A whitepaper to help you get ready for GDPR and find out what it means for your data.
Whitepaper – Are you ready for GDPR – Download the paper here.
What should you be doing now?
If you haven’t started preparing your organisation for compliance then the next 3 months are crucial. If you have started getting ready for the GDPR deadline, keep going.
Make sure your board is bought in to the importance of the project. Having the support you need from the top is vital to the GDPR compliance process.
ONCE THE GDPR COMES INTO FORCE, YOUR BUSINESS MUST:*
- Keep a record of data operations and activities and consider if you have the required data processing agreements in place
- Carry out privacy impact assessments (PIAs) on products and systems
- If applicable to your organisation, designate a data protection officer (DPO)
- Review processes for the collection of personal data
- Be aware of your duty to notify the relevant supervisory authority of a data breach
- Implement “privacy by design” and “privacy by default” in the design of new products and assess whether existing products meet GDPR standards
What are TeamKinetic doing right now
See what we have already put in place, to be ready for 25th May 2018.
https://teamkinetic.co.uk/blog/2018/02/07/teamkinetic-updates-new-eula-and-data-policy/
We continue to work with our customers to ensure compliance and understanding.
Are you ready for GDPR?
Deadline – 25th May 2018
Information sourced from UKFast, Berwin,Leighton,Paisner and Onside Law
Contents
Let’s refresh
Why has the GDPR come about?
What about Brexit?
What should you be doing now?
Data security is EVERY business’s business
Key changes to consent
Key changes to breach notifications
Are the rules different for electronic communications?
What is TeamKinetic doing right now?
Disclaimer: The information in this whitepaper is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor.
Let’s refresh…
What is the GDPR? The General Data Protection Regulation (GDPR) is a binding legislative act from the European Union for the protection of personal data. The Regulation tackles the inconsistent data protection laws currently existing throughout the EU’s member states and facilitates the secure, free-flow of data.
Why do you need to know about it?
As of April 2016, businesses have been preparing for the legislation coming into effect on 25th May 2018. Although we are in the process of leaving the EU, working towards GDPR compliance remains crucial.
If you fail to comply with the Regulation you could find yourself being fined up to 4% of your company’s global annual turnover and your reputation damaged beyond repair.
That is 4500% increase on current fines that can be issued by the ICO!!
Now that the deadline is just 3 months away, is your organisation ready?
Why has the GDPR come about?
There is a need in Europe and beyond for a standardised data protection framework that addresses the rapid technological advancements that have taken place in recent years, putting the personal data of the masses at risk.
Where do vulnerabilities lie?
Everywhere. All organisations are at risk of a cyber-attack, despite common misconceptions that some industries are more secure than others.
The results of a survey carried out by the Information Commissioner’s Office (ICO) of 173 councils at the end of 2016 reveals that more than 15% of councils do not have data protection training for employees processing personal data and a third do not carry out privacy impact assessments (PIAs) as required by the GDPR.
The survey’s release coincided with the news that the ICO had fined Norfolk Council £60,000 for a data breach in which social work files were discovered in a cabinet bought in a second-hand shop by a member of the public.
Capgemini: The Currency of Trust, February 2017
74% of UK SMEs had a security breach in 2016.
While leaving vulnerable information in a cabinet or on a train may seem like a problem from 1997 rather than 2017 – when cloud technology means physical files never need to leave the office – the overarching security challenge remains.
Professionals across the public and private sectors must be aware of the nature of the data they are accessing from their home networks and ensure they are doing so securely.
Computer Weekly: Many Councils Still Unprepared for GDPR, March 2017
What about Brexit?
Despite the vote to leave the EU, UK businesses must continue to work towards GDPR compliance. Not only has the UK government stated that it is good business practice to do so, but the legislation applies to all businesses working within the EU and with EU data. A failure to comply can lead to significant fines and irreparable damage to a company’s reputation.
The latest thinking is that the UK could replace the 1998 Data Protection Act (DPA) with legislation that mirrors the GDPR, enabling the UK to achieve free data flow with the EU post-Brexit. The government has warned that it may take two to three years for the European Council (EC) to decide that the UK has an adequate data protection regime.
While the impact of the Investigatory Powers Act on the UK’s GDPR compliance has yet to be fully understood, it is possible that the mass surveillance and data retention practices carried out under the Act could cause issues when the EC comes to decide whether the UK’s practices are adequate. The existence of these two extraordinarily contradictory legislations could result in a UK equivalent of the Privacy Shield agreement held between the US and the EU to facilitate secure transatlantic data flow.
If your business activities are contained within the UK or elsewhere within Europe, you will have to observe the protections afforded by the GDPR for citizens.
What happens if my business is not complaint?
The GDPR introduces a two-tier fine system that emphasises just how small a financial deterrent existed under the Data Protection Act (DPA).
As of the 2018 deadline, any data controller or processor that fails to comply with the Regulation will face the following fines:
Tier 1
If a data breach occurs that puts highly important data at risj, the data controller/processor will be fined upto €20M (£17.25M) or 4% of the previous year’s global annual turnover, whichever is greater.
Tier 2
Any other data breach could lead to fines of up to €10M (£8.6M) or 2% of the previous year’s global annual turnover, whichever is greater.
It is estimated that if breaches remain at the same level as in 2015, the fines given will raise 90 fold from €1.4 billion to €122 billion
Key changes to consent
Do you ask your customers for permission before you use their data? Do you go a step further and tell them what it will be used for? If the answer to either – or both – of these questions is no, you could be in trouble if you don’t start changing your ways before the GDPR deadline.
