18. What is a DPO?
24. Three GDPR Myths
The GDPR is a new European Union (EU) legislation that will become directly applicable to its Member States, including the UK, on the 25th of May 2018. It is a regulation by which the European Parliament, the Council of the EU and the European Commission intend to strengthen and unify data protection for all individuals within the EU.
In essence the new law takes the existing approach to data protection and strengthens it.
The EU wants to give people more control over how their personal data is used. The current legislation was implemented before the likes of cloud technology was used extensively, meaning it is now pretty much obsolete.
The EU also wants to give businesses an easier way to operate making data protection legislation identical throughout the single market.
The current law applicable in the UK is the Data Protection Act of 1998 (the DPA). The DPA is now considered outdated and will be completely repealed by the GDPR.
Organisations should be prepared to make changes to their processes as the GDPR comes into full swing. They shouldn’t feel like the plans they’ve put in place initially are set in stone as they will most likely change as we all settle in with the new rules. Like any new piece of legislation things will take time to catch up and for “teething problems” to be ironed out. Organisations need to stay on top of personal data and make sure all employees that handle data are informed of new processes and upcoming changes.
Many European countries already have their own robust data collection and storage laws, but the GDPR’s purpose is to make safeguarding users’ data stronger, easier, and more uniform across the European Union’s 28 member states.
This makes it easier for European consumers to take a more proactive role in how data about themselves is shared and retained by private enterprises, and also offers businesses overseas a single regulatory framework to which they must adhere, rather than the patchwork of various laws and protections currently in use across the EU. This could be a considerable benefit to companies that market to several EU member states, as the GDPR will supersede any and all existing data privacy and protection laws currently upheld by the EU’s member states.
Virtually all data pertaining to individuals residing in the European Union will be protected by the GDPR. This includes not only uniquely identifying information (such as identity documents like Passport numbers) but also information routinely requested by websites, including email addresses, individuals’ home addresses, dates of birth, and online financial information including online transaction histories.
However, that’s not all the GDPR is intended to safeguard. The legislation also protects user-generated data such as social media posts (including individual tweets and Facebook updates), as well as personal images uploaded to any website. The GDPR also covers medical records.
Essentially, the GDPR protects any and all personal user data across virtually every conceivable online platform.
If you answer YES to any of the questions below, then you should comply with GDPR.
· Do you collect data from your customers?
· Do you collect data from your employees?
· Do you process digital payments? (Credit cards)
· Do you reach out to customers, partners or employees by email?
· Do you reach out to customers, partners or employees by mail?
· Does your company reach out to customers, partners or employees by telephone?
· Does your company send products to customers, vendors or partners by post or email?
If you haven’t already put plans into place you should be looking to urgently start reviewing your internal processes. In the ICO’s own words: “For those that still feel there is work to be done [… we] want to reassure you that there is no deadline. 25 May is not the end. It is the beginning.”
In Article 3 of the GDPR, it states that the General Data Protection Regulation applies to all 28 EU Member States and to companies and organizations outside the EU, as far as the processing of data concerns EU citizens.
It does not matter if the person is in the EU in the short or long term. Also, it does not matter what kind of service or product companies or organisations offer. The only decisive factor is whether personal data on EU citizens is collected and processed.
The GDPR does not differentiate between B2B (business to business) and B2C (business to consumer), it applies equally to both. The background to this is that the General Data Protection Regulation applies to the protection of individuals rather than legal persons.
In short, no. Consent is one lawful basis for processing, but there are five others. Consent won’t always be the easiest or most appropriate.
You should always choose the lawful basis that most closely reflects the true nature of your relationship with the individual you are dealing with and the purpose of the processing. If consent is difficult, this is often because another lawful basis is more appropriate, so you should consider the alternatives.
It is your responsibility, as a Data Controller, to identify a lawful basis for processing under the GDPR.
Personal data refers to any information related to a data subject, that can be used to directly or indirectly reveal his/her identity.
Sensitive data refers to information related to the data subject’s fundamental rights, intimacy, and free will. Examples of these are health records, religious beliefs, political opinion, biometric data or genetic data.
No, the new regulation includes all existing and new data and applications. That means that compliance with the regulations must, therefore, be checked for all – old as well as new – processing.
