In just a few weeks’ time, the General Data Protection Regulation, or GDPR, will replace the various aging data protection regulations in each EU state and reform data protection for the digital age with sweeping changes that will affect almost every organisation in Europe – and any organisation outside of the EU that deals with the personal data of EU citizens. In other words, whether you’re based in the EU or sell products or services into the EU, it’s likely that you’re going to need to comply with the new laws.
In countries such as the UK, current data protection regulations were conceived at a time before the Internet was used in the way it is today. In recent years, personal data has become a hot commodity and open to abuse. Add to this the fact that hacking and data theft have soared, and there is a clear need for the various current, often disparate legacy regulations in each EU state to be replaced by a set of EU-wide rules that aim to protect personal data in the modern Internet age. Under the GDPR, data must be “processed lawfully, fairly and in a transparent manner in relation to individuals”.
Here in the UK, the Information Commissioner’s Office (ICO) will be responsible for upholding the GDPR.
There has been lots of scaremongering about these changes and the consequences of not complying. But with some research and a little common sense, most SMEs should be able to comply with the GDPR without too many headaches. Here we look at some of the headline principles and changes that will come into force on May 25, 2018.
Personal data is defined by the regulation as any information relating to an identified or identifiable natural person, so this might include contact details, purchase histories and more. The regulation sets out several rights for individuals in relation to their personal data:
Organisations will need to ensure that clear information about how data is processed is supplied to data subjects. This will typically be through a policy such as a privacy notice or a similar document and must be concise, transparent, intelligible, easily accessible, written in clear and plain language (particularly if addressed to a child) and obtainable free of charge. The information you need to supply will vary depending on how personal data has been obtained. This write-up on the ICO web site includes a table that indicates what information must be included.
The GDPR includes two terms that you will hear a lot in relation to personal data: Data Controllers and Data Processors. A Controller is ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’. A Processor is ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.
So for example, if your company sells widgets to consumers and uses a third party marketing company to email your customers on your behalf, then with regard to the personal data related to that email activity, your company is the Controller, and the third party marketing company is a Processor.
The notion of Controllers and Processors is not new, but GDPR introduces new obligations. Under previous EU data protection directives, compliance obligations were primarily imposed on controllers. Under the GDPR, controllers still bear primary responsibility for compliance, but processors now have direct compliance obligations under the GDPR as well.
Under the GDPR, knowing when you need to obtain consent to process personal data can be difficult. Consent is just one of several lawful grounds for processing data – other lawful grounds include legal requirements, contracts (to supply goods or services, for example), legitimate interest and others – find out more about consent at the ICO web site.
The GDPR introduces an obligation on organisations to report certain types of personal data breaches to the relevant supervisory authority within 72 hours of the breach being discovered. If the breach is likely to result in a high risk to the rights and freedoms of the individuals affected, those individuals must also be informed without undue delay. All organisations must have robust breach detection, investigation and reporting procedures in place, and a record of all personal data breaches should be kept – regardless of whether there is a requirement to notify.
The GDPR ramps up the fines that could be faced for non-compliance to a whopping €20,000,000 (roughly £18,000,000) or 4% of your total global annual turnover for the preceding financial year. This has resulted in a lot of scaremongering, but it’s important to remember that these are maximum fines, and supervisory authorities will have the power to impose fines of a lower amount or take other action against non-compliance, such as issuing warnings and reprimands. A number of criteria will be considered by the supervisory authority when determining any fine, including the nature, duration and character of the infringement. They may also consider any previous infringements, the level of co-operation and the types of personal data affected.
This article just scratches the surface of some of the key principles and changes that will come into force when the GDPR becomes law on 25th May 2018. The changes affect almost every organisation that handles personal data inside the EU as well as organisations in other parts of the world that handle personal data of subjects inside the union. With just a few weeks left until GDPR comes into force, there’s no time to delay! Find out more about your obligations under GDPR at the ICO web site.
If you’re a Dynamics NAV user, contact etaCsolutions today to discuss the next steps in your Dynamics NAV GDPR compliance journey.