GDPR: How new regulations will affect your organisation from May 2018
Data privacy laws across Europe are about to receive a big update.
Published: March 22, 2018 (Updated: March 29, 2019)
In just a few weeks’ time, the General Data Protection Regulation, or GDPR, will replace the various aging data protection regulations in each EU state and reform data protection for the digital age with sweeping changes that will affect almost every organisation in Europe – and any organisation outside of the EU that deals with the personal data of EU citizens. In other words, whether you’re based in the EU or sell products or services into the EU, it’s likely that you’re going to need to comply with the new laws.
Why the need for new regulations?
In countries such as the UK, current data protection regulations were conceived at a time before the Internet was used in the way it is today. In recent years, personal data has become a hot commodity and open to abuse. Add to this the fact that hacking and data theft have soared, and there is a clear need for the various current, often disparate legacy regulations in each EU state to be replaced by a set of EU-wide rules that aim to protect personal data in the modern Internet age. Under the GDPR, data must be “processed lawfully, fairly and in a transparent manner in relation to individuals”.
Here in the UK, the Information Commissioner’s Office (ICO) will be responsible for upholding the GDPR.
There has been lots of scaremongering about these changes and the consequences of not complying. But with some research and a little common sense, most SMEs should be able to comply with the GDPR without too many headaches. Here we look at some of the headline principles and changes that will come into force on May 25, 2018.
1 - Individual rights
Personal data is defined by the regulation as any information relating to an identified or identifiable natural person, so this might include contact details, purchase histories and more. The regulation sets out several rights for individuals in relation to their personal data:
The right to erasure Each EU ‘data subject’ (or ‘natural person’, i.e. human!) has the right to request that their personal data be deleted. The regulation calls this ‘the right to erasure’ but it’s often referred to as ‘the right to be forgotten’, and it means that a data subject can request that their personal data be erased – and this includes erasure from backups too.
The right of access Under the GDPR, individuals have the right to access their personal data and supplementary information. This allows them to be aware of and verify the lawfulness of the processing. For typical requests this information must be supplied free of charge and provided within one month of receipt of the request.
The right to rectification Individuals are given the right to have their personal data rectified under the GDPR. So if data is inaccurate or incomplete, you’ll have to update it if requested, and typically do so within one month.
The right to be informed Organisations will need to ensure that clear information about how data is processed is supplied to data subjects. We’ll cover this in point 2 below (‘Transparency’).
The right to restrict processing Individuals will have the right to block processing of their data under certain circumstances. When processing is restricted, you are permitted to store the personal data, but not further process it.
The right to data portability Individuals will have the right to obtain their personal data from you and reuse it for their own purposes or with other services. The data must be supplied in a structured, commonly used and machine-readable form, such as a CSV file.
The right to object Individuals will have the right to object to the processing of their personal data under certain circumstances.
2 - Transparency
Organisations will need to ensure that clear information about how data is processed is supplied to data subjects. This will typically be through a policy such as a privacy notice or a similar document and must be concise, transparent, intelligible, easily accessible, written in clear and plain language (particularly if addressed to a child) and obtainable free of charge. The information you need to supply will vary depending on how personal data has been obtained. This write-up on the ICO web site includes a table that indicates what information must be included.
3 - Obligations for Data Controllers and Data Processors
The GDPR includes two terms that you will hear a lot in relation to personal data: Data Controllers and Data Processors. A Controller is ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. A Processor is ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.
So for example, if your company sells widgets to consumers and uses a third-party marketing company to email your customers on your behalf, then with regard to the personal data related to that email activity, your company is the Controller, and the third-party marketing company is a Processor.
The notion of Controllers and Processors is not new, but GDPR introduces new obligations. Under previous EU data protection directives, compliance obligations were primarily imposed on controllers. Under the GDPR, controllers still bear primary responsibility for compliance, but processors now have direct compliance obligations under the GDPR as well.
4 - Consent
Under the GDPR, knowing when you need to obtain consent to process personal data can be difficult. Consent is just one of several lawful grounds for processing data – other lawful grounds include legal requirements, contracts (to supply goods or services, for example), legitimate interest and others – find out more about consent at the ICO web site.
5 - Breach, breach, breach!
The GDPR introduces an obligation on organisations to report certain types of personal data breaches to the relevant supervisory authority within 72 hours of the breach being discovered. If the breach is likely to result in a high risk to those individuals’ rights and freedoms, they must also be informed without undue delay. All organisations must have robust breach detection, investigation and reporting procedures in place, and a record of all personal data breaches should be kept – regardless of whether there is a requirement to notify.
6 - Huge fines
The GDPR ramps up the fines that could be faced for non-compliance to a whopping €20,000,000 (roughly £18,000,000) or 4% of your total global annual turnover for the preceding financial year. This has resulted in a lot of scaremongering, but it’s important to remember that these are maximum fines, and supervisory authorities will have the power to impose fines of a lower amount or take other action against non-compliance, such as issuing warnings and reprimands. A number of criteria will be considered by the supervisory authority when determining any fine, including the nature, duration and character of the infringement. They may also consider any previous infringements, the level of co-operation and the types of personal data affected.
This article just scratches the surface of some of the key principles and changes that will come into force when the GDPR becomes law on 25th May 2018. The changes affect almost every organisation that handles personal data inside the EU as well as organisations in other parts of the world that handle personal data of subjects inside the union. With just a few weeks left until GDPR comes into force, there’s no time to delay! Find out more about your obligations under GDPR at the ICO web site.
About etac Solutions
etac Solutions are long established suppliers of Microsoft Dynamics NAV based ERP services. We pride ourselves in taking a different approach in order to craft the most appropriate solutions for our customers. We are a technology partner who can integrate, implement and then support your ERP solution at every step.