Failure to comply with the GDPR carries heavy penalties.
The first step of the process is a formal written warning, which can be issued to a company even in cases of unwitting violations; ignorance of the law is not a valid excuse for breaking it. The next stage of punitive actions can force companies in violation of the GDPR to undergo regular periodic data audits to ensure compliance.
For companies that still haven’t complied, firms that are found to have breached or violated any part of the legislative package after initial sanctions, can be fined.
Fines under the GDPR are up to a maximum of €20 million or 4% of annual worldwide turnover, whichever is greater (Article 83 (5)). But more importantly, any fine would be likely to give rise to a loss of public trust, attract media attention and thereby inflict considerable reputational damage to a company. Therefore, it is important organisations ensure their compliance.
When the GDPR goes into effect in May 2018, it will become one of the most robust consumer data protection initiatives in the world – if not the most. As a result, companies should expect the regulation to be rigidly enforced.
Although you may not be legally required to hire a dedicated Data Protection Officer, you absolutely MUST comply with the GDPR regulation if you collect, store, or process data from any EU nationals, regardless of how many. Failure to do so may result in the kind of penalties detailed above.
The GDPR strengthens the controls that organisations (Data Controllers) are required to have in place over the processing of personal data.
The most common impacts are:
· Organisations are obliged to demonstrate that they comply with the new law (the concept of ‘accountability’).
· There are significantly increased penalties possible for any breach of the Regulation – not just data breaches (see above).
· There are new legal requirements for security breach notifications.
· Charges have been removed, in most cases, for providing copies of records to patients or staff who request them.
· There are new requirements to keep records of data processing activities.
· Specific requirements for transparency and fair processing have been introduced.
· Rules where consent is the basis for processing have been tightened.
Some of these requirements should already be established good practice but going forward the GDPR require organisations to take specified actions, and have evidence to demonstrate that they have done so.
The ICO, Information Commissioner’s Office have published and will continue to publish guidance to assist organisations in understanding how to comply with data protection reform (i.e. GDPR). You can visit the ICO’s website for further information and sign up to their newsletters.
Organisations should undertake a thorough review of the GDPR requirements, to ensure they are compliant. This is especially important as areas which were good practice are now legal requirements (e.g. the Data Protection Impact Assessment – see below).
Other issues to think about include the information provided to data subjects. Most organisations should provide privacy notices to their data subjects as standard which explains what they use personal data for and why etc. The ICO have published a code of practice on what should be included.
A DPIA is a mechanism for identifying, quantifying and mitigating data privacy risks. It is undertaken to ensure appropriate controls are put in place when any new process, system or ways of working involving the use of high risk processing (such as processing “health data”) is introduced.
The completion of a DPIA will help to minimise the chance that any new process, system or way of working will present a high risk to the rights of individuals through a failure to comply with the GDPR.
A DPO is a Data Protection Officer. The GDPR requires some organisations (like public authorities) to have a DPO. A DPO’s role is to inform and advise their organisation(s) about all issues in relation to GDPR compliance. The DPO will also be responsible for monitoring the organisation(s) compliance with the GDPR.
The DPO reports directly to an organisation’s highest management level and may not be disciplined or dismissed for carrying out their tasks as a DPO.
Organisations must ensure that the DPO role is independent, free from conflict of interest. DPOs may be shared by multiple organisations that are ‘public authorities’ taking into account organisational structure and size, and may be either a member of staff or may fulfil the tasks on the basis of a service contract, provided there is no conflict of interest.
You may have a legal obligation to hire a Data Protection Officer (DPO) to ensure compliance with the GDPR. However, there are exceptions. You only have to hire a DPO if:
Your organization is a public authority (i.e. a company that exercises control over the maintenance of public infrastructure or has broad powers to regulate public property)
Your organization is engaged in large-scale systematic monitoring of user data
Your organization processes large volumes of personal user data
Unfortunately, the official text of the GDPR as it stands today is unclear regarding the definition of “large-scale” data processing. There is some guidance provided in earlier legal texts (Recitals) stating that if the processing is a realistic manageable workload for one professional, it could be argued that it isn’t “large scale”.
Companies must ensure that data is adequately protected to prevent loss or theft. Where a breach has taken place, companies may need to notify individuals as well as face negative impact on the company’s brand and customer loyalty.
