How to become GDPR compliant
Since the General Data Protection Regulation (GDPR) came into force on 25th May 2018, organisations in the UK must comply with the new legislation. GDPR is a European Union (EU) law that applies to all EU companies, as well as to organisations outside the EU that supply goods or services to the EU or monitor EU citizens. Following a number of high-profile breaches involving household names such as Facebook and Uber, data security is at the forefront of public awareness. Thorough data protection training and GDPR knowledge are business essentials.
In order to become GDPR compliant, you must first understand the rights of the individual granted by the legislation. They are as follows:
- Right to be informed of how your data is being processed
- Right to access this data
- Right to rectify incorrect data
- Right to erase data
- Right to restrict processing of personal data
- Right to data portability – this means that as a business you will need to put in place a system by which you can quickly and easily compile all the personal data you hold on an individual and make it securely accessible to them
- Right to object to your data being processed
- Rights relating to automated decision making, including processing
Organisations must then identify their role in the flow of data, e.g. are they a data controller or a data processor? Data controllers determine why and how personal data will be used. Data processors are individuals or companies that process personal data on behalf of a data controller.
Whilst data controllers retain ultimate responsibility for protecting the personal data they hold, data processors are also required to comply with GDPR when processing and storing personal data. Data controllers should draw up a written contract in which their processors agree to comply with the controller's data policies, and ensure it is signed by all third parties.
Under GDPR, it is important to identify the lawful basis for processing personal data. The acceptable reasons are:
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
When processing special category data (sensitive personal information), the grounds on which it can lawfully be used differ: processing requires both a lawful basis and a separate special category condition.
The GDPR requires some organisations to appoint a Data Protection Officer (DPO). A DPO is kept separate from the daily processing activities of your organisation but is responsible for ensuring GDPR compliance. You must appoint one if: you are a public authority; you carry out regular, large-scale monitoring of individuals as a core activity; or you conduct large-scale processing of special category data, or of data on criminal convictions and offences, as a core activity.
Businesses must conduct a Data Protection Impact Assessment (DPIA) if a processing activity is likely to result in a high risk to individuals. This is intended to identify and minimise risk to individuals' personal data. The risk assessment considers both the likelihood and severity of impact of the risk. If whilst conducting a DPIA you identify a high risk which you cannot mitigate, you must inform the ICO.
Consent is also more tightly regulated under GDPR, meaning that businesses need to familiarise themselves with the new requirements. Consent must be freely given, clear, specific, unambiguous, and indicated by a positive affirmative action. Any consent you have obtained in the past needs to meet these requirements too, and must be re-obtained if it does not.
What about businesses that have not adopted GDPR best practices in time?
Although the EU GDPR became law in May 2018 after a two-year period for implementation, some organisations are still not confident that they are compliant. Businesses that have not yet adopted good GDPR practices are subject to enforcement by the Information Commissioner's Office (ICO). For a serious data breach they could incur fines of up to €20 million or 4% of their annual turnover, whichever is greater. The GDPR also places emphasis on rapid breach reporting: breaches must be reported to the ICO within 72 hours of discovery. With growing publicity around data protection, a data breach could have unprecedented effects on your reputation, a valuable asset.