The General Data Protection Regulation (GDPR) is the biggest change in data protection in over a generation. GDPR is not only about IT system security – it is a journey to where the data subjects have full control and visibility of their data during the full data life-cycle.
The 1988 Data Protection Act was put in place before the internet, and the majority of social media sites did not exist when the 2003 update was issued, so a major update was overdue to protect people's data in line with the Human Rights Act.
Organisations who process any personal data will need to be ready for these changes, and able to demonstrate their data processing privacy notices, policies/procedures and alignment to GDPR (this may include an external review). They must also continue to ensure they use up-to-date ‘state of the art’ physical and data security based on the data risks presented by the data type, volume and storage period during the data processing lifecycle, regardless of the business size. To prepare for these changes and avoid huge fines for non-compliance, companies need to review their current practices and consider:
- Technical and organisational protection measures, which include documenting how the organisation will comply with the principle of “data security by design and by default” and in line with the “state of the art” based on the data risks at all times. This means they must have documentation that clearly outlines the detailed policies, procedures and technical solutions that demonstrate the data Confidentiality, Integrity and Availability at all points in the data lifecycle.
- The need for a Data Protection Officer in some cases; this person needs to have “expert knowledge of data protection law and data security practices”.
- Under Article 37 of the General Data Protection Regulation (GDPR), private sector organisations that, on a large scale as part of their core activities, regularly and systematically monitor data subjects or process sensitive personal data will also have to appoint a DPO.
- Detailed legal contracts with all staff and external organisations that they use to process/store the data or that could impact the data, including, for example, any web hosting/credit card company or external IT company.
- Planning, documenting and training staff on how to respond to data subject access requests, which need to be responded to within 1 month and at zero charge; otherwise the data subject can complain to the data commissioner, who will then investigate the complaint.
- Commercial risk because of the possible data commissioner fines of up to €20 million or 4% of global turnover (whichever is higher), plus the possibility of data subject legal action for material and non-material impact, and reputational damage to the organisation when a data breach occurs.
While the GDPR regulation itself runs to 88 pages, there are also 173 recitals that add clarity or more detail to the core regulation, and these add hundreds more pages.
Some people may think the changes are scary or too difficult/complex and so take the risk of doing nothing, as they may have done with the data protection acts. By working through the 12 steps as outlined by the data commissioner (http://gdprandyou.ie/organisations/), we have helped a number of solicitors, accountants and other SMEs across West Cork with their GDPR projects, in a way that matches the risks with the documentation, procedural/working practices, and system changes required to meet the challenge without significant expenditure, and in line with their organisation size and risk profile.
It is critical to understand that GDPR applies to ALL personal data. This is any data that can directly identify a natural person and can be in any format. The scope of personal data has now increased and is split into the following areas:
- Personal data:
  - Name, address, email address, photograph, video, IP address, location data, online behaviour (cookies), profiling and analytics data.
- Special categories of personal data (extra security is required to reduce the risks to this data type):
  - Race, religion, political opinions, trade union membership, sexual orientation, health information, biometric data, genetic data.
It is essential for data protection to be integrated into corporate risk management for every organisation. They will need to consider how they will manage breach reporting both internally and in respect of their obligations to the Data Protection Authority and the data subjects. If they use a data processor, they should be clear about their expectations in respect of breach management, and ensure these expectations are incorporated into the relevant contracts.
Some of the high-risk organisations include hotels, solicitors, accountants, doctors, dentists, pharmacies, local charities or organisations who may have health or other “special category” data, and organisations who process any data at volume or design/build systems to store or process data.
A number of example areas for review:
- SMEs need to ask themselves questions about how they are collecting and handling personal data both physically and electronically. They need to look at what data they have, ask why they have it, and consider whether, if the data was stolen, they could stand up in a court of law and justify it being kept, and prove they had the data subject's permission to have it.
- Things like old mailing lists should probably be cleaned up or deleted. If you haven’t used the data for more than a year, why are you still keeping it? Remember, if you don’t have the data it can’t be stolen or otherwise abused, which is one of the things that legislation like GDPR is aimed at preventing. Some organisations are currently sending out emails asking people to subscribe again or confirm their subscription, as otherwise they have no legal basis under GDPR to keep the data.
- Where medical data is involved, it should be encrypted.
- Many employers may also have electronic or physical copies of the CVs of prospective employees sent to them after they have filled vacancies. You won’t be able to justify keeping them, so delete them and shred the physical versions if you’ve got them printed out.
- If you’re recording phone calls or have a CCTV system, how long are you holding on to the recordings?
- Remember the way the IT team organised those backups to save you from a disaster? You might need to check that they aren’t backing up tonnes of personal information that you really need to purge once you’ve finished with it. Also, is the backup encrypted and password protected?
- Did you follow the data commissioner's detailed guidance?
- Do you have GDPR-compliant notices?
- Are your laptops and mobiles fully encrypted, with secure PIN codes/passwords?
- Where data is stored or processed outside of the EU (for example with Dropbox, Office 365, Google or SurveyMonkey), organisations need to ensure they tell their data subjects that the data may be stored/processed in the US. If it is stored or processed anywhere else outside of the EU, that must also be made clear, along with the legal basis under which that is being done and the data security around that data. They also need to ensure a suitable contract exists between the data controller and the processor.