The General Data Protection Regulation (GDPR) comes into force on 25 May 2018, replacing existing Data Protection regulations. Under GDPR the definition of personal data, the responsibilities of those handling personal data, and the penalties for non-compliance will all be considerably ramped up, so if your firm or organisation handles personal data (and if you're operating in the modern world then you almost certainly do) then it is imperative to ensure your practices and systems comply with the new rules.
The following is an overview of the core principles of GDPR - those that all enterprises and organisations will need to consider. However, please note that GDPR is complex, both from a legal point of view and from an IT standpoint, and so all firms are advised to seek qualified expert advice as required.
The GDPR sets out a set of core principles that all data controllers must adhere to. As of 25 May 2018, any organisation that handles the personal data of 'data subjects' will be considered a data controller.
Penalties and fines
A data controller can be fined up to 4% of annual turnover for non-compliance. There will be no leeway given in the initial months following 25 May; rather, states are right now ratcheting up and tightening enforcement of existing DP laws as a way of preparing people for the tougher regime that is expected under GDPR.
Reason for holding data / data minimisation
There has to be a valid legal or operational justification for holding any piece of personal data. Data controllers should only hold data that they genuinely and justifiably need in order to perform their function; data controllers should not gather or hold extraneous data that does not relate to their activities.
Permission to store each piece of personal data must be obtained from the data subject. Furthermore, information about when and how that permission was given should also be recorded. A data subject has the right to request an audit of the various consents they may have given, and to modify those consents at any time. Consent data will likely be construed as being a subset of the data subject's personal data, and so will be subject to the same right to be forgotten / right to access requirements (see below).
Data subjects have to give specific consent to any processing of their personal data. This includes both manual processing and automated ‘algorithmic’ processing. Note that performing a mail-merge, or even doing simple searches within data, could be considered to be 'data processing'.
Specific consent is also required if a data controller will 'aggregate' the data they hold with other data sources (i.e. combine data with data from other sources in order to reveal more information about a data subject). 'Aggregation' in this context could include common activities such as performing a credit check on a client, or investigating a job candidate's background via social media channels.
Right to access
A data subject is entitled to request a copy of any and all data pertaining to them that is held by a data controller. The data controller has to provide such data in a 'machine-readable' way (i.e. in a form where all data 'tokens' and 'relationships' are resolved into actual readable data), and that data must be supplied in a common file format.
Right to be forgotten
A data subject may request that all information pertaining to them be deleted in its entirety from a data controller's systems. Once a data subject has exercised this right, it is the responsibility of the data controller to ensure that the data is not and cannot be restored from a different source (such as a data backup or archive), inadvertently or otherwise.
Where a data controller needs to hold data derived from personal data in order to undertake their business or responsibilities, then mechanisms should be put in place to anonymise that data, or to arrange things such that the data can be anonymised in the event of the data subject exercising their right to be forgotten.
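The consent-recording, right-to-access and right-to-be-forgotten points above all come down to how the data model is laid out. The following is an added example, not code from the original article: a hypothetical in-memory store (names such as `PersonalDataStore`, `COUNTRY_CODES` and the `s-001` subject id are all constructed for illustration) in which consent events are recorded append-only with when and how they were given, an export resolves stored tokens into readable values, and derived records are keyed only by a pseudonym computed with a per-subject secret, so that deleting that secret leaves the derived records anonymous even in copies that were never touched.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed lookup table: a raw record stores the token "c1"; the export
# resolves it to the readable value, as the right-to-access text requires.
COUNTRY_CODES = {"c1": "United Kingdom", "c2": "Ireland"}


class PersonalDataStore:
    """Hypothetical in-memory store modelling consent, access and erasure."""

    def __init__(self):
        self.subjects = {}      # subject_id -> identifying fields (personal data)
        self.consents = {}      # subject_id -> append-only list of consent events
        self.subject_keys = {}  # subject_id -> secret used to derive its pseudonym
        self.activity = []      # derived data, keyed by pseudonym only

    def register(self, subject_id, name, email, country_code):
        self.subjects[subject_id] = {"name": name, "email": email,
                                     "country": country_code}
        self.subject_keys[subject_id] = secrets.token_bytes(32)
        self.consents[subject_id] = []

    def record_consent(self, subject_id, purpose, given, channel, at=None):
        # Append-only: a withdrawal is a new event rather than an overwrite, so
        # when and how each consent was given or changed stays auditable.
        event = {"purpose": purpose, "given": given, "channel": channel,
                 "at": (at or datetime.now(timezone.utc)).isoformat()}
        self.consents[subject_id].append(event)
        return event

    def current_consents(self, subject_id):
        # The latest event per purpose decides whether processing is allowed now.
        state = {}
        for event in self.consents[subject_id]:
            state[event["purpose"]] = event["given"]
        return state

    def pseudonym(self, subject_id):
        # HMAC keyed with the per-subject secret: without that secret the
        # pseudonym cannot be recomputed from the subject id.
        return hmac.new(self.subject_keys[subject_id], subject_id.encode(),
                        hashlib.sha256).hexdigest()

    def log_activity(self, subject_id, event):
        # Derived records never carry the subject id, only the pseudonym.
        self.activity.append({"who": self.pseudonym(subject_id), "event": event})

    def export_record(self, subject_id):
        # Right to access: every token and relationship resolved into plain values.
        subject = self.subjects[subject_id]
        pseudo = self.pseudonym(subject_id)
        return {
            "subject": {"name": subject["name"], "email": subject["email"],
                        "country": COUNTRY_CODES[subject["country"]]},
            "consents": list(self.consents[subject_id]),
            "activity": [r["event"] for r in self.activity if r["who"] == pseudo],
        }

    def export(self, subject_id):
        # Common file format for delivery to the data subject.
        return json.dumps(self.export_record(subject_id), indent=2)

    def erase(self, subject_id):
        # Right to be forgotten: delete the identifying data, the consent
        # history and, crucially, the per-subject key. The activity rows stay,
        # but nothing can link them back to the person any more.
        del self.subjects[subject_id]
        del self.consents[subject_id]
        del self.subject_keys[subject_id]

    def is_linkable(self, subject_id):
        return subject_id in self.subject_keys


if __name__ == "__main__":
    store = PersonalDataStore()
    store.register("s-001", "Ann Example", "ann@example.invalid", "c1")
    store.record_consent("s-001", "newsletter", True, "web form")
    store.log_activity("s-001", "login")
    print(store.export("s-001"))
    store.erase("s-001")
    print("linkable after erasure:", store.is_linkable("s-001"))
```

The design choice worth noting is where the per-subject keys live: they are the one thing that must not survive erasure, so the key store needs either no long-term backups or backups that are rotated quickly, otherwise restoring an old backup restores linkability, which is exactly the inadvertent restoration the text warns about. The data tables themselves can be backed up freely, since their derived rows carry only pseudonyms.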
Privacy by design
Privacy by design is an approach to systems and data architecture / design that calls for data protection and privacy to be a primary consideration and function in the design and operation of a system. Specifically:
The controller shall [...] implement appropriate technical and organisational measures [...] in an effective way [...] in order to meet the requirements of this Regulation and protect the rights of data subjects.
All personal data that is stored in a permanent or semi-permanent fashion must be adequately protected from unauthorised access. Typically this will mean encryption of all stored data and password protection of all systems that access that data. Storage, backups and archives should be arranged such that if a computer or system storing data is compromised the data itself has additional layers of security protecting it.
Notification of breaches
Under GDPR, in the event of a data or security breach that is likely to result in a risk to the rights and freedoms of data subjects, any affected data subject must be informed of the breach within 72 hours of the data controller first becoming aware of it.