Edited and prepared by Oscar Michel, Masters in Journalism, DCU
Interesting guest post by Siobhan Gallagher, SaaS sales leader with over 20 years' experience, passionate about tech, all things InfoSec and growth-hacking. She is an OWASP (Open Web Application Security Project) Chapter Leader in Belfast and is proud to have been involved with the most successful AppSecEU Conference to date. She is also involved with Young Enterprise NI and sits on the Executive of Women in Technology, actively encouraging girls and women to get involved with technology and come to work in the sector. When not getting nerdy about GDPR and data breaches, she likes nothing more than a good cup of tea. You'll usually find her at a local techy meetup.
You may have heard that GDPR enforcement is coming! But unlike the Y2K bug, to which it is sometimes compared, GDPR already exists and it isn't going away. So, if you haven't thought about it yet, or think it doesn't apply to your business, read on.
The EU General Data Protection Regulation (GDPR) came into effect in April 2016. Enforcement of the Regulation will start in less than a year, on 25th May 2018. It is the most comprehensive overhaul of data protection regulation to date, bringing it into the digital age to cover the internet and digital technologies. It replaces the individual local data protection laws based on the former EU Data Protection Directive and will effectively become the lowest common denominator for data protection regulation. It gives the data subject increased control over their data, and if you're an EU citizen, "data subject" means you. In effect, it will be privacy by design.
GDPR will mean extensive compliance obligations for organisations. If your organisation processes, holds or monitors personal data relating to EU citizens you need to be compliant. If not, you could face fines of up to €20 million or 4% of the global turnover of your organisation.
Unlike previous legislation, this will impact organisations globally, wherever the data is held or processed. Non-EU businesses processing the personal data of EU citizens will have to appoint a representative in the EU. 'Personal data' covers anything from a name, photo, email address, bank details, employee details or customer lists to an IP address.
With less than a year to enforcement, what are the changes you need to be aware of?
- Consent: Asking for consent should be separate from other terms and conditions and written in plain and clear language. Pre-ticked boxes are not a valid form of consent. Individuals should be clear on what they are consenting to.
- Breach: It will become mandatory to notify breaches within 72 hours of first becoming aware.
- Right to Access: Individuals can ask for confirmation as to whether personal data relating to them is being processed, where and for what purpose. Data controllers will have to provide a copy of the personal data, free of charge, in an accessible, electronic format.
- Right to be Forgotten: Data subjects will be able to have the data controller erase their personal data, halt dissemination of the data and potentially have third parties halt processing of the data.
- Data Portability: Data subjects will have the right to receive their data and transmit it to another data controller.
- Privacy by Design: It will become a legal requirement to include data protection from the onset of designing a system, rather than a later inclusion. Controllers should only hold the data they need for processing and limit access to those involved in the processing.
- Data Protection Officers: The appointment of a DPO will only be necessary for special categories of data controllers and processors whose core activities consist of processing operations. However, there are specific requirements for DPOs, giving them enhanced authority within an organisation.
So, what do you need to do?
- Assess the data-landscape of your business to determine exactly what data you hold, whether that is employee, end-user or customer data.
- Establish how data was obtained and whether fully informed consent was given. Remember, if you can't prove consent, you don't have consent. The UK pub chain J D Wetherspoon has gone as far as deleting its existing customer database and starting from scratch in order to be GDPR compliant.
- Determine your legal basis for processing personal data.
- Create a data-processing register, detailing how data is stored and transferred, what it is used for and who has access to it. This includes third party suppliers such as Cloud Service Providers.
- Be able to recognise and respond to requests from data subjects, for example, the right to object or the right to be forgotten. All processes must be clearly documented and become part of your business processes.
- Ensure that employees are suitably trained to respond to vulnerabilities and data breaches. Remember, data breaches need to be reported within 72 hours of becoming aware.
- Always tell individuals who your organisation is and name any third parties that the data will be shared with. If you share data with third parties, including Cloud Service Providers, you must ensure that they are GDPR compliant.
- Review and amend privacy statements and notifications to meet enhanced transparency requirements.
- Decide who is in charge of your data protection obligations and whether you have a legal duty to appoint a Data Protection Officer.
As an EU Directive, GDPR is principles-based and, as such, its interpretation must be harmonised across the EU. The Information Commissioner in your jurisdiction will issue guidance. However, the Article 29 Working Party, which will become the European Data Protection Board, may have a different interpretation from the ICO. Contact your local Information Commissioner for further clarification.