With the new EU data protection regulation due to come into force, we look at the changes it introduces and how it will affect your business.
The General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, is a big shake-up to the way that personal data is collected, stored and processed. Its goal is to give individuals more control over their data while increasing the penalties for companies that breach the rules. Under GDPR, a business can be fined up to €20m or four per cent of worldwide turnover, whichever is greatest.
Who does the new regulation apply to?
Any company that stores, collects or processes personal data of EU citizens must operate within the new regulations. Personal data is any information that can lead to an individual being identified, such as their name, address, email address or telephone number. Effectively, this means that all UK businesses must be compliant.
What's new with GDPR?
GDPR replaces existing data protection legislation and tightens the controls on how data can be collected and processed. Foremost, companies need to prove compliance and that they have the right to process data. Customer consent is the easiest way to establish a lawful basis for processing, but it's not the only route. GDPR sets out five other lawful bases that you can use:
- Processing is necessary for the performance of a contract or to take steps to enter into a contract
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of legitimate interests
According to Article 7 of the regulation, where processing is based on consent, the main change is that businesses must "demonstrate that the data subject has consented to processing of his or her personal data".
The UK's Information Commissioner's Office (ICO), the body responsible for upholding individuals' rights, explains further that consent must be freely given; require positive action (that's a 'no' to pre-ticked boxes); and that consent requests must be "prominent, unbundled from other terms and conditions, concise and easy to understand, and user-friendly". Consent must also be easy for an individual to withdraw.
GDPR also gives individuals more rights over their data, including the right to be provided with a copy of all data that you hold on them, for free. In addition, individuals have the right to be forgotten, and the onus is on businesses to remove all data, bar that which must be retained for legal reasons.
Finally, GDPR requires that companies take better care of personal data and improve security. Should a company suffer a data breach, under GDPR the incident needs to be reported. With the existing data protection regulation, only certain types of company were obligated to report breaches.
How does GDPR apply to B2C and B2B marketing?
GDPR sets out that individuals must opt-in to any marketing communications. As the ICO's draft guidance on consent states, you must: "name your organisation and any third parties who will be relying on consent – even precisely defined categories of third-party organisations will not be acceptable under the GDPR."
Potentially confusing is Recital 47 of the GDPR, which also states that: "the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest." This would seem to imply that you can get by without consent. But as the Direct Marketing Association (DMA) points out, this statement applies to companies that have fulfilled their obligations under the current Privacy and Electronic Communications Regulations (PECR).
In other words, if you've collected data under current PECR regulations, you can legally process under GDPR.
When it comes to B2B marketing, the situation is slightly different. Under PECR rules, B2B communications should be 'opt-out', but GDPR changes a couple of things. First, according to the DMA, when dealing with sole traders or partnerships, the same rules for individuals will apply: you need opt-in consent to send marketing information.
When dealing with employees of a company, where personal information may be used, such as a work email address, you must provide an opt-out method.
The EU is looking to overhaul the ePrivacy Directive, the legislation from which the UK's PECR is derived, to put it in-line with GDPR. This is likely to mean a requirement for opt-in at all levels, for all types of marketing. The initial review is timetabled for completion in May 2018.
Do you require a data protection officer?
A lot has been written about the need for a data protection officer (DPO). Large companies will want to appoint one, but smaller companies are not all obligated to do so. The ICO makes it clear that there are three types of business that must appoint a DPO: you must do so if you are a public authority; if your business carries out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or if your company carries out large-scale processing of special categories of data or data relating to criminal convictions and offences.
That said, having one person in charge of GDPR and data protection makes a lot of sense, to ensure compliance and to create any necessary documentation.
How will fines be handled?
The headline numbers for GDPR fines sound rather scary and could put a lot of companies out of business. However, large-scale fines are not the goal of the ICO. As Elizabeth Denham, the Information Commissioner, wrote: "The ICO's commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick."
Provided businesses act responsibly, the ICO is there to help and advise. This support will be particularly important when GDPR comes into force, as this crossover period will likely result in fresh advice from the ICO as challenges are realised and met.
To make sure you don't miss part 2 of this blog series, sign up to our monthly digest below.
ComputerWorld offer a range of security services and solutions to help your business get prepared for GDPR covering:
- Identity Management
- Protection and recovery
- Perimeter security and Networking
- Patch Management
- Security Strategy and Auditing