What is GDPR?
This is the question on everyone’s minds at the moment. The May deadline is fast approaching and it seems that every other email I get is a company trying to sell me a service that will help me with my GDPR goals.
Basically, GDPR is the European Union's and the European Commission's initiative to strengthen and unify data protection for all individuals within the European Union. In plain English, it introduces a set of rules designed to prevent personal data from being exploited or misused, whether intentionally or accidentally. Many of these rules already exist in various forms; the GDPR legislation is designed to bring them together in one place and make them part of European law. By making them European law and putting a deadline on their implementation, the belief is that our data will be much safer.
Do I need to worry about becoming GDPR compliant?
For some companies, the idea of becoming GDPR compliant seems pointless. Perhaps your company does not handle much ‘personal data’, perhaps you have no employees to worry about, perhaps you do not hold any customer data on file. If you have been reading about GDPR and feel that it does not apply to you, I would strongly suggest that you think again.
It is true that the ICO (for more on the ICO, see my previous post) is unlikely to investigate and fine a one-man design company, for instance; it would be considered a bit of a waste of their time. They have bigger fish to fry: the huge corporations who process billions of bits of data each hour.
Consider the scenario below:
Blackfish Designs wins the contract to design the customer-facing user interface of a new app intended to improve the interaction between a popular loan company and its customers. This is a lucrative contract for such a small company as Blackfish Designs, whose staff comprise two designers and one part-time member of staff who deals with the accounts and basic admin of the business.
The design has been approved and the deadline for the app to go live is fast approaching. All seems to be going well until the first batch of beta testers’ results comes in and it is discovered that an aspect of customer interaction is missing. Both the app developer and the designer are called in to work on the app at the head office of the loan company. They are given access to the beta tester group’s data and asked to fix the issue as soon as possible. This they do, and they go home with a large payment for their trouble.
A couple of months later, Blackfish Designs’ server picks up a worm from the internet. The company had no internet security in place: no firewall on their servers and outdated antivirus software on their computers. This worm goes through their data and harvests names, phone numbers, email addresses and all information on recent projects they have completed. This is a major inconvenience to Blackfish Designs and costs them a lot of money in upgrading and replacing the server and software damaged in the attack.
A little while after this, they are called in to see the board members of the loan company. It is explained that a couple of customers who use the app have been receiving unwanted phone calls, unsolicited emails and letters from a rival company. This rival company seems to know an awful lot about the individual customers and their loans. As a result, a complaint has been logged with the ICO and a full investigation has been launched. The loan company is in the frame for some very harsh penalties and, understandably, a massive loss of customers as its reputation is tarnished by this. As the data controller, the loan company was in charge of collecting the customer information and storing it in a safe and secure way, in line with its existing GDPR policy. During the investigation, the ICO officer has discovered that all of these customers were part of the group who beta tested the app. Each of the systems in place at the loan company headquarters and at the app developer’s company has been trawled through, and there is no obvious way in which this data could have been accessed from outside these companies.
So, this is, of course, a rather extreme example designed to scare you. But the reality is that all it will actually take is a couple of complaints to the ICO, with your company name mentioned, to lead to the ICO launching an investigation. For small companies, this could end in disaster if you do not have robust policies and procedures in place. Now is the time to get this fixed.
**Blackfish Designs is a made-up company. If it bears any resemblance to an existing company in name or description, this is merely a coincidence.
GDPR Penalties and fines
The introduction of harsher penalties and fines is designed to ensure that the legislation is adhered to and taken seriously. Any gaps in policy or data breaches will ultimately incur these fines and an audit from the Information Commissioner’s Office (ICO).
These fines are ‘discretionary’ rather than mandatory. Information from the IT Governance website states that these fines and penalties must be “imposed on a case-by-case basis and must be ‘effective, proportionate and dissuasive’”.
To be honest, the general consensus is that, until a test case has gone through the European court (or possibly, in our case, the UK courts), we will not really know the extent to which these fines will be upheld.
