From 25 May 2018, the European Union will apply the General Data Protection Regulation (GDPR).
The new regulation, which will be adopted into UK law regardless of Brexit, is the most significant change to data protection law in decades and will have far-reaching implications for businesses, charities and public sector organisations of all sizes and types.
The GDPR will fundamentally change how organisations capture, use, store and manage data. It will require many organisations (potentially involving functional teams across IT, marketing and management) to take specific steps concerning protection and privacy of customer details.
While mainly aimed at harmonising data privacy regulation across the EU, the GDPR also has the potential to disrupt business operations for organisations that do not take the necessary steps or make the required preparations.
Key Aspects of the GDPR
Essentially, the GDPR is intended to protect the data of consumers and businesses who provide their details to third parties, by mandating the steps and processes that the receiving organisations must put in place.
It’s worth glancing through the following highlights to see which ones apply to your organisation.
1. Inclusion of mandatory privacy impact assessments (PIAs)
The inclusion of mandatory PIAs is primarily influenced by the Information Commissioner’s Office, which has a strong history of working with PIAs. With the GDPR in place, data controllers are required to conduct such assessments to minimise data breach risks.
The ICO provides a helpful description of a PIA on its website, calling it “a process which assists organisations in identifying and minimising the privacy risks of new projects or policies.”
It goes on to state that organisations which conduct a PIA will benefit because the privacy policies and systems they use will improve – thereby strengthening the relationships they have with their customers.
2. Further widening of the definition of ‘personal data’
Though the definition of personal data is already broad, the GDPR is set to widen it even further by including new kinds of data such as social, economic, cultural, mental, and genetic information.
3. Mandatory appointment of a data protection officer (DPO) for certain businesses
Public authorities and organisations processing personal information are required to appoint a DPO to help ensure systems, activities and processes conform to the new policies by design.
This is especially important when an organisation’s operations involve large-scale systematic monitoring of individuals or organisations.
4. Stronger policies for obtaining consent to use personal data
Under the GDPR, companies that collect personal information must be able to demonstrate that they obtained clear, simple and affirmative consent to process such data.
For example, an insurance company needs to state clearly why they collect sensitive information from their clients and how they intend to use such information.
5. Unified pan-European data breach notification requirements
EU member states currently have differing data breach notification laws; with the implementation of the GDPR these will be harmonised. This also means organisations will need to monitor continuously for data breaches so that they can meet the notification requirements.
6. Application of the right to be forgotten
One of the most restrictive data-handling principles the GDPR enforces is one that requires businesses not to hold any personal information longer than necessary.
This “right to be forgotten” principle also requires that data should not be used in a different way than originally agreed and must be deleted at the request of the individual or organisation.
7. Application to all companies processing personal data of EU citizens
Using the “one-stop shop” concept, the GDPR applies to all companies around the world that process personal data of EU citizens, making it the first global data protection law.
Steps That UK Businesses Should Take
Because the GDPR requires data protection policies to be in place, organisations must document their privacy safeguards and address every material issue relating to personal information. Without this, compliance with the new regulation is impossible.
Here are the recommended steps that UK businesses can take to address GDPR requirements:
1. Understand file content. The regulation requires that the contents of internal data be identified, i.e. companies should know where their data resides, what it is and what it contains.
2. Handle information requests properly. Organisations processing personal information should understand that their customers have the right to request access to their data, and should be well prepared for this. Where required, they must be able to provide customers with the information they may need, such as how their data is accessed, who has access to it and why it is accessed.
3. Map data. Organisations (and their DPO if appropriate) must know the location and content of data the organisation is holding and processing in order to comply with GDPR requirements. In order to do this it must carry out data mapping. Note that any data stored by a third party, such as a data archiving company or cloud service provider, is also subject to the GDPR regulations.
4. Obtain consent when collecting personal data. A key requirement of GDPR is for data processing entities to gain specific consent before obtaining, storing or using personal information. In addition, the new regulation honours the Right to be Forgotten, which means that information must be explicitly deleted upon request of the true owner.
5. Implement protection against security breaches. UK companies must make every effort to secure data against compromise by outside entities. This will mean deploying and/or increasing cyber security systems to prevent data from being hacked, appropriated or stolen. It is also incumbent upon organisations to be aware of data loss or theft events, and to notify those that will be primarily or indirectly affected.
6. Enforce retention schedules. To be fully compliant with the GDPR and Information Governance (IG) rules, businesses should have an efficient means of disposing of data that falls outside the applicable document retention schedule.
What This Means for IT Teams
As the GDPR generally affects how electronic data is handled, it has specific implications for IT teams, IT functions or individuals responsible for IT at all types of business.
To ensure compliance with the new rules, IT teams should:
+ Rethink sign-up procedures in order to obtain more explicit and clear consent, using a sign-up process and configuration settings that meet the consent requirements of the GDPR.
+ Ensure data portability by adopting commonly used standards. Ideally, IT teams should implement open standards for exporting personal information and make their services accessible through a well-designed application programming interface.
+ Redesign data security and encryption systems. IT teams should consider processes, systems and technologies that adhere to the principles of data protection.
+ Ensure data mapping is adequate. If it is not, work with the wider team to update it and create a comprehensive data management plan in line with the GDPR principles.
Complying with the stringent requirements of the GDPR is not easy. But with proper planning, you still have time to address the many complex issues before the new regulations come into force next year. Alliance Solutions can help. Contact us today for more information!