EU directive – General Data Protection Regulations

Sweaty Dave, Going Postal
Europa Building, Brussels

You may be wondering why recently you have been getting post from banks, utilities and financial institutions amending Terms and Conditions.
A new set of rules is coming into force in May next year, which few of you will have heard of, but most will be affected by. The General Data Protection Regulations (GDPR), an EU directive, come into force in the UK on the 25th of May 2018, despite Brexit. GDPR is an update to the older, looser Data Protection Act and will be followed by the Privacy and Electronic Communications Regulations (PECR), due in 2019.

Few companies or individuals have started to prepare for the new regulations, and most that have say they will struggle to be ready in time.

What is all the fuss about?

The regulations update rights and rules around processing of personal data.

They follow 7 principles – that the data is used lawfully and fairly; that the purpose is not open-ended but specific; that the minimum needed is used; that it is accurate; that it cannot be kept for longer than necessary; that it is held in a confidential and secure way; and that there is someone accountable for compliance.

The definition of Personal Data has broadened: it is not only name and address, but any item of data that could be used to identify a person – such as ID numbers, genetic, cultural, biometric or even location data. CCTV is an area that will have a lot of new controls upon stored images. It covers data not only in computer systems, but on paper, in a diary, on video, audio or social media.

Key changes include:

  • Fines increased to the greater of €20m or 4% of group (global) turnover – a huge increase on the current maximum fine of around £150k.
  • Requirement to notify all breaches, in my opinion rather big brother this one. If anything happens that involves personal data that is not as planned, it must be notified to the Information Commissioner. For example, if someone emails someone’s name to the wrong addressee within their company, that is classed as a breach. In the past only major breaches, such as data hacks, had to be notified to the Information Commissioner.
  • When there is a breach or data is stolen or mislaid, the company must notify the supervisory authority within 72 hours.
  • The company must notify individuals immediately if the breach was high risk. This is difficult for those without email. The customers may be able to claim compensation, which many see as being the next PPI. Expect adverts shouting ‘Had your data stolen? Text ‘nicked’ for compensation’ and the like.
  • Consent to use data has to be freely given. It has to be specific, informed and include an unambiguous indication of wishes, meaning no vague pre-filled tickboxes: you have to opt in rather than opt out.
  • The company needs to demonstrate where and when consent was obtained.
  • It has to be as easy to opt out as to opt in – at any point, now or in the future.
  • Terms and conditions and small print will need to include very detailed Fair Processing Notices.
  • New rights for individuals – to be able to object, to have elements rectified, to restrict processing, to be forgotten, and portability.
  • Enhanced subject access rights.
  • Companies will have to appoint a Data Protection Officer who will be responsible for the management of the data, with each system having a designated data owner.
  • Data Protection Impact Assessments and privacy by design – any changes made or new systems introduced will have to consider all the rules from the earliest point of design, not added as an afterthought.
  • Data mapping – what, where, why, how long… – all documented and maintained.

All this means a number of changes for companies, adding levels of burden, but helping prevent them from just storing everything for ever. Each piece of data has to be justified – why is it being stored? Why is it held? When will it be deleted? Who is responsible for it? Sounds easy, but most companies will hold thousands of different items of data, each of which will need to be reviewed and discussed, with many elements removed from every system they have.

The tickbox approval you always see on contact, be it on paper or electronic, also needs to be controlled a lot more carefully – as noted above, it has to be a positive request to join, not a sneaky pre-ticked box. The recording system now needs to hold not only the tick of approval, but the time/date it was made and which system/website/page it occurred on. As few if any companies currently have that level of detail, many are simply throwing away their current mailing lists and starting again from scratch.
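To make the consent record-keeping concrete, here is an added example (not code from the original article or from any product it mentions) of the kind of ledger the paragraph above, and the earlier bullets on demonstrating where and when consent was obtained and on opting out being as easy as opting in, call for. It assumes a per-purpose, append-only event log; the field names, the `explicit_action` flag used to reject pre-ticked defaults, and the sample customer and page names are all constructed for the illustration.

```python
"""Consent ledger: who agreed to what, when, on which page, and under which notice.

Added example, not from the article. Assumed design: one append-only event per
opt-in or withdrawal, with current status derived from the latest event.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str          # pseudonymous customer identifier (constructed)
    purpose: str             # specific purpose, e.g. "marketing-email", never "all"
    granted: bool            # True = opt in, False = withdrawal
    timestamp: datetime      # when the tick (or withdrawal) happened, timezone-aware
    source: str              # which system/website/page recorded it
    notice_version: str      # version of the fair-processing notice shown at the time
    explicit_action: bool    # True only if the person actively ticked or clicked


class ConsentLedger:
    """Append-only log; nothing is ever edited or deleted, only superseded."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        # A pre-ticked box or silence is not an opt-in: refuse to store it as consent.
        if event.granted and not event.explicit_action:
            raise ValueError("opt-in must be an explicit action, not a default")
        if event.timestamp.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware to be usable as evidence")
        self._events.append(event)

    def withdraw(self, subject_id: str, purpose: str, timestamp: datetime, source: str) -> None:
        # Opting out is the same single step as opting in: one recorded event.
        self.record(ConsentEvent(subject_id, purpose, False, timestamp, source,
                                 notice_version="n/a", explicit_action=True))

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        latest = self._latest(subject_id, purpose)
        return latest is not None and latest.granted

    def evidence(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        """The event that justifies current processing for this purpose, if any."""
        latest = self._latest(subject_id, purpose)
        return latest if latest is not None and latest.granted else None

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Everything recorded for one person, oldest first (subject access)."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.timestamp)

    def _latest(self, subject_id: str, purpose: str) -> Optional[ConsentEvent]:
        matches = [e for e in self._events
                   if e.subject_id == subject_id and e.purpose == purpose]
        return max(matches, key=lambda e: e.timestamp) if matches else None


def demo() -> dict:
    """Constructed walk-through: one customer, two purposes, one withdrawal."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    ledger.record(ConsentEvent("cust-0001", "marketing-email", True, t0,
                               "web:/signup", "notice-v2", explicit_action=True))
    evidence_source = ledger.evidence("cust-0001", "marketing-email").source

    # A pre-ticked SMS box on the same form is rejected and never stored.
    rejected = False
    try:
        ledger.record(ConsentEvent("cust-0001", "marketing-sms", True, t0,
                                   "web:/signup", "notice-v2", explicit_action=False))
    except ValueError:
        rejected = True

    # The next day the customer opts out of email via the preference page.
    ledger.withdraw("cust-0001", "marketing-email", t0.replace(day=26), "web:/preferences")
    return {
        "evidence_source": evidence_source,
        "rejected_preticked": rejected,
        "email_consent_now": ledger.has_consent("cust-0001", "marketing-email"),
        "sms_consent_now": ledger.has_consent("cust-0001", "marketing-sms"),
        "event_count": len(ledger.history("cust-0001")),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping every event rather than a single yes/no flag is that the ledger can answer both questions the bullets raise: "show me when and where this person agreed" (the surviving opt-in event, with its page and notice version) and "show me that withdrawing was no harder than agreeing" (a withdrawal is one event, recorded through the same path).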

As stated, the fines are now unlimited should there be problems. Being hacked doesn’t automatically incur a fine, but ignoring the regulations and not having made any preparations would be expensive. Not all companies will have systems in place by May 2018, but they must have solid plans in place to show how they will reach compliance.

So if you work for or own a company, make some plans. All you’ll need to do is set up a processing record; a data breach log; a fair processing notice; update policies and procedures with new policies for data protection, minimisation, accuracy, retention and security; record impact assessments; and update your contracts.

The consultants are going to be making plenty of money in the coming months.

© Sweaty Dave 2017