European lawmakers have long been concerned that the pace at which technology is changing means that laws and regulations in place to protect consumers from the dangerous side effects of such advances quickly become obsolete. The amount of information that individuals store online is unprecedented; never before have we seen consumers swapping huge amounts of their data with businesses in exchange for use of services. While many countries had regulations in place that held these companies to account for the protection of the data obtained in these transactions, a large proportion of these laws were weak and not robust to further technological developments. As a result, it was largely up to organisations to implement their own data protection strategies.
This clearly presents a problem, as a patchy data security culture leaves everyone less secure. In January 2012, the European Commission set in motion plans to reform data protection laws across the European Union to make the law “fit for the digital age”. This process eventually produced the 99 articles of the General Data Protection Regulation, or GDPR. Implemented in May 2018, the regulation has already revolutionised the data security sector across the globe.
It is essential that any organisation that handles the personal data of individuals is aware of the requirements of GDPR in order to remain fully compliant with its stipulations. The penalties for a violation are substantial: either €20 million, or 4% of the company’s global annual turnover, whichever is higher.
This article gives a brief overview of some of the most important aspects of GDPR compliance, but it is strongly recommended that, if there is any uncertainty in the application of GDPR, your organisation seeks legal counsel.
GDPR is a complex piece of legislation, and understanding the basic facts is essential to achieving full compliance. GDPR classes organisations into one of two categories: data controllers, which collect data from EU residents, or data processors, which process data on behalf of a data controller. Recognising which category your organisation falls into is vital to achieving full compliance, as each category has its own stipulations in the legislation. It should be noted that an organisation can belong to both categories.
Another important aspect of compliance is understanding who exactly is required to comply with GDPR. Although ostensibly it appears to only apply to EU businesses, being a piece of EU legislation, its scope is in fact much larger. Any organisation that collects or processes data of individuals located within the EU is required to comply with GDPR, regardless of the location of its physical headquarters. This is also true if only a branch or subsidiary of the organisation is based within the EU.
Another common misconception is that GDPR only grants rights and protections to EU citizens. In fact, it applies to any data collected within the EU, regardless of the nationality of the individual. Furthermore, GDPR does not protect the data of EU citizens travelling abroad. So, for example, if a Mexican citizen travelling in Europe exchanges their data for use of a service, such as giving some personal information for use of free WiFi, that data must be protected by the standards outlined in GDPR. However, a French citizen travelling in Mexico would not be covered by GDPR if a similar transaction were to occur, but would be protected by Mexican data laws.
In short: any business that operates within the EU, and collects, processes, or handles data that has been collected within the EU, must comply with GDPR.
Another important note is that small businesses are generally not required to comply with GDPR. GDPR’s Article 30 defines a small business as having fewer than 250 employees. However, some exceptions exist, such as if the small business is involved with processing data that may affect the “rights and freedoms” of an individual. These data types are outlined in Article 9, and include sensitive data such as religious beliefs and sexual orientation.
Although the UK is due to leave the EU in March 2019, GDPR was introduced to their laws in May 2018 along with the other member states. Therefore, GDPR will remain as a part of UK law after Brexit.
All organisations which operate within EU Member States must process data that is collected from anyone within their boundaries according to GDPR rules. GDPR covers all types of organisations, including public agencies, governments, or companies of various sizes.
In order to comply with GDPR, organisations must obtain informed consent from individuals to process their data for one or more purposes. Personal data must not be processed unless there is at least one legal basis to do so. Consent must be unambiguous, informed, and not automatic. Businesses must obtain the consent of the individual for each specific reason for processing. For example, organisations using pre-checked boxes or consent-as-default are in violation of GDPR.
According to Article 6 of GDPR, the lawful purposes of data processing are:
(a) If the data subject has given consent to the processing of his or her personal data;
(b) To fulfil contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
(c) To comply with a data controller’s legal obligations;
(d) To protect the vital interests of a data subject or another individual;
(e) To perform a task in the public interest or in official authority;
(f) For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children).
This is perhaps one of the most important aspects of GDPR: introducing an EU-wide standard for data protection. Although the initial cost of ensuring that the correct safeguards are in place may be large, it is an essential part of ensuring your organisation is GDPR compliant. Some of the most important requirements are outlined below.
Article 25 of GDPR stipulates that data protection and privacy settings must be at a high level “by default”. Technical and administrative safeguards must be in place to ensure that the levels of data protection comply with the regulation. These standards for data protection are high, and require many organisations to change the data security framework within their organisation to ensure that these standards are met.
For example, passwords are not considered a sufficient security measure on laptops or mobile phones which store data, as a hacker can use relatively simple software to guess the password. Although these measures may be costly, all organisations covered by GDPR are expected to encrypt such devices to ensure that the data is protected. GDPR specifies that encryption and decryption operations must be carried out by the organisation locally, and not by a remote service, as both keys and data must remain “in the power of the data owner” if a high level of security is to be achieved.
GDPR also refers to pseudonymisation as a method of ensuring the integrity of sensitive data is maintained. Pseudonymisation is a data management technique in which personally identifiable information (PII) is transformed in such a way that the resulting information cannot be attributed to a specific data subject without the use of additional information. Encryption may also be used to this end. Pseudonymisation offers the advantage that with the correct key, the data can be restored to its original state. If anonymisation were to be used instead, the data can never be fully restored.
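The distinction drawn above between pseudonymisation (reversible with the key) and anonymisation (never reversible), as an added example that is not from the original article: a keyed token replaces the direct identifier, and the key plus the token-to-identifier table are the “additional information” that must be stored apart from the dataset, while the anonymisation path simply discards the identifier. The records and the key are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people) for demonstration only.
RECORDS = [
    {"email": "alice@example.com", "city": "Lyon", "purchase": 42.0},
    {"email": "bob@example.com", "city": "Lyon", "purchase": 17.5},
    {"email": "alice@example.com", "city": "Lyon", "purchase": 9.9},
]


class Pseudonymiser:
    """Reversible pseudonymisation of a direct identifier.

    The key and the token->identifier table are the 'additional information':
    in practice they live in a separate store under separate access control,
    so the pseudonymised dataset on its own cannot be attributed to anyone.
    """

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)  # constructed key
        self.lookup = {}  # token -> original identifier

    def pseudonymise(self, identifier):
        # Keyed HMAC rather than a plain hash: without the key, hashing a
        # guessed e-mail address does not let anyone confirm a match.
        digest = hmac.new(self.key, identifier.encode(), hashlib.sha256)
        token = digest.hexdigest()[:16]
        self.lookup[token] = identifier
        return token

    def reidentify(self, token):
        # Restoring the original value requires the separately held table.
        return self.lookup[token]


def pseudonymise_records(records, p):
    # The same identifier maps to the same token, so analysis can still link
    # one subject's records together without revealing who the subject is.
    return [{**r, "email": p.pseudonymise(r["email"])} for r in records]


def anonymise_records(records):
    # Irreversible: the identifier is dropped and nothing retains it.
    return [{k: v for k, v in r.items() if k != "email"} for r in records]
```

Because the table is keyed by the token, deleting a subject's entry from the table (and the key, if per-subject keys are used) is one way to honour an erasure request without rewriting the analytical dataset.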
Most organisations that fall under GDPR’s jurisdiction are required to employ a data protection officer (DPO). The DPO is expected to be an individual with expert knowledge of data protection laws and practices. The designated DPO may be a current member of staff, or a third-party contractor, depending on what suits the organisation’s specific capabilities and needs. However, the DPO may not hold a conflict of interest, and must be impartial in carrying out their role.
The appointment of a data protection officer (DPO) is only a requirement for large businesses under GDPR. However, if a small business is processing sensitive information, as described in Article 9 of the GDPR, it may be a requirement for them to do so.
The DPO’s roles include educating staff members on data subject rights, advising the organisation on data management and GDPR compliance, assessing IT networks and data security systems for their effectiveness, monitoring internal data compliance, and cooperating with the Lead Supervisory Authority.
Article 33 of GDPR requires data controllers to notify the supervisory authority of a data breach within 72 hours of its discovery unless they have determined that the risk of harm to the individuals affected is minimal. Data processors are required to inform data controllers that a data breach has occurred without “undue delay”.
Article 34 stipulates that the organisation is required to notify individuals that their data has been compromised if it is possible that they are at heightened risk of fraud or having their data used for nefarious purposes. However, they are not required to notify individuals of a data breach if the breached data was “unintelligible to any person who is not authorised to access it”, such as through encryption.
Another vital aspect of GDPR compliance is ensuring that all of the new rights granted by GDPR to individuals over their data are respected. These new rights are another revolutionary aspect of GDPR, and have received a great deal of press attention. The “right to be forgotten” outlined in Article 15 is a notable example. Should an individual request that a business erase all of their data held by the business, under GDPR, the business is required to comply with the request.
Article 20 outlines data portability rights. This means that individuals may also request that an organisation transfer their data to another, competing service provider. Under GDPR, the organisation is required to comply with this request.
Creating effective frameworks to ensure that these requests are met efficiently should be a priority of any organisation seeking to be fully compliant with GDPR.
1) Achieve a thorough awareness of all the rules and stipulations of GDPR
2) Perform a comprehensive audit on data and know what data is being held and for what purpose
3) Check that all processes and procedures that involve consumer data are GDPR-compliant
4) Ensure that consent for data collection and processing is obtained in a GDPR-compliant manner
5) Recognise high risk data and processes as described by Article 9 of GDPR and change business practices to handle this data in a safe and secure manner
6) Have a full data breach contingency plan in place
7) Consult with a third-party data security expert to ensure that your organisation’s security framework is both robust and fully compliant with GDPR
Copyright © 2019 ComplianceHome