What should you be doing now?<\/h4>\n
If you haven\u2019t started preparing your organisation for compliance then the next 3 months are crucial. If you have started getting ready for the GDPR deadline, \u00a0keep going.<\/p>\n
Make sure your board is bought in to the importance of the project. Having the support you need from the top is vital to the GDPR compliance process.<\/p>\n
ONCE THE GDPR COMES INTO FORCE, YOUR BUSINESS MUST:*<\/p>\n
- \n
- Keep a record of data operations and activities and consider if you have the required data processing agreements in place<\/li>\n
- \u00a0Carry out privacy impact assessments (PIAs) on products and systems<\/li>\n
- \u00a0If applicable to your organisation, designate a data protection officer (DPO)<\/li>\n
- \u00a0Review processes for the collection of personal data<\/li>\n
- \u00a0Be aware of your duty to notify the relevant supervisory authority of a \u00a0\u00a0data breach<\/li>\n
- Implement \u201cprivacy by design\u201d and \u201cprivacy by default\u201d in the design \u00a0\u00a0of new products and assess whether existing products meet GDPR standards<\/li>\n<\/ol>\n
<\/p>\n
What are TeamKinetic doing right now<\/h4>\n
See what we have already put in place, to be ready for 25th May 2018.<\/p>\n
https:\/\/teamkinetic.co.uk\/blog\/2018\/02\/07\/teamkinetic-updates-new-eula-and-data-policy\/<\/a><\/p>\n
We continue to work with our customers to ensure compliance and understanding.<\/h1>\n
Are you ready for GDPR?<\/h1>\n
Deadline – 25th May 2018<\/h4>\n
Information sourced from UKFast<\/a>, Berwin,Leighton,Paisner<\/a> and Onside Law<\/a><\/p>\n
Contents<\/h4>\n
Let\u2019s refresh<\/p>\n
Why has the GDPR come about?<\/p>\n
What about Brexit?<\/p>\n
What should you be doing now?<\/p>\n
Data security is EVERY business\u2019s business<\/p>\n
Key changes to consent<\/p>\n
Key changes to breach notifications<\/p>\n
Are the rules different for electronic communications?<\/p>\n
What is TeamKinetic doing right now?<\/p>\n
Disclaimer: The information in this whitepaper is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor.<\/p>\n
Let\u2019s refresh\u2026<\/h4>\n
What is the GDPR? The General Data Protection Regulation (GDPR) is a binding legislative act from the European Union for the protection of personal data. The Regulation tackles the inconsistent data protection laws currently existing throughout the EU\u2019s member states and facilitates the secure, free-flow of data.<\/p>\n
Why do you need to know about it?<\/p>\n
As of April 2016, businesses have been preparing for the legislation coming into effect on 25th May 2018. Although we are in the process of leaving the EU, working towards GDPR compliance remains crucial.<\/p>\n
If you fail to comply with the Regulation you could find yourself being fined up to 4% of your company\u2019s global annual turnover and your reputation damaged beyond repair.<\/p>\n
That is 4500% increase on current fines that can be issued by the ICO!!<\/p>\n
Now that the deadline is just 3 months away, is your organisation ready?<\/p>\n
Why has the GDPR come about?<\/h4>\n
There is a need in Europe and beyond for a standardised data protection framework that addresses the rapid technological advancements that have taken place in recent years, putting the personal data of the masses at risk.<\/p>\n
![\"\"](\"http:\/\/teamkinetic.co.uk\/blog\/wp-content\/uploads\/2018\/04\/GDPR-why-now-info--300x296.png\")
<\/p>\nWhere do vulnerabilities lie?<\/h4>\n
Everywhere. All organisations are at risk of a cyber-attack, despite common misconceptions that some industries are more secure than others.<\/p>\n
The results of a survey carried out by the Information Commissioner\u2019s Office (ICO) of 173 councils at the end of 2016 reveals that more than 15% of councils do not have data protection training for employees processing personal data and a third do not carry out privacy impact assessments (PIAs) as required by the GDPR.<\/p>\n
The survey\u2019s release coincided with the news that the ICO had fined Norfolk Council \u00a360,000 for a data breach in which social work files were discovered in a cabinet bought in a second-hand shop by a member of the public.<\/p>\n
Capgemini: The Currency of Trust, February 2017<\/p>\n
74% of UK SMEs had a security breach in 2016.<\/p>\n
