Before the introduction of the General Data Protection Regulation (GDPR) in 2018, the 1995 Data Protection Directive was the most important data privacy and security law in Europe. However, it was enacted before the age of ‘big data’ and was not robust enough to deal with the new challenges that the Internet and the ‘web of things’ brought to data privacy. Nowadays, the average individual stores a significant amount of data online. European lawmakers recognised that data privacy laws needed updating to ensure that organisations keep this data safe. GDPR was created to address these concerns.
GDPR has had wide-reaching consequences. Any organisation which collects or processes data within the EU is subject to GDPR compliance, regardless of the physical location of its headquarters. Even businesses that only collect or process data through a subsidiary or branch based in the EU must comply with GDPR.
In addition to holding organisations accountable for the data they hold, GDPR granted new rights to individuals over their data. These include:
Data processing means the collection, handling, use, storage and destruction of information. Data processors and controllers are responsible for ensuring data security throughout the entire processing lifecycle.
However, GDPR does not treat all types of data the same. Some types of data are ‘high-risk’, although GDPR does not explicitly define which types of data (or data processing procedures) fall into this category. The regulation indicates that the organisation should determine the level of risk associated with the data or processing procedure by conducting a Data Protection Impact Assessment.
GDPR provides some guidance on what might be categorised as risky processing activities, stating “such types of processing operations may be those who, in particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing”. Just because an activity falls into one of these categories does not mean that it is automatically high-risk; organisations should consider many different factors when conducting the assessment.
Eight core privacy principles underlie GDPR.
GDPR’s new rules regarding individual consent made headlines when many organisations were assessing whether their mailing lists complied with the new legislation. GDPR requires organisations to obtain informed consent from data subjects to use their data for a pre-defined purpose. Only organisations that can produce a legitimate legal basis for the personal data to be held or processed are exempt from this rule.
This rule means organisations can no longer use pre-checked tick boxes to obtain consent; data subjects must deliberately give consent. This is particularly important for organisations with websites that use plugins and cookies to collect user data; the user will need to consent to these being used.
Organisations may need to conduct an audit on their data to see if they need to re-obtain consent for any of the information they hold.
GDPR states that individuals under the age of 16 cannot give informed consent themselves; a parent or guardian must give consent on their behalf. However, GDPR allows individual EU states to lower this age of consent to 13 if they wish.
There are some specific cases—such as a national emergency or criminal incident—for which the above rules do not apply, and consent is not needed for data collection to take place.
1) Carry out an audit: Audits help organisations assess whether the data they hold meets GDPR’s requirements. The audit should assess what data the organisation holds, how it is stored, and for what purposes it is used. The audit allows organisations to identify any particular issues which may need to be addressed to achieve full compliance.
2) Data management systems: Data management systems allow organisations to keep a record of what personal data they hold and process, where that data is stored, how they obtained it, and whether or not the need for retaining the data still exists. The organisation should appoint a member of staff to be responsible for the management of the data. Developing data management processes allows businesses to comply with GDPR efficiently.
3) Deleting data: Businesses should only keep data if they can still use it for its original purpose. The organisation should safely delete the data if this is no longer the case. Organisations should have a valid legal reason for keeping the data and processing it if the original purpose no longer exists. It is good practice to regularly delete data, as the less data an organisation holds, the less damaging a breach of that data would be.
4) Compliant reporting processes: Businesses must be able to prove to authorities that they are compliant with GDPR. Keeping detailed records of their policies and procedures allows them to prove that they follow GDPR’s requirements efficiently. If businesses fail to present the regulatory authority with sufficient evidence, they may be subject to a fine.
5) Data Protection Impact Assessments: Data Protection Impact Assessments (DPIAs) allow businesses to assess the risk level of different types of data they hold. They also allow businesses to identify data that would be particularly dangerous if compromised. Businesses are responsible for ensuring that all risks are identified and mitigated.
6) Train staff in GDPR best practices: GDPR requires all employees to undergo training. The amount of training that an employee needs depends on their specific role. Many data breaches occur due to employee negligence, such as leaving a laptop in a location in which it can be easily stolen. Furthermore, employee ignorance about basic IT safety practices may result in employees accidentally falling for phishing emails, which may result in millions of files being stolen by an attacker.
7) Employee training should be held regularly, in short sessions. Employees should be engaged during the training course, and tested on their understanding of their responsibilities under GDPR. Certain aspects of GDPR, such as the rules surrounding data processing, are more applicable in a day-to-day setting and should be allocated more time. Employees should be given regular reminders on issues such as IT best practices and the dangers of cyber attacks.
As employee training is a requirement of GDPR, auditors may need to see proof that training occurred, so it is essential to keep a record of all GDPR training events.
8) Data breach response plan: GDPR introduced strict requirements that organisations must follow in the event of a data breach. Organisations should plan for a potential data breach well in advance and ensure an efficient response to the incident. GDPR requires data controllers to notify the supervisory authority of a data breach within 72 hours of its discovery unless they have determined that the risk of harm to the individuals affected is minimal. Data processors are required to inform data controllers that a data breach has occurred without “undue delay”.
Organisations must notify individuals that their data has been compromised if it is possible that they are at heightened risk of fraud or having their data used for nefarious purposes. However, they are not required to notify individuals of a data breach if the breached data was “unintelligible to any person who is not authorised to access it”, such as through encryption.
Copyright © 2019 ComplianceHome