The General Data Protection Regulation (GDPR) is a new EU law that applies from 25 May 2018. Its primary goal is to strengthen and unify data protection for individuals in the European Union (EU). The GDPR replaces the Data Protection Directive of 1995 and marks a major departure in many respects.
Without further ado, let’s look at the five things you need to know about the GDPR and how it changes the rules.
1. Changes the definition of personal data
Article 4 defines personal data as ‘any information relating to an identified or identifiable natural person’. Under the Directive, what counted as ‘identifiable’ was left open to interpretation; Recital 26 now settles it as identification by ‘all means reasonably likely to be used’. So data that the business holding it cannot link to a person on its own may still be personal data if it can be linked to a person by combining it with other data sources.
The GDPR also makes clear that an identifier need not be a name: identification numbers, online handles, IP addresses and cookie identifiers all count (Recital 30).
2. Requires consent
Consent is one of the lawful bases for processing personal data, and where you rely on it, it must be valid: freely given, specific, informed and unambiguous, obtained before the data is stored or processed, and covering both the data collected and each purpose it will be used for, including marketing and other forms of communication. Pre-ticked boxes and silence do not count as consent, and withdrawing it must be as easy as giving it.
3. Depends on the data subject location, not just the company location
In the past, EU data protection law was framed around where the business was established. The GDPR applies to any organisation that processes the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour, and that organisation is responsible for the data and must follow the regulation no matter where it is located. Being a person or a firm outside the EU does not put you out of scope.
Of course, if you are established in the EU, you are subject to the regulation no matter where your data subjects (i.e. the people whose data you hold) are located.
4. Includes responsibilities for "processors", not just "controllers"
In GDPR parlance, the controller is the organisation that decides why and how personal data is processed (typically the business that collects the data, and any consent, directly from the data subject), while the processor is any company that processes or stores that data on the controller’s behalf.
Under the GDPR, processors must implement appropriate security measures and be able to demonstrate compliance, much as the controller must. A processor is also required to notify the controller of any personal data breach ‘without undue delay’. Since the controller is in turn required by law to notify the supervisory authority promptly, the timing of that chain is a major point of contention, and the relationship between controller and processor must be governed by a binding contract.
Processors may not engage a sub-processor without the controller’s prior written authorisation and, even where a general authorisation exists, must give prior notice of any intended change so that the controller has the chance to object.
5. Increases and clarifies the rights of the data subject
The GDPR sets out the rights to rectification (correcting data) and erasure (deleting it, the ‘right to be forgotten’), which apply in particular where the data is no longer needed, consent is withdrawn or the processing was unlawful, alongside rights of access, data portability and objection.
Just two more things...
Sorry, it’s more than 5 things, but there is so much information to digest!
At this point, you can see that the new regulation brings major changes to the management of personal data, but we’re not done yet, we’ve left the best for last.
6. Breach notification
Any personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. The only exemption is a breach that is unlikely to result in a risk to the rights and freedoms of the individuals concerned, and that judgement must be documented, so in practice most breaches will need to be notified.
The individuals concerned must also be told, without undue delay, when the breach is likely to result in a high risk to their rights and freedoms.
7. Severe penalties
Failure to comply with the GDPR, including failure to notify a breach, can attract a fine of up to 20m EUR or 4% of total worldwide annual turnover for the previous financial year, whichever is higher. Supervisory authorities also gain investigative powers, including the power to carry out data protection audits.
As you can see, the GDPR is an extensive change to data protection regulation in the EU, extending its protection beyond the existing level and scope and massively increasing requirements, as well as fines.
One key thing about this legislation is that it applies from May 2018, which is not long from now! Considering that it requires a complete overhaul of the way personal data is managed, many firms may be feeling underprepared.
How to prepare for the GDPR?
The first thing to do is understand the data you currently handle. You need to know all the data you process, where it lives and which of it counts as personal data.
Once you know what data you handle, design and implement processes for handling it correctly, including the protective measures that prevent breaches. A standard approach is to establish a baseline of what counts as ‘normal’ behaviour for each user and system, then set controls that alert on deviations from that baseline and on obvious breaches, for example personal data leaving the network in volumes or to destinations that do not match what that user normally does.
Don’t forget, the process is not only about detection and prevention; it must also cover how the business will deal with a breach, including who is notified, in what order and within what time, so that notification deadlines are met and financial penalties avoided.
Last, but not least, you must train your staff to identify and correctly handle personal information and to escalate quickly in the event of a breach. People will make mistakes, so your processes should prevent errors from causing a breach where possible and, where not, quickly surface the breach so it can be investigated, resolved and reported.
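As an added example (not Workshare’s code or product, and not part of the original article), the following Python script sketches the first two preparation steps above: a data inventory that classifies the columns of a constructed customer export as personal data (e-mail, IP and cookie identifiers by format, names by column label), and a per-user baseline over constructed e-mail sharing logs that alerts when someone sends far more personal-data files outside the firm than they normally do. The record schema, the log line format, the internal domain, the baseline window and the alert thresholds are all assumptions.

```python
"""Added example (not Workshare's code or product): a personal-data inventory
over a constructed customer export, then per-user baselining and alerting over
constructed e-mail sharing logs. Schema, log format, domain, thresholds: assumed."""
import re
import statistics
from collections import defaultdict

# Identifier formats that Recital 30 treats as personal data.
PATTERNS = {
    "email": re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$"),
    "ipv4": re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$"),
    "cookie_id": re.compile(r"^[0-9a-f]{32}$"),
}
NAMED_FIELDS = {"name", "customer_id", "user_handle"}  # personal by name alone (assumed schema)

def classify_field(name, values):
    """Return the personal-data category of one column, or None."""
    if name.lower() in NAMED_FIELDS:
        return name.lower()
    for category, pattern in PATTERNS.items():
        if values and all(pattern.match(v) for v in values):
            return category
    return None

def inventory(records):
    """Map every column of a list of dict rows to its category (or None)."""
    columns = defaultdict(list)
    for row in records:
        for key, value in row.items():
            columns[key].append(str(value))
    return {key: classify_field(key, vals) for key, vals in columns.items()}

LOG_LINE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<user>\w+) sent \S+ "
                      r"to (?P<recipient>\S+) personal=(?P<personal>yes|no)$")
INTERNAL_DOMAIN = "corp.example"  # assumed; mail staying here is not an exit

def count_external_sends(lines):
    """Per user and day, count personal-data files e-mailed outside the firm."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_LINE.match(line)
        if m is None or m["personal"] != "yes":
            continue  # malformed or non-personal: skip, never crash the monitor
        if m["recipient"].rsplit("@", 1)[-1] == INTERNAL_DOMAIN:
            continue
        counts[m["user"]][m["day"]] += 1
    return counts

def find_anomalies(counts, baseline_days, sigma=3.0, floor=3):
    """Flag (user, day, count) above mean + sigma*stdev of that user's baseline
    days; the floor keeps a zero-baseline user (a new starter) from being paged
    for a single send."""
    alerts = []
    for user, per_day in counts.items():
        history = [per_day.get(d, 0) for d in baseline_days]
        threshold = max(statistics.mean(history)
                        + sigma * statistics.pstdev(history), floor)
        for day, n in sorted(per_day.items()):
            if day not in baseline_days and n > threshold:
                alerts.append((user, day, n))
    return alerts

# Constructed sample data: a two-row customer export and four days of logs.
SAMPLE_RECORDS = [
    {"name": "Ada Lovelace", "email": "ada@example.org", "last_ip": "203.0.113.7",
     "cookie": "3f2a9c1e5b7d4e6f8a9b0c1d2e3f4a5b", "plan": "pro"},
    {"name": "Tom Thumb", "email": "tom@example.net", "last_ip": "198.51.100.22",
     "cookie": "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "plan": "free"},
]

def _line(day, hour, user, fname, to, personal="yes"):
    return f"2018-04-{day:02d}T{hour:02d}:00:00 {user} sent {fname} to {to} personal={personal}"

SAMPLE_LOG = (
    # bob: a steady three external personal-data files a day
    [_line(d, 10 + i, "bob", f"contract{d}{i}.docx", "x@client.example")
     for d in range(2, 6) for i in range(3)]
    + [
        _line(2, 9, "alice", "q1.xlsx", "bob@partner.example"),
        _line(2, 11, "alice", "memo.docx", "carol@corp.example"),         # internal
        _line(3, 9, "alice", "list.csv", "bob@partner.example"),
        _line(3, 9, "alice", "list2.csv", "bob@partner.example"),
        _line(4, 9, "alice", "notes.txt", "bob@partner.example", "no"),  # not personal
        _line(4, 9, "alice", "crm.csv", "bob@partner.example"),
        "2018-04-05T08:00:00 malformed entry",                           # skipped
    ]
    # alice: seven external personal-data files on the 5th, a spike for her
    + [_line(5, 9 + i, "alice", f"export{i}.csv", "bob@partner.example")
       for i in range(7)]
)
BASELINE_DAYS = ["2018-04-02", "2018-04-03", "2018-04-04"]

def run_example():
    """Return (inventory, alerts) for the constructed data; the alerts are what
    gets escalated to the breach-response process."""
    inv = inventory(SAMPLE_RECORDS)
    alerts = find_anomalies(count_external_sends(SAMPLE_LOG), BASELINE_DAYS)
    return inv, alerts

if __name__ == "__main__":
    print(run_example())
```

Running `run_example()` classifies the `name`, `email`, `last_ip` and `cookie` columns as personal data and leaves `plan` unclassified, and raises a single alert for alice on the 5th; bob’s steady three-a-day stays under his own threshold. The `sigma` and `floor` values are starting points to tune against your own traffic, and whatever consumes the alert tuple should record the time it was raised, because the notification clock runs from the moment the firm becomes aware of a breach.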
Workshare provides risk analytics tools that can help monitor the sharing of personal data in files via email. This supports data loss prevention and therefore the reporting requirements of the GDPR. Protect and Protect Server will also help you prevent confidential or personal information from leaving your network hidden in document metadata.
For more information, or to speak to Workshare about this, please call us on +44 (0)20 7426 0000.