­­    

​

 

​

 

GDPR (General Data Protection Regulation) was agreed in the European Parliament on 14th April 2016 and will be enforced from 25th May 2018. The GDPR will harmonize data handling requirements across Europe and as it is a regulation rather than a directive it will eliminate national differences.  It also serves to update data protection legislation to take account of technology advancements and plans for future innovation.

 

 

GDPR is enforceable from 25th May 2018

The regulation applies to any EU citizen data, personal or professional, irrespective of where that data is processed. This also means that post Brexit, most UK business will still need to comply.

 

 

Key changes brought in by the regulation impacting businesses and public bodies include:

 

• Regulation concerning Data Controllers & Processors

• Rules concerning acquisition of consent

• Rights of individuals over their own data

• Role and working practices of Data Protection Officers (DPOs)

• Breach incident obligations

• Data breach fines

• Privacy by design

 

We will examine these changes in more detail and look at actions your business should take to move towards GDPR compliance

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Data Controllers and Processors

 

Action!

 

 

 

• Review contracts

 

• Review data held

 

• Review data lifecycle

 

• Review data protection

 

 

 

Data Controllers and Processors are equally responsible

for data protection

Data controllers and data processors will now be equally responsible for the protection of data and avoidance of breaches and therefore data processors must also comply with the regulation. A data controller cannot therefore outsource the risk to a third party such as a cloud service and is responsible for downstream control of data.  It is important that you ensure your contracts with any data processors you use are clear on data protection responsibilities and they too are GDPR compliant.  This is necessary even if the data processor is not headquartered in Europe.

 

 

 

Consent

 

When a business is seeking consent to use an individual’s data then the consent request must be clear and easy to understand.  Implied consent will no longer be sufficient – unambiguous consent is required therefore pre- ticked boxes or other assumptions of consent will no longer be acceptable. It must also be clear the reason you are requesting consent and if you plan multiple uses of the data then each use case needs to be identified. You have an obligation to document when and how consent was given for future reference. Should you be processing data on children below 16 years of age you are also required to obtain parental/guardian consent, this age limit may be reduced by individual countries to a minimum of 13. You are not required to refresh all DPA consents in preparation for GDPR but must make sure you comply with the requirements – it is a good opportunity as you communicate with customers to refresh the consent.

 

 

Unambiguous consent of individuals is required

 

 

Rights of individuals

 

 

Action!

 

 

 

 

• Review data portability approach

 

• Review capability to respond to subject access requests

 

• Review process for data update

 

The Data Protection Act already gave individuals many rights, the key change in the GDPR is the “right of data portability” which combined with “right of access” and “right to be forgotten” (erasure) gives an individual a high level of transparency.  An individual has the right to see all data held on them, the right to erasure (except in certain circumstances) and the right to be given their data in a commonly used machine-readable format at no cost (for data they provided to the controller for automated processing). An individual retains the right to rectify errors, restrict processing, object to data use and not to be subject to automated decision-making/profiling.

 

Controllers have a right to refuse to delete data under specific circumstances (compliance with legal obligations or public health, or rights of freedom of expression).

 

If a business receives a subject access request you have a reduced period of 1 month to comply.

 

 

Right to data portability – delivery in a month

 

DPO

 

 

Action!

 

 

 

• Review requirement for DPO

• Review support & authority of DPO

• Review data   recording/reporting

 

There is no longer a requirement to register your data processing activity with a supervising authority, you are now required to maintain internal records this will simplify and improve the process of managing your data processing activities.

 

A DPO is mandatory where data processing is carried out by:

< >A public authority or A company whose core activities require systematic monitoring of data subjectsCompanies processing data on a large scale (large scale not yet specified – considering 5000 records per year)If the business is processing 'Special categories' of data, e.g. health, religious and political beliefs, criminal convictions 

Clarity on DPO requirements, role and responsibility

 

 

 

Breach Notifications

 

 

Action!

 

 

 

• Review security incident plan

• Review breach role & responsibilities 

 

Mandatory actions following a data breach have changed. A breach must now be notified to a company’s supervising authority within 72 hours furthermore the data subjects should be notified without undue delay ensuring that the data controller can’t wait months and years to inform those affected by a breach. Breach notification to affected individuals may not be deemed necessary if it can be shown that access to the data was not possible (e.g. if it was encrypted)

 

 

 

 

Breach notification to DPA within 72 hours of breach

 

 

 

 

 

 

 

Breach Fines

 

 

Action!

 

 

 

• Inform Board of breach fine changes

 

Fines for companies who have suffered a breach have changed.  There are now 2 tiers of fines that are applied according to the severity of a breach up to 4% of global annual TO or €20 million for major breaches and up to 2% or €10 million for data record breaches or failures to notify.  While these are the maximum levels that can be levied, they won’t apply in every case, that said, it is clear that fines will rise from the current levels. Fines will apply to both controller & processor as they are equally responsible.

 

 

Significant increase to breach fines

 

 

 

 

 

Action!

 

 

 

• Review & edit project plans to include privacy by design approach

 

• Review technology solutions

 

Privacy by Design

 

While privacy by design and privacy by default is not a new concept, GDPR makes it a legal obligation so it is no longer permissible to add privacy and security as an afterthought to a system or process. Data controllers & processors are required to build privacy into their processes and technology solutions from the outset.

 

 

 

 

Privacy by design becomes legal obligation

 

 

 

 

 

 

 

Implementation of GDPR in the UK

 

Action!

 

 

 

 

• Check compliance with UK definition of personal data

 

• Check ability to comply with automated profiling opt-out

 

 

 

 

The UK’s Data Protection Bill, will get its first reading in September 2017 (the second reading, when lawmakers debate legislation, is not currently scheduled).  The Bill is designed to: < >Implement the GDPR and the new (UK) Directive which applies to law enforcement data processing Replace the Data Protection act of 1998 Modernise data processing by law enforcement agencies covering both domestic & international data processing & transfer Update the powers and sanctions available to the Information Commissioner.Require social media companies to delete all of an individual’s posts from before they were 18 should they request it.The definition of personal data will be extended to include IP addresses, website cookies and DNA all of which can be used to target individuals.  Enable an individual to demand to be excluded from automated processing and profiling and to have the profiling done by a person (e.g. for insurance, mortgages etc.)The Data Protection Bill sets the maximum fine at £17 million and 4% of turnover translating it to UK currency.The powers of the Information Commissioner will be extended and strengthened to enable it to implement the new regime.There will also be two new criminal offences, which could have unlimited fines: Re-identifying people from reconstruction of bits of anonymous dataTampering with data that has been requested by an individual

Summary

 

GDPR will harmonise the processing of data across Europe and will offer individuals far greater transparency and choice over how their data is used.

 

By clearly understanding the key changes that GDPR will bring and implementing a company wide action plan your business will achieve GDPR compliance by the deadline date of 25th May 2018.  GDPR compliance will improve and enhance your process leading to better protection of your customers and improved customer service.

 

A number of key actions have been highlighted in this article.  Blue Cube Security have prepared a detailed action plan that will help you further in prioritizing your actions and reviewing technology solutions to support GDPR compliance, contact us directly for further consultancy and assistance.

 

 

 

Additional UK protections to be implemented

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Blue Cube Security Ltd.

Fairway House

Portland Road

East Grinstead

RH19 4ET

enquiries@bluecubesecurity.com

+44 (0) 345 094 3070