While leaving vulnerable information in a cabinet or on a train may seem like a problem from 1997 rather than 2017 – when cloud technology means physical files never need to leave the office – the overarching security challenge remains.<\/p>\n
Professionals across the public and private sectors must be aware of the nature of the data they are accessing from their home networks and ensure they are doing so securely.<\/p>\n
Computer Weekly: Many Councils Still Unprepared for GDPR, March 2017<\/p>\n
<\/h4>\n
What about Brexit?<\/h4>\n
Despite the vote to leave the EU, UK businesses must continue to work towards GDPR compliance. Not only has the UK government stated that it is good business practice to do so, but the legislation applies to all businesses working within the EU and with EU data. A failure to comply can lead to significant fines and irreparable damage to a company\u2019s reputation.<\/p>\n
The latest thinking is that the UK could replace the 1998 Data Protection Act (DPA) with legislation that mirrors the GDPR, enabling the UK to achieve free data flow with the EU post-Brexit. The government has warned that it may take two to three years for the European Council (EC) to decide that the UK has an adequate data protection regime.<\/p>\n
While the impact of the Investigatory Powers Act on the UK\u2019s GDPR compliance has yet to be fully understood, it is possible that the mass surveillance and data retention practices carried out under the Act could cause issues when the EC comes to decide whether the UK\u2019s practices are adequate. The existence of these two extraordinarily contradictory legislations could result in a UK equivalent of the Privacy Shield agreement held between the US and the EU to facilitate secure transatlantic data flow.<\/p>\n
If your business activities are contained within the UK or elsewhere within Europe, you will have to observe the protections afforded by the GDPR for citizens.<\/p>\n
What happens if my business is not complaint?<\/h4>\n
The GDPR introduces a two-tier fine system that emphasises just how small a financial deterrent existed under the Data Protection Act (DPA).<\/p>\n
As of the 2018 deadline, any data controller or processor that fails to comply with the Regulation will face the following fines:<\/p>\n
<\/p>\n
Tier 1<\/p>\n
If a data breach occurs that puts highly important data at risj, the data controller\/processor will be fined upto \u20ac20M (\u00a317.25M) or 4% of the previous year\u2019s global annual turnover, whichever is greater.<\/p>\n
Tier 2<\/p>\n
Any other data breach could lead to fines of up to \u20ac10M (\u00a38.6M) or 2% of the previous year\u2019s global annual turnover, whichever is greater.<\/p>\n
<\/p>\n
It is estimated that if breaches remain at the same level as in 2015, the fines given will raise 90 fold from \u20ac1.4 billion to \u20ac122 billion<\/p>\n
Key changes to consent<\/p>\n
Do you ask your customers for permission before you use their data? Do you go a step further and tell them what it will be used for? If the answer to either \u2013 or both \u2013 of these questions is no, you could be in trouble if you don\u2019t start changing your ways before the GDPR deadline.<\/p>\n
<\/p>\n
Why is consent important?<\/p>\n
Consent enables your business to lawfully process data.<\/p>\n
Organisations applying the GDPR\u2019s standards are giving individuals greater control over their information and, in turn, building trusting relationships that ultimately keep customers coming back for more.<\/p>\n
Any business found to be misusing personal data will be fined according to the highest level of the two-tier system and \u2013 most poignantly \u2013 is at serious risk of damaging its own reputation. When is consent required? You must have the data subject\u2019s consent to lawfully process their data. However, just to confuse things, there are instances that will call for consent to be acquired via alternative methods; we\u2019ll clarify this shortly. Consent is also needed under ePrivacy laws if you\u2019re in the business of tracking communications and installing software and apps on devices.<\/p>\n
If you want to use someone\u2019s personal data they must give you explicit consent to do so. This means in practise no pre-ticked boxes, a user must always choose to tick the box.<\/p>\n
If you want to use an individual\u2019s personal data for multiple purposes, they must give consent for each purpose, separately<\/p>\n
<\/p>\n
Who might need an alternative method of gaining consent?<\/p>\n
