According to a report by PwC, cybercrime was the second most reported crime in 2016. In addition, the National Crime Agency reports that cybercrime now accounts for more than 50% of all crimes in the UK. Unfortunately, according to Microsoft, it takes security experts 146 days to detect that an attack has occurred. As a result, the GDPR was passed into law in the European Union in April 2016.
What is GDPR?
The General Data Protection Regulation (GDPR) is a privacy regulation that will apply to all companies that sell to and store personal information about citizens in Europe, including non-EU companies around the world. Non-EU organizations will be subject to the GDPR where they process personal data about EU (European Union) and EEA (European Economic Area) citizens. It will provide citizens of the EU and EEA greater control over their personal data and assurances that their information is protected. It is composed of 99 Articles and 173 Recitals, which provide explanatory text to help with the interpretation of the Articles.
What constitutes personal data?
According to the GDPR portal, personal data is “any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, and posts on social networking websites, medical information, or a computer IP address.”
When will the GDPR come into effect?
Although the GDPR was approved and adopted by the EU Parliament in April 2016, the regulation will take effect after a two-year transition period, which means that it will be in force on May 25, 2018. Unlike a directive (a legislative act that sets out a goal that all EU countries must achieve), this regulation does not require any enabling legislation to be passed by national governments.
How much will GDPR preparation cost an organization?
According to a PwC survey, 24% of American corporation respondents say they plan to spend under $1 million USD on GDPR preparations. A further 68%, however, say they will invest between $1 million and $10 million USD. Nine percent say they expect to spend more than $10 million USD to ensure that they are GDPR-compliant.
What penalties will companies face due to non-compliance?
Organizations can be fined anywhere from 2% to 4% of annual global turnover (the net sales generated by a business in the preceding financial year) for breaching the GDPR, or €20 million (approximately $24.6 million USD), whichever is greater. There is a tiered approach to fines. For example, a company can be fined 2% for not having its records in order (Article 28) or for not notifying the supervisory authority and the data subject about a breach. If the company does not conduct an impact assessment, it can also be fined 2%. For the most serious infringements, however, a company may be fined the maximum of €20 million or 4% of annual global turnover, whichever is greater. It is important to note that the rules apply to both data controllers and data processors, which means “clouds” are not exempt.
Many organizations have been eagerly anticipating this development, but to others it may seem a daunting undertaking. With this article, Netswitch would like to provide you with:
12 Steps to Becoming GDPR-compliant
1. All members of the organization should know about GDPR
All employees, including senior management, should know what the GDPR is and what it entails. Executives are responsible for making major decisions and, therefore, should be well informed about what they need to do and what the consequences are if the company fails to comply. All employees should know what the organization’s obligations are under the GDPR with regard to collecting, processing, and storing data.
To ensure that everyone in the organization is knowledgeable about the GDPR, you need to consider training both management and rank-and-file employees. Training employees will help them understand the organization’s responsibilities and greatly reduce the probability of your staff doing something that results in a data breach.
2. Make an inventory of the data that your organization holds
You may need to organize an information audit. All personal data that the organization holds should be documented. You must know what personal data is held, where it came from, how it was collected, and with whom it has been shared. You also need to identify all sources of data and all types of data relationships (e.g. third-party tools and tags on websites).
3. Review your organization’s privacy notices and communications
You need to make a full review of your current privacy notices and make sure that they are aligned with GDPR requirements before the regulation takes effect in May.
4. Individuals’ rights should be checked
All processes and procedures within the organization should be checked to ensure that they cover all individuals’ rights. Under the GDPR, the following individuals’ rights must be covered:
- The right to be informed;
- The right of access;
- The right to rectification;
- The right to erasure;
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- The right not to be subject to automated decision-making including profiling.
5. Update procedures regarding subject access requests
All procedures on subject access requests should be updated. You need to plan how requests will be handled under the GDPR. The following are new rules you need to take into account:
- Your organization will not be able to charge for complying with a request in most cases.
- You have 30 days to comply instead of 40 days, the current window for complying.
- You can refuse requests that are manifestly unfounded or charge for requests that are excessive.
- If you refuse a request, the individual should be told why and that they have the right to complain to the supervisory authority and a right to a judicial remedy. This should be done within one month.
If your organization handles a large volume of access requests, consider whether it is feasible to develop systems that allow individuals to gain access to their information easily online.
6. Identify legal basis for personal data processing
Your organization should identify and document the legal basis for all of its processing activities under the GDPR. Your privacy notice should also be updated to explain it.
7. Manage consent given by data subjects
Review how you seek, record and manage consent and check if you need to make changes. Existing consents should be refreshed if they do not meet the GDPR standard.
It is important to remember that consent must be freely given. It should be specific, informed, and explicit. There must be a positive opt-in, and it should be kept separate from other terms and conditions. If people want to withdraw consent, there must be simple methods for them to do so.
All consent must be verifiable. Generally, individuals have more rights where organizations rely on consent to process their data.
8. Personal data of minors
The GDPR brings in special protection for children’s personal data specifically in the context of commercial internet services such as social networking. If your company offers online services to children and relies on consent to collect their personal data, you may need a parent or guardian’s consent to be able to process their information lawfully.
Under the GDPR, the age at which a child can give their own consent to this processing is set at 16, although it may be lowered to a minimum of 13 in the UK. If the child is younger, you need to get consent from an individual holding “parental responsibility.”
Another important note – your privacy notice must be written in such a way that children will understand what your organization is saying.
9. Handling data breaches
Your organization must have the right procedures in place to detect, report, and investigate a personal data breach.
If a breach is likely to result in a high risk to the rights and freedoms of individuals, the organization has to notify the individuals concerned directly in most cases. Failure to report a breach when required to do so could result in a fine, as well as a fine for the breach itself.
10. Data protection by design and data protection impact assessments
Under the GDPR, privacy by design is an express legal requirement under the term “data protection by design and by default.” A Privacy Impact Assessment (PIA) is referred to as a “Data Protection Impact Assessment” (DPIA), and DPIAs are mandatory in certain cases.
For example, a DPIA is required where data processing is likely to result in a high risk to individuals:
- Where new technology is being set up;
- Where a profiling operation is likely to significantly affect individuals; or
- Where there is processing on a large scale of the special categories of data.
11. Designate a Data Protection Officer (DPO)
The organization should designate a Data Protection Officer (DPO) who will be responsible for data protection compliance.
You are required to formally designate a DPO if you are:
- A public authority except for courts acting in their judicial capacity;
- An organization that carries out the regular and systematic monitoring of individuals on a large scale; or
- An organization that carries out large scale processing of special categories of data, such as health records, or information about criminal convictions.
12. International transactions
You need to determine your lead data protection supervisory authority if your organization operates in more than one EU member state. The lead authority is the supervisory authority of the member state where your main establishment in the EU is located, or where decisions about processing are taken and implemented.
This is only relevant if you have establishments in more than one EU member state or if you have a single establishment in the EU that carries out processing which substantially affects individuals in other EU states.