The General Data Protection Regulation is an EU law that comes into force on 25th May 2018, replacing all existing Data Protection laws in EU Member States. The EU’s vision is to create the largest single digital marketplace in the world by eliminating the differences in data protection laws within the single market. Many of the concepts are the same as the UK’s Data Protection Act 1998; however, the main difference is that the onus to prove compliance has switched from the data subject to the organisation. Other new conditions are expanded Rights for the data subject (Right to Erasure and Right to Portability) and the fact that IP addresses are now considered to be personal data.
Technically it’s already in force. However, companies have a transition period which ends on 25th May 2018.
It depends how compliant you are now. You should undertake a compliance assessment to establish this, which The Data Guardians can help you with.
On the whole, yes. Even if your business is mostly B2B, you will hold data on your employees. In fact you would hold personal data on your employees that is far more sensitive than a retailer would hold on its customers; for example ethnicity, medical conditions, allergies, bank account details, National Insurance number etc. All this personal data could be used to perpetrate identity theft, or financial fraud, or both.
Because the EU wants to have the same laws applied within the single market. Then it is a level playing field between countries.
Firstly, the Supervisory Authority, which in the case of the UK is the Information Commissioner’s Office, can stop you processing all personal data. This would shut down many businesses. If your company is found guilty of any transgressions you could be fined 4% of global turnover or up to £17m (€20m).
The UK Government has already presented the GDPR as a UK bill for Parliament. Also, in order for the UK to be able to easily trade with the EU post Brexit, it will need to have laws that are deemed to be ‘Adequate’ by the EU Data Protection Board.
A Data Protection Officer (DPO) is a subject matter expert on matters to do with data protection and privacy. Since more and more organisations process more and more data, there will be an increased need for DPOs. Our advice is to get guidance from a specialist company, like The Data Guardians, or the ICO.
Yes you can. The GDPR is explicit on this point. In many ways it is the best solution because it guarantees independence, you can rely on subject matter knowledge being the best and it is very cost effective.
Yes you can. However, you must be careful that there are no conflicts of interest. For example, the IT Director would not be the best person to take an objective view of system security, and the Marketing Director will be under pressure to create new methods of communication. Also, it is Murphy’s law that if the Marketing Director is the DPO, then the data breach will be 6 weeks before Christmas when his focus is on maximising sales over this period, or if it’s the Finance Director the problem will happen just as the financial auditors walk through the door.
No. It is all about the amount of data you process, the type of data you process or how often you process personal data.
The same as it does for large companies, except you may not have the resources you can dedicate to the topic.
Special data is personal data that could be used to discriminate against you. Article 9 of the GDPR states the following: “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.” It then describes the conditions under which you are permitted to process this data, e.g. under an employment contract, with the express consent of the data subject, or in the vital interests of the data subject.
Yes you can, but you will need to send them a Data Privacy Notice, and it would be best if you asked them for consent going forward. However, be aware that there is a risk that all of them could say “No”, and so you could lose quite a large chunk of your customer database. The Data Guardians can give you more advice on this.
It all depends on the legal basis you are using to process their data in the first place. Please ask us more about this.
No it is not. The GDPR is more akin to HSE laws as compared to the Y2K problem, for those old enough to remember that!!
No it isn’t. There are some fundamental changes to people’s behaviours, as well as to the processes and procedures they will have to adopt going forward.
It rather depends on how the breach happened. However, assuming that you did everything you could to have prevented the breach and you have been declared as compliant, then the sanctions and fines that you will face will be much reduced as compared to an organisation that had done nothing.
It slightly depends on what you have done wrong, but they could be up to 4% of global turnover, or £17m.
All staff will be required to have general awareness training every year. Those who deal with personal data as part of their job, e.g. HR, Sales, Marketing, Customer Services, Payroll and Senior Managers, will have to have more in-depth training every 6 months.
Hard and long!! We need to see how compliant, or otherwise, you are, then design a programme to get you to compliance and then implement those actions – and finally keep this up year after year!!
The GDPR defines it as follows: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The GDPR defines it as follows: “‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.”
Nothing. To collect personal data you must have a lawful purpose to do so. There are 6 lawful purposes, but most organisations rely on Contract (where you are providing a service to that individual, usually in return for financial compensation), Legitimate Interest (where your interests don’t outweigh the rights, freedoms and interests of the data subject) or Consent (where you ask permission from the data subject to carry out a specific data processing activity).