often happens that after they leave the firm, employees want to take revenge against the organisation and leak important information. GDPR recommends data-access policies, identity and access management controls, and tools that restrict access by user profile.
- cyber crime: theft of personal information, targeted malware, etc. GDPR recommends that organisations make sure their cyber defences prevent data from reaching the wrong hands.
So what do organisations have to do to comply with GDPR?
Firstly, organisations must raise awareness of the new regulation and train all employees in data protection. For organisations, the most important value to clients and individuals is that their privacy and personal data are protected. Businesses must make sure that all employees and volunteers understand how data moves around their organisation, as well as the importance of data protection.
Secondly, even though the rules are not that clear yet and it may take a year before they are set in stone, start now by doing whatever you can, as it will be one less thing you’ll have to do later.
Here are some recommendations:
- If you haven’t registered with the Information Commissioner (ICO) yet, then you must do that as soon as possible. It costs just £35.
- Encrypt your hard drive and mobile phone.
- Don’t share logins.
- Encrypt emails when sending information like passport details.
- Enable double opt-in if using Mailchimp for your emailing list.
- Disable ‘Reply to All’ in your email agent to avoid ‘sharing’ confidential information by mistake.
- Stay informed.
Security of personal data is one of the most important things for organisations to consider. It is not only about complying with a few rules. It is about protecting and caring for customers, as well as ensuring the company’s reputation as trustworthy and professional, which in turn will protect the future of the organisation. The changes brought by the GDPR might seem frightening, but there is nothing to worry about. These changes are a good opportunity for re-organising and addressing any gaps in order to ensure that your organisation is fully protected against leaks, threats and breaches of the law.
In fact, data privacy is a good thing, because it also means that your data and my data as individuals are being protected.