The General Data Protection Regulation (GDPR) is a new law that will come into effect in the European Union (EU) on the 25th of May, 2018. Its primary goal is to strengthen and unify data protection for individuals in the EU. The GDPR replaces the Data Protection Directive from 1995 and marks a major departure in many aspects.
Without further ado, let’s look at the five things you need to know about the GDPR and how it changes the rules.
1. Changes the definition of personal data
Article 4 defines personal data as ‘any information relating to an identified or identifiable natural person’. Up to now, some clarification was required to define ‘identifiable’, but this has been clarified in Recital 26 as being possible to identify by ‘all means reasonably likely to be used’. This means that while data may not be by itself identifiable by the business that holds it, it may still be considered personal if it can be used to identify a person via aggregation with other data sources.
The GDPR also clarifies that personal identification does not need to be a name, it includes things like IDs, online handles, IP addresses and cookies.
2. Requires consent
Valid consent will be required before storing or processing personal data. This consent includes the data collected and the purposes it's going to be used for.
3. Depends on the data subject location, not just the company location
In the past, EU data protection regulation only applied to businesses within the EU. The GDPR specifies that any company that handles the personal data of individuals within the EU are now responsible for the data and must follow regulations, no matter where the company is located. This means you can’t escape this regulation just by being outside the EU region.
Of course, by being in the EU, you’re still subject to the regulation, no matter where your data subjects are.
4. Includes responsibilities for processors, not just controllers
In GDPR parlance, the controller is the business that receives the data and consent directly from the data subject, while the processor is any company that processes or stores the data for the controller.
Under the GDPR, processors are required to demonstrate the same level of compliance and security as the controller. The processor is also required to notify of any breaches ‘without undue delay’. Considering that the controller is required, by law, to promptly notify the authorities of any breaches, this is a major point of contention and the relation between controller and processor must be governed by a binding contract.
Processors are also not allowed to transfer data to any sub-processor without written agreement with the controller and, even in the case of an existing agreement, prior notice will need to be provided in case the controller wants to raise objections.
5. Increases and clarifies the rights of the data subject
The GDPR includes provisions regarding the right of modification and erasure of data, especially in cases of non-compliance with lawfulness.
Just two more things, promise...
Sorry, it’s more than 5 things, but there is much information to digest. At this point, you can see that the new legislation brings major changes to the management of personal data, but we’re not done yet! We’ve left the best for last.
6. Breach notification
Any data breach including personal data must be reported to the relevant authority within 72 hours. There is no definition of what the lowest level of a data breach is, so potentially any breach at all will require notification.
Individuals concerned must also be notified if it is determined that they will suffer adverse effects.
7. Severe penalties
Failure to follow the GDPR, including failure to notify of a breach, may include a fine of up to 20m EUR or 4% of global revenue for the previous year, whichever is greater, as well as regular audits.
As you can see, the GDPR is an extensive change to data protection regulation in the EU, extending its protection beyond the existing level and scope and massively increasing requirements and fines.
One key thing about this legislation is the fact that it comes into effect in May 2018, which is not long from now, considering that it requires a complete overhaul in the way data is managed.
How can I prepare for the GDPR?
The first thing to do is get an understanding of the data you currently handle. You need to know all the data you process and which of it is considered personal data.
Once you’ve determined what data you handle, you must design and implement processes for correctly handling that data, including all protective measures to prevent breaches. The standard approach is to establish a baseline of what is considered to be normal behaviour and then set protective measures to initially alert on abnormal behaviour or breaches.
Don’t forget, the process is not only about detection and prevention, it must also consider how the business will deal with a breach, including notification and response times to avoid financial penalties.
Last, but not least, you must train your staff to identify and correctly handle personal information and how to escalate quickly in the case of a breach. People will make mistakes, so your processes should prevent errors from causing a breach when possible and, if not, quickly raise awareness of the existence of a breach so it can be investigated, resolved and reported.
Workshare provides tools that can help with the GDPR: Protect and Protect Server will help you prevent confidential or personal information from leaving your network via document metadata. Risk Analytics will allow you to gain the full view of what documents are leaving your network and where they are going. If you want to more information, call us on +44 (0)20 7426 0000.