What are the key changes with GDPR?
An expanded definition of personal data
Anything that contributes to, or can be linked with, identifying an individual is included, whether it relates to his or her private, professional or public life: a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, a computer's IP address, and both biometric and genetic data.
New and strengthened individual rights and conditions for consent
These include the rights of access, to erasure ("to be forgotten") and to data portability. Data Controllers and Data Processors have an obligation to communicate these rights clearly to the individuals they collect data from, including:
How long data will be stored for;
If data will be transferred to other countries;
Information on the right to make a subject access request;
Information on the right to have personal data deleted or rectified in certain instances;
Strengthened conditions for consent. Companies will no longer be able to rely on long, illegible T&Cs full of legalese: a request for consent must be presented in an intelligible and easily accessible form, using clear and plain language, clearly distinguishable from other matters, and stating the purpose of the processing that the consent covers. It must be as easy to withdraw consent as it is to give it.
More information on GDPR and Consent.
Greater liability
Data Controllers (businesses) and Data Processors (third-party solution providers) can now be held directly accountable and have action taken against them; for Processors this direct liability is new. Controllers will also have the right to audit Processors. Higher fines for non-compliance can be levied: up to 4% of global annual turnover or €20 million/£17 million, whichever is higher.
More information on how to work with Third Party Solution providers.
Extra-territorial effect
GDPR requirements apply if you process the personal data of individuals who are in the EU, regardless of which country you are based in, where that processing relates to offering them goods or services or to monitoring their behaviour. The test is the data subject's presence in the EU, not EU citizenship.
Risk based accountability
The requirement to notify the appropriate authority of data processing activities has been removed, but risk-based accountability now takes an important role. This will affect, amongst other things, contracts, privacy notice obligations, risk assessments and record keeping.
Breach notification requirement
A new mandatory breach reporting scheme takes effect. Where there has been a personal data breach, whether an accidental or unlawful loss, the data controller must notify the data protection authority and provide specified information within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; a processor that detects a breach must notify the controller without undue delay. Where the breach poses a high risk to the rights and freedoms of individuals, those individuals must also be notified. Data controllers must maintain an internal breach register. Non-compliance can lead to an administrative fine of up to €10,000,000 or up to 2% of total worldwide annual turnover for the preceding financial year, whichever is higher.
Data Protection Officer requirement
The DPO (Data Protection Officer) requirement applies to both controllers and processors, irrespective of company size. The Regulation requires a DPO appointment in three specific cases (more information on How do I prepare for GDPR?). Non-compliance with the DPO obligation can attract a fine of up to 2% of global turnover or €10 million/£8 million, whichever is higher. If a business concludes that it need not appoint a DPO, it must keep records of the reasons for that decision, demonstrating that all the relevant factors have been considered.
Stricter technical and organisational measures
Companies should look at existing best practices and recommendations, for example the guidance of the UK's National Cyber Security Centre or the CIS Critical Security Controls. Some examples of recommended measures:
Organisational measures:
Recruit, train and appoint a DPO, or appoint an external DPO from outside your organisation;
Embed an appropriate Risk Management Regime;
User education and awareness programs and training;
Develop a home and mobile working policy and train staff.
Technical measures:
Secure Configuration of all systems (security patches, system inventory and a baseline build for all devices);
Network Security (monitor and test security controls);
User Privileges Management (least privileges and user activity monitoring);
Continuous Monitoring and Control of all systems and networks;
Encryption;
Tokenization;
Anonymisation;
Pseudonymisation (separating data from direct identifiers so that it can no longer be attributed to an individual without additional information, such as a key or lookup table, that is held separately and protected);
Resilience of the systems and services that process personal data;
Ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
Frequent testing of the effectiveness of the security measures;
Implement privacy by design for all new technical programs and projects.
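The pseudonymisation and tokenisation measures listed above, as an added worked example in Python. This is not code from the original page; the sample records, the HMAC key and the in-memory "vault" are constructed stand-ins for what would in practice be a key held by a separate team or HSM and a separate token store. It also shows why an unkeyed hash of an email address is not pseudonymisation: anyone with a list of candidate addresses can recompute the hashes and re-identify the subjects.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Set

# Constructed sample records (not real people): direct identifiers plus the
# data the analysis actually needs. Note the two Alice records differ in case.
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "Alice@example.org", "postcode": "SW1A 1AA", "diagnosis": "asthma"},
    {"name": "Bob Example", "email": "bob@example.org", "postcode": "M1 1AE", "diagnosis": "diabetes"},
    {"name": "Alice Example", "email": "alice@example.org", "postcode": "SW1A 1AA", "diagnosis": "eczema"},
]

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(key: bytes, email: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised email address.

    Deterministic, so all records of one subject share an identifier and can
    still be linked for analysis; but without the key (the 'additional
    information held separately') a candidate address cannot be mapped to its
    pseudonym, which an unkeyed hash does not guarantee."""
    normalised = email.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: List[dict], key: bytes) -> List[dict]:
    """Return copies of the records with direct identifiers dropped and a
    keyed pseudonym added as subject_id."""
    out = []
    for rec in records:
        pseudo = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        pseudo["subject_id"] = pseudonym(key, rec["email"])
        out.append(pseudo)
    return out


def unkeyed_hash(email: str) -> str:
    """The naive approach: plain SHA-256 of the address, no secret involved."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def dictionary_attack(unkeyed_hashes: Set[str], candidate_emails: List[str]) -> Dict[str, str]:
    """Re-identify unkeyed hashes from a candidate list (e.g. a leaked or
    purchased address list). Returns hash -> recovered email."""
    found = {}
    for email in candidate_emails:
        h = unkeyed_hash(email)
        if h in unkeyed_hashes:
            found[h] = email
    return found


class TokenVault:
    """Tokenisation: replace a value with a random token and keep the
    token -> value mapping in a separately held store (an in-memory dict here,
    standing in for a vault service). Unlike the HMAC pseudonym, the token has
    no mathematical relationship to the value, so it can only be reversed by
    whoever holds the vault; the trade-off is that the vault is now a
    high-value target that must itself be protected and access-logged."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenise(self, value: str) -> str:
        # Same value always maps to the same token so records stay linkable.
        if value not in self._value_to_token:
            token = "tok_" + secrets.token_hex(16)
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return self._value_to_token[value]

    def detokenise(self, token: str) -> str:
        # Authorised re-identification only; raises KeyError for unknown tokens.
        return self._token_to_value[token]


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: held by a separate key custodian
    for rec in pseudonymise(SAMPLE_RECORDS, key):
        print(rec)
    leaked = {unkeyed_hash(r["email"]) for r in SAMPLE_RECORDS}
    print("recovered from unkeyed hashes:", dictionary_attack(leaked, ["alice@example.org", "nobody@example.org"]))
    vault = TokenVault()
    tok = vault.tokenise("SW1A 1AA")
    print(tok, "->", vault.detokenise(tok))
```

The pseudonymised data set alone does not let an analyst recover who "subject_id" belongs to; re-identification needs either the HMAC key or the vault contents, which is exactly the separation GDPR asks for. Rotating the key or vault breaks linkage with older data sets, so plan that into retention and deletion procedures rather than discovering it during a subject access request.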