Who does it apply to?
Anyone dealing with personal data of EU residents – any information relating to an individual
Brexit?
It’ll apply before we leave the EU.
It’ll almost certainly apply to UK residents for some time (years) after we leave the EU.
It may apply for a long time – we’re currently regulated by the 1998 Data Protection Act
What does it mean to us?
Some things are vague. Then again, if these regulations have a 20 year life, assumptions made in 2018 will be proved wildly wrong by 2038.
We must have Privacy by Design – come June 2018, if your website spills data, you’re in big trouble.
Consent – we must explicitly ask and get consent for data collection and utilisation.
Large Scale Data Processing – no real definition of large scale data processing, but if you’re doing large scale data processing, you need a Data Protection Officer.
Obviously a definition of large scale data processing would be helpful, but there isn’t one.
Most companies will not need a DPO unless their business is in tracking/managing/processing individual customer behaviour or data.
I have worked at a total of two organisations that I think would need a DPO for GDPR (an exams board and a loyalty scheme).
Out of our 100 or so current customers, I struggle to think of one who would need a DPO.
I have a list of four who should consider their DPO obligations, and then write down why they don’t need one, with a review every couple of years.
Data Protection Officer – The DPO reports to the highest level management, must be expert, must be properly resourced, and must not have conflicts of interest. They need not be full-time, but even so, that will be a significant expenditure.
Data Breaches – you must inform the regulator within 72 hours, and your customers without undue delay.
Sanctions – max 4% of turnover or £20m, whichever is higher.
Jargon
Data Subject – an individual
Data Controller – an organisation
Data Breach – leaking, losing, or compromising in any way someone else’s data.
Individual Rights
Right to Information – no change
Right of Subject Access – not a big change – timings and fees
Right to Rectification – no change
Right to Erasure – New. An organisation must be able to permanently delete an individual’s data.
Right to Restrict Processing – New. If you cannot delete someone’s data, you must restrict its use to the bare minimum.
Obligation to notify 3rd parties – New. If an organisation passes on individuals’ data, the organisation is responsible for passing on rectification, erasure or restrictions. It must also tell the individual who it passed their data to (if requested).
Right to Data Portability – New. The individual can have their details transferred from one organisation to another – making it easy, in theory at least, to set up accounts with competitors.
Right to Object – Change. If the individual objects to data processing, the organisation must justify their processing of the data.
Right not to be evaluated by automated processing – no change
Right to bring Class Actions – individuals can be collectively represented by not-for-profit bodies to exercise rights, bring complaints, and seek judicial remedies
Time Limits – you should reply to and fulfil requests for information within a month.
What do we need to do?
- Review your systems – can you identify and isolate all data about a particular data subject?
- Update privacy policies – do your current policies cover the rights above?
- Employee Training – make sure employees understand your obligations.
GDPR is coming. It’s going to change the way we manage company data.