Midshire partnered with international digital security giant Gemalto to raise awareness of the General Data Protection Regulation (GDPR), which is being introduced on May 25 2018.
A purpose-fitted double decker bus toured the country between May 23 and June 8 to help companies across the UK prepare for this new EU data protection regulation. Dubbed the GDPR Clinic tour, the bus stopped at nine key locations between York and London.
The GDPR is a new set of obligations from the European Parliament for businesses on issues related to the data protection rights of all European Union (EU) residents. The new regulations cover breaches and breach notification, consent, and the right to be forgotten, to name just a few.
Companies based in the EU already adhere to legislation in each member state that is consistent with GDPR’s predecessor, the Data Protection Directive (DPD) of 1995. However, the significant changes introduced by GDPR can result in hefty fines for organisations found to be non-compliant. Overall, the new protections for EU nationals have been created to establish a more harmonised level of data protection throughout the whole of the Union.
According to John Kay, Technology Sales at Midshire, GDPR will affect every UK organisation that processes the personal data of EU residents. He said that Gemalto’s GDPR Clinic is a really innovative way of giving organisations concerned about data protection an opportunity to brush up on the new regulations, and to learn how the changes might require them to refresh their internal policies.
Here, Kay answers some frequently asked questions about GDPR.
Q: So what counts as a breach?
A: Under both GDPR and its predecessor, ‘personal data’ means ‘any information relating to an identified or identifiable natural person’ (the ‘Data Subject’, i.e. the person the data belongs to). The new law also gives a lengthy definition of what a personal data breach actually means, defining it as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’
Now, the fact that this new definition is so long means that businesses cannot afford to have unclear internal policies on data protection, as the new definition has vastly increased the scope of data protection law.
Q: How will Brexit affect GDPR?
A: In a nutshell, not at all. When GDPR comes into effect on May 25 2018, the UK will still be a part of the EU and will remain in it for almost a year until leaving the Union on March 29 2019.
I think that the uncertainty of Brexit has caused many businesses to take their foot off the gas when it comes to EU Parliamentary law, but really businesses should be striving to keep up-to-date with the latest policies.
The UK government has also shown its intent to fully integrate GDPR policies in the UK, even after Brexit. It is likely that the main reason for this is to ensure a smooth negotiation process on Britain leaving the EU, and a continued free flow of data between EU member states and the UK. The free flow of data is particularly important today, because it is crucial for data to be shared between countries for security purposes.
Additionally, it would be ideal for the UK to remain a force and beacon for other countries to look to when it comes to the data protection of its citizens by setting a high standard for such protections.
Q: What do I need to do if a breach occurs?
A: In the unfortunate event of a breach of personal data, the Data Controller (the organisation that collects a person’s data) must report the breach to the supervisory authority in the member state where the company’s main activity resides.
The supervisory authority is a newly formed administrative body that will be founded in each member state to manage the data protection of that country’s citizens. The breach must be reported within 72 hours, and if it’s late then reasons should be provided.
The data subject must also be informed straight away. Interestingly, if the data has been manipulated, for example if the data is unrecognisable and will not be traceable back to the data subject, then the data subject doesn’t have to be informed, but the breach still has to be reported to the relevant supervisory authority.
Q: What will happen if I’m found to be non-compliant?
A: Remarkably steep fines. The new sanctions that can be imposed on non-compliant businesses include:
A written warning in instances of first and non-intentional non-compliance
Regular and thorough data protection audits
Most repeat breaches will result in a fine of up to €10,000,000 or up to 2% of annual worldwide turnover, whichever is greater
Breaches that the European Court has deemed more serious, for example breaches in consent or international data transfers, would result in a fine of up to €20,000,000 or up to 4% of annual worldwide turnover, whichever is greater.
So it really is in a business’ interest to be prepared for 25 May 2018.
Q: What should I be doing now?
A: Raising awareness. The deadline for GDPR is ever approaching, so your first action should be to raise awareness of GDPR internally, making sure that your employees fully understand what and how a data breach can happen, and the fines that could occur. You should also make a comprehensive document of what data you hold, how it is gathered and how it is stored.
An important aspect of GDPR is consent, so reviewing how you are obtaining and recording consent from individuals should be a priority, discussing whether any changes need to be made. Consent from minors is also important here; you should start thinking about verifying the age of individuals and whether you need to get consent from a parent or guardian for the processing of the minor’s data.
You should also ensure that you have the right procedures in place to detect, report and investigate personal data breaches. GDPR now states that all businesses should appoint a data protection officer within their organisation to take responsibility for data protection compliance. If a business works internationally, then these companies should determine which supervisory authority they will be operating under.