The current Data Protection Act of 1998 will very soon be repealed as we see the new and improved GDPR Regulations come into effect on the 25th May 2018.
The new law entered into force on the 25th May 2016 and has brought worry and confusion for many businesses; but how might it affect their in-house data protection systems, and what must they do in order to comply with this new law?
In order to really understand the regulations in their basic form, RSVP have boiled down all the necessary information on the whats, hows and whys of GDPR to help you on your way in preparation for 2018.
So what exactly is GDPR? The GDPR is essentially how organisations protect EU citizens' sensitive personal data. The regulation was originally set up by the European Parliament, the Council of the European Union and the European Commission to strengthen and unify data protection for all individuals within the European Union (EU).
So what qualifies as sensitive data now? Presently, the Data Protection Act of 1998 (DPA) covers all sensitive data, including the following:
Once GDPR is in effect, the current data protection regulations (DPA) will be repealed; so what’s the difference?
The new regulations are far more extensive in scope and application than the current DPA. In order to keep up the pace with modern digital technology, it is important to extend the data rights of individuals as people become more vulnerable to data infringement. GDPR also requires all organisations to develop clear policies and procedures to protect personal data, and adopt appropriate technical and organisational measures.
What are the key changes?
Here are some helpful FAQs that will help you get your head around how to make these changes and why they are important to implement.
1. After Brexit, will GDPR laws still apply to UK business?
The answer in short is yes. One of the key changes to the new DPA is that if your business is not in the EU you will still have to comply with the regulations regardless, making all businesses that deal with data accountable for data breaches.
2. What qualifies as personal data after May 2018?
The definition of personal data will become much broader in order to bring more data into the regulated perimeter and protect people from the modern-day vulnerability to technological infringement.
3. Will parental consent be necessary for all children's data processing?
There will be a limit on a child's ability to consent to the processing of their data without parental involvement, in order to further their safety and security.
4. Have the rules for obtaining consent been changed?
In order for people to understand terms and conditions more easily, companies will no longer be allowed to produce these documents in long, illegible formats. Instead, they will have to create much clearer and more concise arrangements using clear and plain language.
5. Will the appointment of a Data Protection Officer (DPO) be mandatory?
For certain companies - including all public authorities - the employment of a DPO is compulsory. These are organisations whose core activities involve any form of "regular and systematic monitoring of data subjects on a large scale" OR "large scale processing of special categories of personal data."
6. What are Mandatory Data Protection Impact Assessments?
These have been introduced in order to implement a risk-based approach before undertaking higher-risk data processing. These assessments must be conducted where the risk of a data privacy breach is higher, to analyse and minimise the risks to data subjects.
7. What are the new requirements for data breach notifications?
Under GDPR rules, notification will be mandatory when a breach is likely to affect the data subjects' rights and freedoms. There is a 72-hour period in which to notify data subjects, starting from the time you are first aware of such an event occurring.
8. Do data subjects now have the right to be forgotten?
The data subject now has the right to ask the processor to erase any personal details from their systems, and to stop any third parties from processing the data.
9. What restrictions have been put in place on international data transfer?
In order to ensure that the protection of personal data is not challenged, there are further restrictions when transferring data to countries outside the EU, third countries or international companies.
10. Do data processors share responsibility for protecting personal data?
Data subjects will be able to enforce their rights against data processors. There is a new enforcement regime which could open data processors up to sanctions, including hefty fines of up to 2-4% of global turnover OR €20 million (whichever is greater at the time, levied by watchdogs) for those that don't comply with the regulations.
11. Are there new requirements for data portability?
Yes, these new requirements allow data subjects to request a copy of the personal data they have previously provided in "a machine readable format" and have it electronically transmitted to another processing system.
12. Must processes be built on the principle of 'privacy by design'?
'Privacy by design' simply means that privacy in a service or product is taken into account not only at the point of delivery, but from the commencement of the product concept. Data controllers should now only collect the data necessary to fulfil the specific purposes and discard that data when it is no longer required.
So, where does all of this leave us?
The GDPR is a one-stop-shop
Firms will only have to deal with one single supervisor or authority rather than one for each of the 28 states within the EU. The reason for this change is that it will be cheaper for companies to do business in the EU.
Hiring a DPO (Data Protection Officer)
It seems like a lot to take in, but the most important change to take advantage of is the mandatory employment of a Data Protection Officer. It is imperative that you get to grips with everything required by the new GDPR regulations, but the government doesn't expect you to be able to implement all of this yourself.
It's clear that many of the requirements need a certain expertise in order to implement them professionally and accurately in the workplace, which is why you must seek the aid of a DPO. This can be done in two ways:
When preparing for an audit you should have a single 'source of truth' that documents all systems and processes that touch personal data, as well as the requirements that demonstrate the need for that data. If you create and maintain a culture in which your documentation stays up to date - either through manual effort, automation or both - you will find the auditing process far easier to approach and prepare for.
Bring on the 25th May, 2018!
Here at RSVP, we have a number of departments working together to make the implementation of these new regulations as painless as possible. The most important thing is a good head start; we aren't going to sit on our hands and wait. Measures are already in place to facilitate the transition and we are ready… are you?
If you have any further questions regarding these changes, get in touch via Twitter (@RSVPMediaUK) or by emailing our Business Development Executive, Lydia (Lydia.Hackett@rsvp.co.uk).
Best of luck and don’t leave it too late!