The European Union (EU) has changed its data protection rules. The changes are now law and will go live across the EU on Friday 25th May 2018. These rules are called the General Data Protection Regulation (GDPR) and apply across the board, from public authorities to small and medium-sized businesses. They will change the way we all do business.
What is the EU data protection and what does it apply to?
In the EU there are existing legal rules for the collection and processing of personal data. Anyone who collects or processes personal data must protect it from misuse and comply with a range of legal requirements. The GDPR upgrades the existing rules.
The GDPR will apply to both electronic data (like emails and databases) and hard copies (with a few exceptions).
Will businesses have to do more?
Yes. Every organisation will have more responsibilities and obligations under the new rules. In particular, organisations have to implement technical and organisational measures to make sure that they are processing data properly. To assess the right level of security you must consider the risks presented by processing - especially from accidental or unlawful destruction. You will also need to be able to show the measures you have taken when a regulator asks you what these measures are. An important part of that is checking who you send personal data to - for example, you will need to check the processes of the people you work with, like mailing houses, shredding companies and temp agencies.
What kind of fines can my business face for breaching the rules?
Under the new regime, data protection regulators can impose high fines for infringing the new rules - the highest level of fine is either a maximum of €20 million or 4% of the global annual turnover of a business, whichever is the higher. Although not every breach will result in the highest fine, getting fined is simply not an option - we must all make sure that we follow the rules.
Has anything changed with the data transfers to third countries?
Not really. Special existing rules about the transfer of data from the EU Member States to third countries (including the US) remain in place under the GDPR, including the requirement that those data transfers can only occur where an adequate level of protection is assured by these third countries. Under the new regime, these rules have in effect just become more detailed. This is a complicated topic that is also subject to development under the existing data protection rules, which you should talk through with your legal team.
What should you do now?
To do the work to be GDPR-compliant you must budget and plan resources (including IT). Also use your planning time well to adapt. The following are ten top compliance issues to start addressing:
1. Put in place a privacy impact assessment process - map your data and determine areas of risk;
2. Thoroughly review vendor contracts - you will need your vendors' help, especially in reporting security breaches very quickly, so make sure that you have the contractual rights to insist on this;
3. Update systems and materials and prepare new detailed documentation and records ready for production for regulatory inspection;
4. Review key practical aspects, including data retention, for all the data used by the business;
5. Make sure you have plans in place to securely destroy data that you don't need;
6. Ensure that new aspects such as explicit consent, the right to be forgotten, the data portability right and the right to object are all included in policies and procedures;
7. Put in place a data breach notification procedure, including detection and response capabilities, and rehearse this like you would a fire drill;
8. Consider appointing a data protection officer;
9. Training, training, training - train staff on all of the above (data protection regulators pay special attention to this); and
10. Set up and undertake regular compliance audits in order to identify and rectify issues.
Now you are in the know, why not check out our GDPR Part 2 article.
If you have any unanswered questions, you can find the new rules on the European Commission's website.