6 Key Points of European General Data Protection Regulation (GDPR) for Action

What is the European General Data Protection Regulation (GDPR)? Here are six key points for action.
© University of Strathclyde

GDPR is the European General Data Protection Regulation. It came into force on 25th May 2018. It is the most recent and significant change to data protection law.

There are six key points for organisations to consider:

  1. Privacy notices
  2. Consent
  3. Lawful basis for processing personal data
  4. Data breaches
  5. Third-party service agreements
  6. Information security

Privacy Notices

You must review your existing privacy notices and update them in line with the new requirements. A privacy notice should include:

  • The reason(s) for processing personal data and the lawful basis (or bases) on which you are relying.
  • Data retention periods, or the criteria used to decide how long data will be held.
  • Information about data subjects’ rights, including the right to complain to the ICO where individuals think there is a problem with the way their data is being handled.

All notices must be concise, transparent, intelligible and easily accessible.

Consent

The rules regarding consent are much tighter under GDPR than under the law that preceded it. For example, in the UK the 1998 Data Protection Act was in place to protect personal data. However, time and technology have moved on, and the threshold for what constitutes valid consent is now much higher. You must be able to evidence how consent was obtained by keeping a record of it, and you must have a mechanism in place to stop processing if consent is withdrawn. It must be clear to individuals what they are providing consent for. If you are asking individuals to consent to more than one thing via a single form, the consent must be granular, setting out each processing activity separately.

To meet the GDPR standard consent must be:

  • Explicit
  • Specific
  • Granular (separate consent for separate things)
  • Informed
  • Freely given
  • Based on a positive opt-in
  • Unbundled from other terms and conditions.

Individuals have the right to withdraw consent. You must make them aware of this and make it as easy to withdraw consent as it is to provide consent. You should keep a record of how and when consent was obtained and have a mechanism in place to stop processing if consent is withdrawn. If you would still process the personal data without consent, then consent is not the correct lawful basis for processing.

Lawful Basis for Processing Data

You must identify the lawful basis for data processing at the outset, and this information must be included in your privacy notice. If controllers rely on consent, data subjects will generally have stronger rights, including the right to have their data deleted.

Data Breaches

A personal data breach is described by the Information Commissioner’s Office (ICO) as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service”.

GDPR introduces a mandatory requirement for controllers to notify data breaches to the ICO where the breach is likely to result in a risk to the rights and freedoms of individuals (e.g. where a breach could result in discrimination, damage to reputation or financial loss). Notifications must be made without undue delay and, where possible, within 72 hours of becoming aware of the breach.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also notify the individuals concerned directly without undue delay. Failure to notify can result in a fine of up to the higher of €10 million or 2% of annual worldwide turnover.

Separately, higher fines may be imposed for the breach itself, of up to the higher of €20 million and 4% of annual worldwide turnover (a significant increase on the pre-GDPR maximum fine of £500,000). Controllers’ potential liability is therefore greatly increased.

Privacy by Design

Data Protection Impact Assessments (DPIAs, also known as Privacy Impact Assessments) can help organisations:

  • identify privacy risks,
  • determine the most effective way to comply with their data protection obligations, and
  • meet individuals’ expectations of privacy when processing personal data.

An effective DPIA allows organisations to identify and fix problems at an early stage, reducing the costs and reputational damage that might otherwise occur. DPIAs are a key part of demonstrating compliance with the GDPR principles under the ‘accountability’ requirement and of ensuring a Privacy by Design approach.

Information Security

All personal data must be processed in a manner that ensures appropriate security of the personal data. Information and IT security are vital.

Being aware of the risks can help organisations avoid becoming victims of crimes such as identity theft and fraud. Organisations must ensure the appropriate confidentiality, integrity and availability of all of their information and systems. You should adopt an Information Security policy for your organisation.

This article is from the free online course The Power of Data in Health and Social Care.