In this data-driven world, data protection is increasingly important and has changed dramatically since the first protection act was put in place. Currently, the main law is the Data Protection Act 1988, which was amended by the Data Protection (Amendment) Act 2003. This means that data protection regulations haven’t been updated in 14 years! These rules need to be updated frequently to impose strict obligations on data-holding companies. After all, a great deal happens in technology and data from year to year, and these companies need to keep an eye on it.
The introduction of the General Data Protection Regulation (GDPR) aims to put our minds at ease on this pivotal data protection issue. It will be implemented in May 2018 and will replace the current outdated acts. The goal of the GDPR is to ensure that citizens have control over their own personal data; it will impose strict rules on data controllers and processors, anywhere in the world. (1) Below, I will discuss the new and refurbished regulations governed by the GDPR.
EU and Non-EU
The GDPR is the first global data protection law. That’s right, it not only applies to the EU, but to all companies worldwide that process personal data belonging to European Union citizens. This includes all those who process data by means of websites and cookies. Since online identifiers are now included in the definition of personal data, all institutions performing data analytics, analysis of user behaviour, advertising or social channels need to revise their procedures to ensure their compliance with the GDPR. For example, if a cloud storage service holds data owned by an EU resident, it must comply with these new regulations or suffer the consequences of the heavy fines outlined below. (2) Furthermore, this element of the GDPR will hopefully push companies around the world to take data protection more seriously.
Overseeing data protection strategies and the implementation of those strategies is fundamental for compliance with the GDPR. This cannot be done without the intelligence and expertise of the Data Protection Officer (DPO). Data controllers and data processors are required to designate a DPO in certain circumstances, to be involved in issues relating to personal data. DPOs must have “expert knowledge of data protection laws and practices”. They are responsible for educating the company and its employees on important compliance requirements, training the staff involved in data processing, and conducting regular security audits. (3) They then report their analysis and feedback to the highest management level. For further information on DPOs, you can read Section 4 of the Official Journal of the European Union, which explains the designation, position and tasks of the DPO.
Data Controller and Processor Obligations
For the first time ever in EU data protection history, an even balance between the responsibilities of data controllers and processors will be created. In the past, controllers were required to comply with the law and processors were only obliged to do as they were instructed to by the controller. Under the GDPR, data processors will be placed under a direct obligation to comply with certain requirements which previously only applied to data controllers.
Data controllers determine the purpose and the way in which data is processed. They must comply with the law, which includes requiring them to maintain certain documents; conduct a data protection impact assessment for riskier processing; and enforce data protection by design and by default. By contrast, the processor processes the data on behalf of the controller. Processors must also comply with the law, but their duties differ slightly from the controller’s. Processors are required to maintain written records of processing activities for the controller; designate a DPO in certain circumstances; appoint a representative if needed; and notify the controller of any personal data breaches that may occur. These new obligations constitute joint and several responsibilities for compliance with the new regulation, which is hoped to minimise data loss and breaches. (4)
Permission is a common courtesy. It grants you the freedom and ease to perform a requested task or provides you with something you desire. For example, girls borrow clothes from each other; that’s just a fact. It doesn’t matter if it’s a sibling, a friend or even your mother! Everyone has borrowed at some time. However, have you ever done so without asking? Yeah, it’s not pretty. Nine times out of ten, if you ask for permission, you get it. It not only builds trust, but it shows a sense of shared power. Data controllers seeking consent from data subjects prior to processing their personal information is no different. They can’t just obtain someone’s information, process it, then use it without permission. Under the GDPR, requests for consent must be clear and separate from other terms. Essentially, customers must be aware of what they are consenting to and should not be forced to consent. Consent should be easy to withdraw on demand, and the data controller is required to show that it was given. (5)
A large bite will be taken out of the funds of breached organisations, who will find the fines they face increasing sharply. If you think a fine of £500,000 from the current protection act was rough, you’re in for serious consternation. Severe infringements can merit GDPR penalties reaching €20 million or up to 4% of a company’s global revenue. These fines are triggered by breach of regulation relating to international transfers or the basic principles for processing, such as consent conditions. The imposition of a lesser fine of up to 2% of global revenue can be issued for other specified infringements. These penalties are certainly going to grab the attention of data-holding companies as they can be seen as a threat of insolvency. However, introducing pricey fines will urge organisations to implement a secure system to reduce breaches of personal data. (6)
Under the current data protection Directive, data controllers face administrative burden, uncertainty and inconsistency. To reduce this, the GDPR provides a central point of enforcement through a system of co-operation and consistency procedures. This is called the ‘one-stop-shop’ mechanism. So what is this? The so-called ‘one-stop-shop’ rule is only applicable to controllers or processors carrying out ‘cross-border processing’. Using the mechanism, controllers and processors will be able to communicate with a single lead DPA (data protection authority) when cross-border data processing takes place.
The critical benefit to controllers and processors is the ability to comply with the GDPR by relying on a single or main establishment and a corresponding lead DPA. It gives them assurance and precision about their compliance with the new law and their ability to proactively engage with the DPA. The new European Data Protection Board will have a key role in the one-stop-shop (OSS) mechanism. Its role is to issue opinions and guidance, ensuring consistent application of the GDPR, and to report to the Commissioner. (7)
Preparation for compliance can’t be done overnight, so it is imperative to raise awareness about the requirements sooner rather than later. According to reports from TRUSTe and TrendMicro, about 50% of companies are still not aware of the GDPR. Although getting to grips with this regulation will present challenges for these companies, there’s still an abundance of time. Research on the GDPR would be an asset to data-holding companies, and even to individuals, who both have rights to act on and duties to fulfil. The colossal volume of information relating to the GDPR cannot all be captured by one person; there’s too much! So don’t panic. Having knowledge of certain parts of it will definitely serve you well.
In order to save on costs, and make the compliance less painful, have a look at Intouch solutions. The Intouch enterprise ecosystem for contact details will help you gain high quality personal details being driven by user consent.