It is possible to minimise the risk of data breaches by following a number of best practices:
– Up-to-date Security Software (Ensure software is updated and patched regularly to avoid weak spots for hackers to exploit).
– Regular Risk Assessments (Carry out vulnerability assessments to review and address any changes or new risks in data protection. Consider all aspects, such as data storage and remote access for employees, and ensure that policies and procedures are adequate.
– Encryption and data backup (Personal data should at least be encrypted, including on work laptops issued to staff. Instead of using backup tapes that can be lost or stolen, data can be backed up to remote services using the Internet.
– Staff training and awareness (Train staff to follow best practices, be aware of the importance of data security and how to avoid mistakes that could lead to breaches. Awareness of sensitive data and security should be a part of the company’s culture).
– Ensure that contractors and partners maintain high data protection standards (when working with other companies that may be handling your customers’ data, make sure that they also have adequate systems in place to protect data)
No, companies that rely upon cloud-based storage providers will not be exempt from the GDPR. This means that if your company uses Amazon Web Services, Google Cloud, or Microsoft Azure, you will not be able to blame Amazon, Google, or Microsoft for failure to comply with the GDPR.
Brexit isn’t really going to change anything and compliance is a must.
There is cross-over period between the GDPR coming into force and the UK exiting the EU. The UK will need to comply with the Regulation while it is still a part of the EU. The GDPR was approved in 2016 and will become directly applicable as law in the UK from 25th May 2018.
The General Data Protection Regulation will still apply to all companies with EU citizens as customers. It has an extraterritorial effect, so non-EU countries will also be affected. Even though the UK is planning to leave the EU, the UK will still need to comply with the GDPR. Great Britain’s forthcoming exit from the European Union will have absolutely no impact on the EU’s expectations for GDPR compliance whatsoever.
The current Data Protection Bill, which will become the Data Protection Act 2018 (DPA18), fills in the gaps with the GDPR, addressing areas in which flexibility and derogations are permitted. The GDPR will not be directly applicable in the UK post Brexit – it is expected that the DPA18 will ensure continuity by putting in place the same data protection regime in UK law post-Brexit, to create a data protection regime in the UK equivalent to that introduced by the GDPR.
Understandably with a new high-profile law, myths have developed and been mixed with the truth about how the law will be applied and the consequences for individuals and organisations. Below are three such myths.
MYTH 1: Everything has to be sorted out and perfect for 25 May – FALSE
Two quotes from the Information Commissioner Elizabeth Denham’s blog best addresses this: “GDPR compliance will be an ongoing journey”; and “… if you can demonstrate that you have the appropriate systems and thinking in place you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world”.
MYTH 2: Consent is needed for all processing of personal data – FALSE
The GDPR sets a high standard for relying on consent, especially where that data is health related. However, it also provides many alternative conditions that can be relied on instead of consent.
MYTH 3: The Information Commissioner’s Office (ICO) can levy fines of up to £17 million – TRUE
However, the ICO has been a pragmatic and constructive regulator. It is likely that large fines will only be used where organisations wilfully ignore their obligations and put data subjects (e.g. patients/individuals/citizens) at risk of harm because of their lack of legal compliance. As the Information Commissioner has said: “Issuing fines has always been and will continue to be, a last resort.”
For direct marketing communications, the main principle of the GDPR is that such communications are allowed under user consent (i.e. the user has actively agreed to such direct communications). Also, a “soft opt-in” option is in place for existing customers where they can be contacted for similar products or services as long as an opt-out is guaranteed.
The definition of direct marketing is facing criticism for being too broad in meaning. There are widespread concerns surrounding the impact on B2B marketing (business to business) where less stringent measures need to apply to preserve organisations’ opportunities to operate in the corporate world. Currently, marketing to limited or public limited companies is carried out on an opt-out basis in the UK. Restricting B2B marketing to a prior opt-in consent would prevent businesses communicating and seriously impinge their ability to sell their goods and services.
The ePrivacy Regulation (due out later in 2019) will decide how B2B direct marketing is regulated.
Whether you are a parent, school teacher, club coach or healthcare professional, we’d love to hear about how we can help you. If you’d like to get involved with Return2Play or learn more about how we can tailor our solutions bespoke to your needs, then please get in touch.