Why is consent important?
Consent enables your business to lawfully process data.
Organisations applying the GDPR’s standards are giving individuals greater control over their information and, in turn, building trusting relationships that ultimately keep customers coming back for more.
Any business found to be misusing personal data will be fined according to the highest level of the two-tier system and – most poignantly – is at serious risk of damaging its own reputation. When is consent required? You must have the data subject’s consent to lawfully process their data. However, just to confuse things, there are instances that will call for consent to be acquired via alternative methods; we’ll clarify this shortly. Consent is also needed under ePrivacy laws if you’re in the business of tracking communications and installing software and apps on devices.
If you want to use someone’s personal data they must give you explicit consent to do so. This means in practise no pre-ticked boxes, a user must always choose to tick the box.
If you want to use an individual’s personal data for multiple purposes, they must give consent for each purpose, separately
Who might need an alternative method of gaining consent?
Most commonly, data controllers in a position of power such as public authorities and employers who are likely to find getting valid consent challenging and so must consider the alternative options.
For example, if you are a highly successful eCommerce business is bringing on board a new supplier of garden furniture, you will need a contract with them that clarifies the role of each party and enables you to lawfully process their data.
Whether you are the data controller or processor, you must always record how consent was given, who from, when, how, and what the interested parties were told.
You must not bundle your consent request with your standard terms and conditions.
Does your consent process meet GDPR standards?
Carry out a thorough review of existing consent processes and asses whether they meet the Regulation’s requirements. if they do, there is no need to request consent from the subject again.
Key changes to breach notifications
Europe had a phenomenally inconsistent data protection landscape. It meant that when a Switzerland-based business suffered a data breach affecting people in Greece, Italy and Spain, the organisation would need to comply with the breach notification standards of each of the three member states.
This lack of uniformity throughout Europe means that while some member states, such as Spain and Germany, are recognised for their rigorous data breach privacy laws, there are also member states with minimal to no regulations in place.
In this environment, organisations in lax member states have not needed to notify an authority of a breach.
The GDPR smooths all this out with the introduction of a single breach notification requirement.
What is a personal data breach?
A personal data breach is not simply the loss of data but a breach of security, resulting in the destruction, loss, alteration, unauthorised disclosure of or access to personal data.
When must the relevant supervisory authority be notified?
The relevant supervisory authority must be informed of any data breach that puts an individual’s rights and freedoms at risk. This includes a loss of confidentiality and financial loss.
Data controllers must inform the supervisory authority without undue delay and within 72 hours of learning of a personal data breach. They must state:
- Its nature
- The approximate number of people affected
- The contact information for the organisation’s DPO (if one has been appointed)
The controller must also pin-point the likely consequences of the breach and the measures taken to reduce further risk to those affected.
Data processors must tell the data controller about a data breach without undue delay after having become aware of it.
If a breach is significant enough that it is in the public interest, those responsible – be that the controller or processor – must do so without undue delay.
The impact of data breaches If we hark back to our real world TalkTalk and Yahoo examples, we can see that the severe consequences each company experienced following their respective breaches were related to how they handled the aftermath of the breach and not simply because the breach happened in the first place.
What should you be doing now?
A personal data breach is not just the loss of that data but a breach of security, resulting in the destruction, loss, alteration, unauthorised disclosure of or access to personal data.
- Educate your employees about personal data breaches and how to spot when one has occurred.
- Set-up an internal process for reporting a personal data breach.
- Make sure you have the internal resources and processes in place to detect and investigate breaches. Speak to any third-party data processers if they are storing your data.
- Put an incident response plan in place.
Are the rules different for electronic communications?
No, not really. The EU has introduced a complementary legal framework to the GDPR to clarify exactly what data controllers and processors must be doing to protect individuals’ communications; electronic or otherwise.
- New cookies responsibilities for browser providers Users must be given the choice to consent to cookies as part of the browser software set-up. This should reduce or eliminate cookie banners on websites entirely.
- Extra-territoriality and 4% fines The Regulation no longer applies solely to the EU. It applies to anyone in the world that provides publicly-available “electronic communications services” to acquire data from the devices of EU citizens. Any organisation that breaches the Regulation will be subject to the GDPR’s two-tier fine system. That means you should be paying attention even if your business is contained within the UK.
- The Regulation application is expanded Unlike its predecessor, the ePrivacy Directive, the ePrivacy Regulation goes beyond the traditional telecommunications organisations and internet service providers. It incorporates messaging apps like WhatsApp, and email providers, amongst other communications suppliers such as Facebook and Snapchat.
- New rules for processing communications data The Regulation introduces new rules for handling: what was said, who said it, where and when. This data is confidential; interfering with it could result in a Tier 1 fine.
- Exemption analytics cookies Businesses are exempt from the cookie consent requirement when using firstparty analytics. However, using third-party analytics platforms such as Google Analytics requires user consent.
For the non-techy amongst you, ‘party’ refers to the website that places the cookie. So when you visit www.ukfast.co.uk, and you find the domain of the cookie placed on your computer is www.ukfast.co.uk, this is a first-party cookie. If you visit www.ukfast. co.uk and a cookie by a suspiciously dissimilar name appears, this cookie has been placed by a third party.
Like the GDPR, the ePrivacy Regulation will come in to effect on the 25th May 2018.
Source: http://privacylawblog.fieldfisher.com/2017/the-new-e-privacy-regulation-what-you-need-to-know/
