The EU’s General Data Protection Regulation (GDPR) goes into effect on May 25, 2018. There’s been a big buzz about it recently (Google Trends showed a 3000 percent increase in searches over the past month) because GDPR won’t just affect EU member states. The new regulations maintain the same coverage for EU citizen and resident data as covered by the current Data Protection Act (DPA) enacted in 1998 with some significant changes, including that coverage will include EU individuals’ data collected by companies and entities outside of the EU.
The GDPR affects the collection and processing of personal data, meaning any information stored about a person that can directly or indirectly identify that person. This includes generally considered private information like names, birth dates, addresses, and email addresses, but also extends to information that when compiled could indirectly identify a person, including location data and electronic identifiers.
It’s important to note that GDPR enforcement starts May 25, 2018, and there will be no grace period. We can probably expect to see EU regulators make an example of a few companies to show they’re serious in the first months of enforcement. And penalties will be strict: up to 20 million Euros or 4 percent of the company’s global revenue, whichever is greater.
Do I need to prepare for the GDPR?
If you process or store personal information about residents or citizens of the EU, even if they don’t live in the EU, you’ll need to ensure your data and processes comply. And by all accounts, GDPR will still apply for UK companies even after Brexit for those companies who process or collect data on EU individuals.
We surveyed 200 companies within the UK in February and March of 2018, and we found:
- 36 percent of companies said they were ready for the GDPR
- 25 percent of companies identified as “Nearly Ready” for GDPR compliance
- 15 percent stated they have done some preparation for GDPR, but still had a long way to go
- 21 percent of companies had done nothing to date, but have plans to prepare soon
- 3 percent stated they had done nothing to prepare, and don’t plan on taking any steps
Some key takeaways from this data:
- Most companies are aware of the changing regulations under GDPR, and 97 percent are making moves to gain compliance by the deadline
- Over 60 percent of the companies surveyed were planning their updates or were working on their compliance by early Spring 2018, but had yet to complete their preparations.
If you find yourself in that 60 percent, don’t despair. TechnologyAdvice put together this checklist to get compliant a little quicker.
Disclaimer: This article is meant to help you understand what you might need to do to prepare for the GDPR. We are not legal experts. Don’t use this article or checklist as legal advice, Don’t use this article or checklist as legal advice, as every company’s data situation is unique. It’s always best to check with an attorney to understand your company’s individual compliance needs.
Be aware of these changes
Changes to what constitutes clear consent
While Article 6 of the GDPR does not require companies to gather consent, clear and unambiguous consent is one of the 6 legal grounds for processing data under the GDPR (in addition to contract, legal compliance, protecting the individual or public interest, and the company’s legitimate interests).
This notice of consent must clearly state the way that data will be used once its given over. Clear and unambiguous consent means that pre-checked boxes, inaction, and other implied consent means of collecting data will not suffice. The UK’s Information Commissioner’s Office put together a guide to GDPR consent that includes loads of helpful information.
Ensure portability of data
Check to make sure that your data is available for transfer to other controllers or processors in a consumable, interoperable, and machine-readable format. The new regulations allow individuals to request their data be transferred to another entity, and failure to comply because of unclear or incompatible electronic data storage systems will not be tolerated.
Right to be forgotten
Under the DPA of 1998, individuals could request to have their data corrected, blocked, or accessed in most cases. GDPR extends those rights to allow the individual to request that their data be completely deleted and forgotten if the individual
- Objects to the company’s processing compliance with GDPR
- Withdraws consent
- Objects to the necessity of the collection or processing of the data
- Objects to the use of the data
- Or the company-set data retention period expires
Age of consent
The GDPR sets the EU age of consent to 16 in most cases. However, individual member states can lower the age of consent to 13 by passing state-specific laws. This is especially interesting for social media software and apps that connect to social media. Check your privacy and consent notices for clarity of consent as it pertains to this age range.
✅ Data Protection Officer (DPO)
Designate an individual who checks and ensures compliance for the company and will establish a relationship with the local supervisory authority. This is necessary for companies who collect and process large amounts of personal data or has complicated collection and processing measures. Check with local authorities if you’re unsure about what constitutes large amounts of data or complicated procedures.
✅ Current data assessment
The DPO and data stakeholders within the company should conduct a thorough assessment of the current conditions surrounding the collection and processing of personal data. This assessment should seek to understand how data is currently collected, the manner in which the company gains consent from individuals, the security measures taken to protect the data at rest as well as during processing and transfer to other entities, and any measures that should be tightened before GDPR takes effect on May 25, 2018.
✅ Local supervisory authorities
Know where your country’s GDPR supervisory authority is located and collect contact information for the authorities. Ensure the DPO has access to this information. The country’s supervisory authority must be notified of breaches within 72 hrs.
✅ Plan for a Data Privacy Impact Assessment (DPIA)
A DPIA is a plan for assessing and understanding how current and future technology resources will interact with current and future data stores. Poland has published a list of proposed actions that will trigger the need of a DPIA. Any new technology built or implemented by controllers or processors must include “privacy by design”–meaning that data privacy and security should be considered early in the development stage and throughout the product’s lifecycle, but this does not preclude the need for a DPIA plan.
✅ Accountability plan
Plan how often your data, systems, and processes will be reviewed, and how the DPO will demonstrate accountability to the supervisory authority.
✅ Data transfer protocol
GDPR requires companies to take appropriate protection and security measures for data that will be transferred outside of the EU. Ensure that the company has a legitimate reason to transfer data out of the EU and appropriate security measures in place to avoid penalties.
Check with an attorney
This article is by no means a comprehensive breakdown of the GDPR and its requirements, and every company should check with a qualified attorney for official legal advice on the implications of GDPR. These items should be overseen by the DPO and double-checked by an attorney.
✅ Assess possible liability for current processes
Once your team has completed the compliance assessment of current data and processes, follow up by assessing the liability of those processes. Then fix known and fixable issues, or reassess your insurance.
GDPR doesn’t have to mean the end for data processors and controllers. A little due diligence now can protect your company from fines and penalties later, and protect your users from exposed personal data. You can also check out the TechnologyAdvice Product Selection Tool for reviews and recommendations on the top IT security software available on the market.