In this article:
- What does GDPR stand for?
- Why is GDPR important?
- Who does GDPR apply to?
- The key aspects of GDPR
- Why was GDPR needed?
- Does GDPR replace the DPA?
- How to become GDPR compliant
What does GDPR stand for?
GDPR stands for General Data Protection Legislation. It is a European Union (EU) law that came into effect on 25th May 2018. GDPR governs the way in which we can use, process, and store personal data (information about an identifiable, living person). It applies to all organisations within the EU, as well as those supplying goods or services to the EU or monitoring EU citizens.
Therefore it is essential for businesses and organisations to understand explicitly what GDPR means. It is the legislative force established to protect the fundamental rights of data subjects whose personal information and sensitive data is stored in organisations. Data subjects will now have the right to demand subject access to their personal information, and the right to demand that an organisation destroys their personal information. These regulations will affect most sectors within business, from marketing to health services. Therefore, to avoid the crippling fines administered by the Information Commissioner's Office (ICO) it is essential to become GDPR compliant.
GDPR Key Principles:
- Lawfulness, transparency and fairness
- Only using data for the specific lawful purpose that it was obtained, the most lenient of which is legitimate interests
- Only acquiring data that we strictly need
- Ensuring any data we possess is accurate
- Storage limitation
- Integrity and confidentiality
Why Is GDPR Important?
Primarily GDPR is important since it provides a single set of rules for all EU organisations s to adhere to, thus giving businesses a level playing field and making the transfer of data between EU countries quicker and more transparent. It also empowers EU citizens by giving them more control over the ways in which their personal data is used.
Prior to introducing the new GDPR legislations, the European commission found that a mere 15% of citizens felt that they had complete control over the information that they provided online. With such low trust amongst the general public it is clear that consumer habits will ultimately be affected. Measures to rebuild this confidence, through introduction and proper implementation of GDPR, are expected to increase trade.
Thorough implementation of data protection policies and staff education are important as non-compliance could result in a data breach. The Information Commissioner's Office (ICO) can issue fines of up to 4% of your annual turnover or €20 million, whichever is greater, in the event of a serious data breach. Data protection training is a necessity in mitigating the risk of data breaches.
Who Does GDPR Apply To?
The General Data Protection Regulation (GDPR) governs the way in which personal data is gathered and handled in the European Union (EU). Personal data is defined as any information relating to an identified or identifiable, living person. GDPR applies to any individual or organisation that handles personal data within the EU. Countries outside of the EU that handle personal data are known as 'Third Countries' under GDPR. They may have their own data protection legislation but they are required to comply with GDPR in the following circumstances:
When supplying goods/services to the EU
When processing data about citizens residing within the EU
The key aspects of GDPR:
GDPR has replaced the 1995 Data Protection Directive, which established minimum requirements for data protection across Europe. This moderate approach to data protection, prior to 2018, led to a series of data breaches and scandals, allowing the compromise of data subjects' personal information. Now, the changes established in the GDPR will provide better protection of data subjects' fundamental rights.
- Extended Jurisdiction: The GDPR now applies to any organisation which processes personal data of data subjects who are in the EU. This means that GDPR applies to big and small organisations, in and outside of the EU.
- Consent: There is a strict focus on consent, it has to be specific and clear.
- Right to Access: A data subject can issue a subject access request to view their personal information, and an organisation must comply.
- Right to be Forgotten: A data subject can demand that their personal information is destroyed by a data controller.
- Data Protection Officer: Data controllers are now expected to have a DPO in their team, to ensure data protection regulations are being upheld.
- Penalties: The ICO can now issue much harsher repercussions for a data breach, this includes fining an organisation up to €20 million or 4% of an organisation's global turnover, whichever is highest.
Why was GDPR needed?
Society is now more data-driven than ever, therefore the vast amount of sensitive data stored upon computers, has resulted in a rise in cyber-attacks and data breaches.
Phishing is one of the key ways that cyber-criminals can infiltrate personal information using scam emails, and even alter bank details and account details. The common nature of this sort of cyber-attack has now resulted in GDPR being essential to prevent it from happening so often.
Organisations need to be aware of emails which might contain viruses, to protect their company's IT network. If a virus manages to infiltrate an organisation's hard drive, then personal information of customers and employees will be compromised, and a data breach will occur.
