The EU has adopted the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016). It applies from 25 May 2018, and organisations have to be compliant by that date.
Certainty 1: You will be Audited and Could be Fined
The Information Commissioner's Office (ICO) has already shown that it will use its enforcement powers: it has issued monetary penalties for nuisance marketing under the existing rules, and GDPR gives it the power to audit organisations and to impose substantially larger fines. (Note that ICO fines are paid into the Treasury's Consolidated Fund; the regulator does not keep them, so fines are not a revenue stream for the ICO.)
Fines are not welcome publicity. A fine can cause further losses for an organisation through loss of trust, customers and sales.
Under GDPR the maximum fines are up to EUR 10 million or 2% of worldwide annual turnover (whichever is higher) for infringements of obligations such as data protection by design and by default or security of processing, and up to EUR 20 million or 4% of worldwide annual turnover for infringing the basic principles, data subjects' rights or the rules on international transfers. A fine does not require a breach to have occurred: failing to build data protection into your systems is itself an infringement. Companies will have to take GDPR very seriously.
Certainty 2: Brexit Will Not Protect Your Organisation
Do not think that you are protected by Brexit. While Britain negotiates with the EU it remains a member state and is subject to EU regulation, so GDPR applies in full from 25 May 2018. After Brexit, GDPR will still apply to a UK organisation that offers goods or services to, or monitors, people in the EU, because the regulation applies to processing of EU residents' data regardless of where the organisation is established (Article 3). The ICO has also stated that an equivalent UK standard, referred to as UK GDPR, will apply after Brexit (backed up by trade agreements), and that it will be at least equivalent to EU GDPR. Post Brexit, could the UK be a safer data haven than the EU?
The General Data Protection Regulation sets out seven core principles of European data protection.
Many will struggle to read the 88 pages of the GDPR as published in the Official Journal. Since EU regulation is set out in principles, the place to start is Chapter II, Article 5, which states the following seven principles:
Principle 1 LAWFULNESS: Personal information will be processed lawfully, fairly and in a transparent manner
This principle requires a lawful basis for every processing activity. Consent is the best-known basis, but it is only one of six set out in Article 6 (the others being performance of a contract, a legal obligation, vital interests, a public task and legitimate interests). Where consent is relied upon it must be freely given, specific, informed and unambiguous, given by a clear affirmative action, and the controller must be able to demonstrate that it was given. Opt-in tick boxes are therefore still permitted, but pre-ticked boxes, silence or inactivity do not constitute consent. Special category (sensitive) data needs explicit consent or one of the other conditions in Article 9; if your organisation has a legitimate need to handle such data, for example to perform a contract, there may be a balance to strike, but the basis must be identified and documented. For websites, consent for cookies and similar tracking remains a requirement under the separate ePrivacy rules.
Databases that have been used in the past for mass emailing without consent will have to be reviewed in depth to comply. Junk mail marketing campaigns may be a thing of the past.
Principle 2 PURPOSE LIMITATION: Personal information can only be collected for specified, explicit and legitimate purposes
Where and when personal information is collected, the data subject (the person from whom the data is being collected) must be told the purpose of its collection (WHY) and of any subsequent processing (WHERE AND BY WHOM). Organisations have to communicate clearly with data subjects about what their personal information is going to be used for, and may not later use it for an incompatible purpose. Data subject access requests will in most cases be free of charge, so organisations can expect an increased volume of requests. The ICO will actively encourage data subjects to access their own information.
Principle 3 MINIMISATION: Personal information has to be reduced to the minimum, relevant, and adequate
When collecting personal information, the data controller (your company) must only collect personal information that is adequate, relevant and limited to what is necessary for the specified purpose. If your company records a date of birth or a mother's maiden name where there is no need for it, your organisation will breach GDPR, unless that data is genuinely necessary for the stated purpose, for example to perform a contract. If sensitive data is needed, the business must be able to demonstrate why it is necessary; under the accountability principle the burden is on the controller to show this.
Principle 4 ACCURACY: Personal information has to be accurate and kept up-to-date
The data controller has to take every reasonable step, in line with best practice, to ensure that the information collected is correct and, where necessary, kept up to date, and to erase or rectify inaccurate data without delay.
The regulation is trying to mitigate the risk that processing incorrect personal information causes distress, loss of reputation or financial loss to data subjects.
Principle 5 STORAGE LIMITATION: Personal information shall be retained only for as long as necessary
All personal information will now need a retention period appropriate to the purpose for which it was collected, after which it is deleted or anonymised. Indefinite retention without a justified purpose breaches this principle and will attract fines; the only exceptions are archiving in the public interest, scientific or historical research and statistics, and those require appropriate safeguards.
Principle 6 INTEGRITY AND CONFIDENTIALITY: Personal information shall be processed in a manner that ensures appropriate security
This principle requires data controllers and processors to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures. In practice this means that their information systems must maintain the confidentiality, integrity, availability and resilience of the systems and services that process personal data.
Principle 7 ACCOUNTABILITY: The Organisation Must Be Able to Demonstrate Compliance
This last principle makes the controller responsible for compliance with the other six principles and requires it to be able to demonstrate that compliance, through records of processing, policies, impact assessments and, where required, a Data Protection Officer. In practice the board is accountable: a data breach or a failure to demonstrate compliance exposes the organisation to the fines above, and in regulated sectors such as financial services a sector regulator like the Financial Conduct Authority may take its own enforcement action against the firm and senior individuals.
A Final Word
Following these principles is not enough on its own to be compliant. They need to be managed with a proper programme to educate staff and to plan, design and maintain the principles within the business processes. Please contact us for further details via our contact form.
Follow our blog to understand better how to implement GDPR without it having to be expensive.