General Data Protection Regulation (GDPR) incoming 18/3
26th March 2018
GDPR becomes enforceable on 25 May 2018. Many of its main concepts are similar to the provisions laid out within its soon-to-be predecessor, the Data Protection Act 1998 (DPA). Therefore, the majority of your current DPA-compliant policies and procedures will remain valid post GDPR implementation. That being said, as outlined within this memorandum, there are a number of new elements and significant changes to prepare for.
The purpose of GDPR is to provide a set of standardised data protection laws across all of the member countries. This should make it easier for EU citizens to understand how their data is being used, and also to raise any complaints, even if they are not in the country where it is located. It seeks to give individuals more control over how organisations use their data, with the long-term aim of legally safeguarding data security rights in the digitalised world.
In preparation, firms should review their approach to governance, and how data protection is managed as a corporate matter. The key points of the incoming regulation are as follows.
Information held by the firm
There will be an increased responsibility for firms to maintain records of data processing activities. Firms will need to monitor and record all personal data held, along with details of where it came from and who it is shared with. This will affect the role that firms play within the networked world. For example, if you have inaccurate personal data which you have shared with another organisation, you will need to tell the other organisation about the inaccuracy so it can correct its records. Maintaining adequate records of all information held by your firm is therefore vital. The exercise mentioned would be impossible if you did not have on file: records of personal data held, data origin and details on who the data is shared with.
Firms should review their current privacy notices. A key element of the DPA, privacy notices provide transparency by informing individuals how firms will use their personal data. GDPR will extend requirements in regard to the content of privacy notices and there will be additional factors that firms must detail. Firms will need to explain their lawful basis for processing the data, and their data retention periods. Lastly, firms will need to include the individual’s right to complain to the ICO if they think there is a problem with the way the firm is handling their data. The ICO have stressed the requirement for firms to detail the aforementioned information in a concise and easy-to-understand manner.
Although the rights of individuals remain similar, GDPR brings some significant developments for firms to prepare for. GDPR includes the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision making including profiling
The principle underpinning the right to erasure enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
The right to data portability will allow individuals to obtain and reuse their personal data for their own purposes across different services, enabling them to move, copy or transfer personal data more easily from one IT environment to another in a safe and secure way, without hindrance to usability. To comply, firms must:
- Provide the personal data in a structured, commonly used and machine readable form
- Provide the information free of charge
- If requested, transmit the data directly to another organisation
- Consider the rights of all individuals where data concerns more than one person
In regard to individuals’ rights, firms should internally consider questions such as: Would our systems help to locate and delete data? Who will make the decisions about deletion? And, of course, how will we comply with ‘the right to data portability’ requirement?
Subject access requests
Firms should update procedures and plan how the firm will handle requests. In most cases you will not be able to charge for complying with a data request. Additionally, you will have only a month to comply, rather than the current 40 days. You may refuse, or charge for, requests that the firm deems to be excessive. Where requests are refused, you must explain to the individual why, also informing them of their right to complain to the ICO.
Firms should review how consent is sought, recorded and managed, making the appropriate amendments for GDPR compliance. Firms must obtain explicit permission to collect, process or store data, using language that clearly describes how data will be used. Under GDPR, consent must be freely given, specific, informed and unambiguous. There must also be a positive opt-in, and consent must not be inferred from silence or inactivity. In addition, consent must be use-specific, meaning that data collected for one reason cannot be used for another purpose. Organisations must also make it easy for EU residents to withdraw their consent at any time. In preparation, firms should refresh all consents where necessary, ensuring compliance with the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn.
Non-compliant organizations can be fined up to 4 percent of (global) annual sales or €20 million, whichever is greater. Fines will be levied on a tiered approach in accordance with the seriousness of the violation.
GDPR introduces a duty on all organisations to report certain personal data breaches to the ICO. Therefore, firms must have in place robust procedures to detect, report and investigate a personal data breach. Systems and controls will need to be audited and enhanced where necessary.
Firms will only need to notify the ICO where a breach is likely to result in a risk to the rights and freedoms of individuals, i.e. resulting in discrimination, reputational damage or financial loss. You must report breaches within 72 hours, if practicable. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, you will also need to make direct notifications to those involved. Failure to report breaches will lead to financial penalties.
Privacy by design and data protection impact assessments
Adopting a privacy by design approach and conducting a Privacy Impact Assessment (PIA) has long been considered good practice. However, GDPR makes privacy by design a legal requirement and data protection impact assessments (DPIA) mandatory in certain circumstances.
A DPIA is required where data processing is likely to result in high risk to individuals, for example:
- where a new technology is being implemented
- where a profiling operation is likely to significantly affect individuals
- where there is large scale processing of special categories of data
Data protection officers
The data protection officer (DPO) will hold the responsibility of compliance with GDPR and all other data protection matters. Formal designation of a data protection officer is compulsory where a firm meets certain criteria. However, even where firms do not meet the criteria, it is advisable to voluntarily appoint a DPO.
Our Compliance Team remain abreast of regulatory developments concerning the General Data Protection Regulation and are happy to advise firms on the new requirements. Book a consultation with us today to discuss your needs.
© CPA Audit LLP 2019.