Information and Practical Advice
It has struck me that this new legislation is coming at us at lightning speed, and yet from my interactions with clients it seems that not many SMEs are aware of it or its significance.
The purpose of this blog article is not to preach or judge. It is to inform, educate and create awareness for our clients and our subscribers, so that you can start to get planning and organising before the deadline.
If this is your first introduction to the General Data Protection Regulation, you will probably be overwhelmed by the amount of information floating around when you start to research it properly. Get informed, don't panic, and start to put a plan in place early. Don't leave it until the last minute: the potential costs of non-compliance do not bear thinking about.
So, here we are going to present the facts, followed by some practical steps to get you started. Seeking advice from a legal/consultancy firm would also be advisable.
So let's get started...
What is GDPR? (General Data Protection Regulation)
GDPR replaces the previous Data Protection Acts 1988 and 2003. The office of the Data Protection Commissioner is responsible for upholding the privacy rights of individuals in relation to the processing of their personal data. These rights are contained in the Data Protection Acts. The Acts state that information about you must be accurate, should only be made available to the correct person(s), and should only be used as per the original intention. You also have the right to access your personal data, to have errors corrected and, in some cases, to have it removed.
Just a quick note on Personal Data before we move on to the new legislation. Personal Data is any data relating to a living person who can be identified either from the data itself or in combination with other data that is already in, or is likely to come into, the possession of the data controller (more about Data Controllers and Processors below).
So What is the Objective of the GDPR?
"Effective protection of personal data throughout the Union requires strengthening and setting out in detail the rights of data subjects and the obligations of those (in the public and private sectors) who process and determine the processing of personal data, as well as equivalent powers for monitoring and ensuring compliance with the rules for the protection of personal data and equivalent sanctions for infringements in the Member States". (Recital 11)
There was a need to update the previous legislation with higher data protection standards that take account of factors such as technological advances (Internet, Social Media, Big Data) and the rapidly developing case law of the EU Court of Justice on Data Protection.
It is due to come into effect on 25th May 2018 (less than 9 months from the date of this Blog publication).
There are effectively 7 new principles to replace the previous 8 rules:
1. Fair, Transparent, Lawful Processing
2. Purpose Limitation
3. Minimising of Processing
4. Data Accuracy/Data Quality
5. Retention, Storage Limitation
6. Security and Confidentiality
7. Liability and Accountability
Probably the biggest change from the previous Data Protection Acts is point 7 above - Liability and Accountability.
Data Controllers and Data Processors must be able to demonstrate compliant processing.
"A Data Controller is the individual or the legal person who controls and is responsible for the keeping and use of personal information on computers or in structured manual files.... If your organisation controls and is responsible for the personal data which it holds, then your organisation is a data controller".
"A Data Processor holds or processes personal data but does not exercise responsibility for or control over the personal data".
If you want to be clear on whether you/your organisation is a Data Controller, a Data Processor or both, then I would recommend that you check out the link below: https://www.dataprotection.ie/docs/Are-you-a-Data-Controller/y/43.htm
The Costs of Non-Compliance
GDPR is all about being able to demonstrate compliance. If you are found to be in breach, the impact could potentially be huge, i.e. up to €20 million or 4% of worldwide turnover for the previous financial year, whichever is the higher value.
So, this is not something to be taken lightly or to be ignored.
So, what should you be doing now?
By now, you should definitely be starting to get a plan in place. You should know whether you are a Data Controller or Data Processor or both.
There are some things you can start off doing internally, like appointing a Data Protection Officer (DPO) or Champion. You may wish to engage with a specialist legal or consultancy firm to guide you through the process and the steps. If you want to start the process without legal advice, then I would suggest that you engage with a legal firm a little down the line to audit what you have done so far and to make sure you are doing all the right things. It may sound like a costly exercise, but the costs of non-compliance are potentially huge and could have serious consequences for your business if you are found to be in breach.
Here are a few practical steps to get you started:
1. Appoint a DPO or Champion
Do you need to have a DPO? Read this article for clarification: http://www.sytorus.com/Blog/Article/141/does-your-organisation-need-a-data-protection-officer
2. Review your organisation structure
See which departments are impacted by data protection (collecting or processing data). These may include:
- Technical Support/Customer Service
- Software Development
3. What Data do you hold/process?
You should be clear about:
- What kind of data you are holding or processing
- What the purpose of holding/processing this data is
- How long you keep this data for
- What you do with the data when you are finished with it
A good tip is to hold the minimum amount of data possible, so that you minimise your risks. Don't hold any data that you don't need to keep.
4. Identify the Risks
- Start to put policies in place such as Data Protection, Social Media, Leaver Policy, Code of Practice, Clean Desk, Teleworking, etc.
- HR/Recruitment processes
- HR & Payroll Systems - access, logs and sharing of data
- Smart Phones and BYOD
- 3rd Parties
You should then map out the Risk Rating for breaches, going from Unlikely to Happen to Happens Continuously, and then work out the potential impact and whether it would require a breach notification to the Data Protection Commissioner. Reporting breaches must be done in a timely manner, but at the same time breaches must be avoided at all costs. There is potential for serious damage to your reputation and large fines if you are found to be in breach.
5. Establish your Chain
There must be actual contracts in place with all of the third parties in your chain, so you need to identify who has access to the personal data you have collected. Is data hosted on a cloud server or in a data centre? Do you use outsourced marketing companies to send email campaigns? Do you outsource your shredding? Do you use a cloud data back-up service? Data Controllers and Data Processors must have contracts in place with each other, along with any other sub-contractors or parties in the chain.
I would suggest that you start making a list of all of the parties in your chain and then go from there.
I would suggest that you get informed and start an action plan sooner rather than later. This is definitely not something you can ignore, and it affects everyone from sole traders right up to large corporations.
Don't panic about the workload. This is a multi-departmental project and will need contributions from the heads of each department. Assign one or more people to manage this process internally and police it once it comes into law. Plan and act now and give your company the best chance of becoming compliant. Nobody wants to be dodging The Data Protection Commissioner!
We will be running more blog articles on specific topics such as GDPR and Marketing, so stay tuned.
For now, thanks for reading and we hope that you picked up some useful information to help you get started.
Feel free to post comments.