Organisations should implement email encryption, so that personal information included in the emails can't be infiltrated by cyber hackers. A data controller can use a secure email gateway to prevent emails containing malware, phishing attacks or spam, from reaching an organisation. Consequently, to be GDPR compliant an organisation needs to organise the installation of a secure email gateway to monitor their emails.
Office 365 and GDPR
Many organisations and businesses use Office 365's software to store vital information, such as tables with employee personal data and sensitive data, business contracts and annual reviews. Therefore, Office 365 have the responsibility to ensure this data is protected.
Office 365 utilises a cloud software, therefore up to 85% of businesses store their data in the cloud. Despite this data being stored in a cloud, Office 365 still need to remain GDPR compliant. To do so, Office 365 have utilised auto-label policies and intelligent content searches to help locate personal information easily. Therefore, Office 365 has proved its GDPR compliance, through ensuring personal data is transparent and easy to locate.
End User Consent
The GDPR has imposed tighter control on end user consent, when processing personal data. The GDPR takes the stance that a data subject must be informed of the processes which will be used to store their personal data. Subsequently, it will then be the data controller's responsibility to make the processing of personal data available to the data subject. The user will then be able to put an end to their consent, once they feel that a data controller no longer needs their personal information, or that there may be harm to the personal information.
Article 32 of the GDPR stipulates that an organisation should apply technical measures to protect personal information, such as through two-factor message authentication. This two-factor message authentication should be applied to systems which process personal information, such as mobile devices which should be encrypted.
GDPR should not intimidate organisations, because if the regulations and safeguards are implemented clearly, there should be no problems and no reason for the ICO to get involved.
Does GDPR replace the DPA?
The Data Protection Act (DPA) 1998 was superseded by the European Union (EU)'s General Data Protection Regulation (GDPR) on 25th May 2018. Prior to 25th May 2018, the ruling UK data protection legislation was the Data Protection Act (DPA) 1998. The DPA was brought in at the end of the 20th century as computers became increasingly commonplace in businesses. However, by 2018, the DPA was admittedly outdated and no longer reflected the digital/technological age in which we live. For example, a vast proportion of individuals in the UK use social media, many of us possess more than one digital device (phones, tablets, laptops), and almost all businesses rely on computer networks. The digital world that we live in has changed the way we process information, and the laws were updated accordingly.
How to become GDPR compliant
In order to become GDPR compliant, you must first understand the rights of the individual granted by the legislation. They are as follows:
- Right to be informed of how your data is being processed
- Right to access this data
- Right to rectify incorrect data
- Right to erase data
- Right to restrict processing of personal data
- Right to data portability – this means that as a business you will need to put in place a system by which you can quickly and easily compile all the personal data you hold on an individual and make it securely accessible to them
- Right to object to your data being processed
- Rights relating to automated decision making, including processing
Organisations must then identify their role in the flow of data, e.g. are they a data controller or a data processor? Data controllers determine why personal data will be used and what for. Data processors are individuals or companies that process personal data on behalf of the data controller.
Whilst data controllers have retained ultimate responsibility for protecting their data, data processors too are required to comply with GDPR when processing and storing personal data. Data controllers should draw up a written contract agreeing that their processors will comply with their data policies and ensure it is signed by all third parties.
Under GDPR, it is important to identify the lawful basis for processing personal data. The acceptable reasons are:
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
When processing special category data, sensitive personal information, the grounds on which it can be lawfully used differ. Processing requires both a lawful basis and a special category condition.
The GDPR requires some organisations to appoint a Data Protection Officer (DPO). A DPO is removed from the daily processing activities of your organisation but is responsible for ensuring GDPR compliance. You must appoint one if: you are a public authority; perform regular large-scale monitoring of individuals as a core activity; conduct large scale processing of special category data or information on criminal convictions/offences as a core activity.
Businesses must conduct a Data Protection Impact Assessment (DPIA) if a processing activity is likely to result in a high risk to individuals. This is intended to identify and minimise risk to individuals' personal data. The risk assessment considers both the likelihood and severity of impact of the risk. If whilst conducting a DPIA you identify a high risk which you cannot mitigate, you must inform the ICO.
Consent is also more tightly regulated under GDPR, meaning that businesses need to familiarise themselves with these new requirements. Consent must be freely given, clear, specific, unambiguous, and indicated by a positive affirmative action. Any consent you have obtained in the past needs to meet these requirements too and must be reobtained if not.