Most commonly, data controllers in a position of power such as public authorities and employers who are likely to find getting valid consent challenging and so must consider the alternative options.<\/p>\n
For example, if you are a highly successful eCommerce business is bringing on board a new supplier of garden furniture, you will need a contract with them that clarifies the role of each party and enables you to lawfully process their data.<\/p>\n
Whether you are the data controller or processor, you must always record how consent was given, who from, when, how, and what the interested parties were told.<\/p>\n
You must not bundle your consent request with your standard terms and conditions.<\/p>\n
<\/p>\n
Does your consent process meet GDPR standards?<\/p>\n
Carry out a thorough review of existing consent processes and asses whether they meet the Regulation\u2019s requirements. if they do, there is no need to request consent from the subject again.<\/p>\n
Key changes to breach notifications<\/h4>\n
Europe had a phenomenally inconsistent data protection landscape. It meant that when a Switzerland-based business suffered a data breach affecting people in Greece, Italy and Spain, the organisation would need to comply with the breach notification standards of each of the three member states.<\/p>\n
This lack of uniformity throughout Europe means that while some member states, such as Spain and Germany, are recognised for their rigorous data breach privacy laws, there are also member states with minimal to no regulations in place.<\/p>\n
In this environment, organisations in lax member states have not needed to notify an authority of a breach.<\/p>\n
The GDPR smooths all this out with the introduction of a single breach notification requirement.<\/p>\n
<\/p>\n
What is a personal data breach?<\/h4>\n
A personal data breach is not simply the loss of data but a breach of security, resulting in the destruction, loss, alteration, unauthorised disclosure of or access to personal data.<\/p>\n
When must the relevant supervisory authority be notified?<\/p>\n
The relevant supervisory authority must be informed of any data breach that puts an individual\u2019s rights and freedoms at risk. This includes a loss of confidentiality and financial loss.<\/p>\n
Data controllers must inform the supervisory authority without undue delay and within 72 hours of learning of a personal data breach. They must state:<\/p>\n
- \n
- Its nature<\/li>\n
- The approximate number of people affected<\/li>\n
- The contact information for the organisation\u2019s DPO (if one has been appointed)<\/li>\n<\/ol>\n
The controller must also pin-point the likely consequences of the breach and the measures taken to reduce further risk to those affected.<\/p>\n
Data processors must tell the data controller about a data breach without undue delay after having become aware of it.<\/p>\n
If a breach is significant enough that it is in the public interest, those responsible \u2013 be that the controller or processor \u2013 must do so without undue delay.<\/p>\n
The impact of data breaches If we hark back to our real world TalkTalk and Yahoo examples, we can see that the severe consequences each company experienced following their respective breaches were related to how they handled the aftermath of the breach and not simply because the breach happened in the first place.<\/p>\n
What should you be doing now?<\/p>\n
A personal data breach is not just the loss of that data but a breach of security, resulting in the destruction, loss, alteration, unauthorised disclosure of or access to personal data.<\/p>\n
- \n
- Educate your employees about \u00a0\u00a0\u00a0personal data breaches and how to \u00a0\u00a0spot when one has occurred.<\/li>\n
- Set-up an internal process for reporting \u00a0\u00a0a personal data breach.<\/li>\n
- Make sure you have the internal resources and processes in place to \u00a0\u00a0detect and investigate breaches. Speak to any third-party data processers if they are storing your data.<\/li>\n
- Put an incident response plan in place.<\/li>\n<\/ul>\n
Are the rules different for electronic communications?<\/h4>\n
No, not really. The EU has introduced a complementary legal framework to the GDPR to clarify exactly what data controllers and processors must be doing to protect individuals\u2019 communications; electronic or otherwise.<\/p>\n