It is important to remember not to be scared by this. As long as you practise due diligence and have the correct policies in place before the deadline, you should be well on your way. Once you are happy that this is the case, you just have to ensure that these policies are regularly checked and that you and your staff are following them.
It is as simple as that.
Where to start with GDPR?
The deadline for GDPR compliance is fast approaching.
May 25th 2018
Although the official timeline states that companies have had 2 years to implement the relevant policies and procedures, in reality, the term GDPR has only been on many people’s radar since early 2017. Now, however, it is everywhere.
There are many resources out there for anyone struggling with this implementation but sometimes it is hard to wade through all of this. The ICO themselves have many resources on their official website which should help, as does the IT Governance website.
Here are the ICO’s 12 steps to getting started.
GDPR checklist from ICO
Awareness
Make sure all the decision makers and anyone who will be involved in handling personal data and upholding the policies are aware of GDPR and what it means. Make sure your staff are briefed on the relevant procedures for handling personal data and know the consequences of not following them.
Information you hold
Run a data audit on all of your records. This sounds scary, but all you need to do is find out what data you hold, how it is used, where it was collected from, when it was obtained and when it will be destroyed, and who has access to it. Depending on the size of your company, this could be a simple job or a project which needs a bit more resource ploughed into it. It is, however, a necessary step to take. If you don’t know what you have, then you won’t know what policies and procedures you need to implement in order to look after it.
Check out ‘How to carry out an internal audit’
Communicating privacy information
Review your current policy and make any necessary amendments to bring it in line with GDPR. Re-issue it to any interested parties. Make this updated policy available on your website, to your staff and to your customers, and ensure that there is a link to this policy on all of your online marketing material. Make sure that your policies and procedures cover all of an individual’s rights. If they don’t, then make sure you get them up to date so that they cover all aspects of an individual’s data:
Right to be informed
Right to access
Right to rectification
Right to erasure
Right to restrict processing
Right to data portability
Right to object
Right not to be subject to automated decision-making, including profiling
Subject access requests
These now need to be completed within 30 days and can no longer attract a charge. They have to include all relevant information held about the ‘subject’ and be provided in a secure way and in a commonly used format.
A lawful basis for processing data
Consent is no longer enough of a reason to use a person’s data (see Lawful basis). Consent can now be withdrawn at any time and can be limited. See more on consent here.
Consent
Review your policy for gaining consent: does it meet the GDPR criteria?
Update any existing consent you currently hold in a transparent way.
Children
You need to start thinking about whether you need to put age restrictions in place and how you verify an individual’s age.
This may not apply to everyone, but it is worth thinking about.
Data breaches
Data breaches are becoming more and more common in this cyber age. It is vitally important that you have a robust policy in place to deal with them WHEN (and not IF) they occur. It is not enough to react to a data breach; you need a pre-emptive policy in place, and it needs to be tested.
Data protection by design/data protection impact assessments
Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments and the guidance from the Article 29 Working Party. Implement these in your company.
Data Protection Officer
Your company needs a Data Protection Officer; it is their job to take responsibility for compliance with GDPR. This person can be from within the company or can be an external party. There are companies who provide this service, and some law firms are also able to provide it at a cost.
International
Don’t overlook your international obligations. GDPR covers data shared within the EEA. It also covers data which belongs to EEA citizens being shared outside Europe and the EEA. See the European Commission’s website for more information on where you can safely send data and how.
The Data Protection Act states: “Personal data shall not be transferred to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
Safe Harbour is also covered under this principle and applies to any non-EEA country or state that has chosen to abide by these rules.
This is not an area in which I need to delve too deeply, thankfully. So I’m afraid I won’t be giving you any gems of wisdom on this topic. The European Commission’s website is probably the best place to get the most comprehensive overview of this aspect of GDPR.
The original ICO document can be found here: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf