The General Data Protection Regulation (GDPR) will apply from 25 May 2018, this new law applies to all companies that collect and process data belonging to European Union (EU) citizens. This includes companies with operations in the EU and/or a website or app that collects and processes EU citizen data.
It expands the rights of individuals to control how their personal data is collected and processed and places a range of new obligations on organizations to be more accountable for data protection.
The key elements of the GDPR
The GDPR applies to personal data. This is any information that can directly or indirectly identify a natural person and can be in any format. The Regulation places much stronger controls on the processing of special categories of personal data. The inclusion of genetic and biometric data is new.
Example: Name, Address, Email address, Photo, IP address, Location data, online behavior (cookies), Profiling and analytics data, Race, Religion, Political opinions, Trade union membership, Sexual orientation, Health information, Biometric data, Genetic data.
Here are GDPR requirements you must meet for 2018:
An awareness of GDPR is the first requirement, and no progress toward compliance will be made if the decision-makers in your company are not aware of the new laws.
Conduct regular training to ensure that employees remain aware of their responsibilities with regard to the protection of personal data and identification of personal data.
The information you hold (Accountability and governance)-
Under GDPR, if your business shares inaccurate personal data with another organization, you must notify the other organization of the inaccuracy.
You should document what personal data you hold, where it came from and who you share it with. You may need to organize an information audit
Across the organization or within particular business areas. The GDPR requires you to maintain records of your processing activities. By doing this you are complying GDPR’s accountability principle.
Communicating privacy information (Transparency and privacy notices)–
You should review your current privacy notices and put a plan in place for
Making any necessary changes in time for GDPR implementation. When you collect personal data you currently have to give people certain information, such as your identity and how you intend to use their Information. This is usually done through a privacy notice. Privacy notices must be provided in a concise, transparent and easily accessible form, using clear and plain language.
Under GDPR, all companies dealing with information of European citizens will need to provide more information to customers. You’ll need to clearly explain:
- Your lawful basis for processing EU citizens’ data.
- Your data retention period.
- That individual can complain to the ICO if there is a problem with your data handling.
The ICO’s Privacy notices code of practice reflects the new requirements of the GDPR.
StegoSOC GDPR is a platform where the Compliance and Incident response is automated that Cut time to detect threats and improve your response and visibility into entire cloud infrastructure, threats and vulnerabilities.
Data procedure covers individual rights (Privacy rights of individuals)-
When GDPR is introduced, individuals (your customers) will have more rights, and your data protection procedures must reflect that.
The GDPR includes the following rights for individuals:
- The right to be informed
- The right of access to personal data through subject access requests.
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- The right not to be subject to automated decision-making including profiling.
You’ll need to provide this data in a commonly used structure and machine-readable form. It must also be provided free of charge.
Subject access requests
Under GDPR, individuals have the right to receive a copy of the personal information held about them by a company. This is known as a subject access request.
In most cases, you will not be able to charge for complying with a Request.
- You will have a month to comply.
- You can refuse or charge for requests that are manifestly unfounded or excessive.
- If you refuse a request, you must tell the individual why and that they have the right to complain to the supervisory authority and to a judicial remedy.
You must do this without undue delay and at the latest, within one month.
If your organization handles a large number of access requests, consider the logistical implications of having to deal with requests more quickly.
You could consider whether it is feasible or desirable to develop systems that allow individuals to access their information easily online
The lawful basis for processing personal data
You must identify and document the lawful basis for any processing of personal data.People will have a stronger right to have their data deleted where you use consent as your lawful basis for processing.
You will also have to explain your lawful basis for processing personal data in your privacy notice and when you answer a subject access request. The lawful bases in the GDPR are broadly the same as the conditions for processing in the DPA.
It should be possible to review the types of processing activities you carry out and to identify your lawful basis for doing so. You should document your lawful bases in order to help you comply with the GDPR’s ‘accountability’ requirements.
The lawful bases are:
- Direct consent from the individual
- The necessity to perform a contract
- Protecting the vital interests of the individual
- The legal obligations of the organization
- The necessity for the public interest
- The legitimate interests of the organization.
GDPR sets a high standard for consent and could mean a major overhaul of how you obtain consent from your customers. GDPR is clear that an indication of consent must be clear and involve an affirmative action. Controllers must keep a record of how and when an individual gave consent, and that individual may withdraw their consent whenever they want.
There are stricter rules for obtaining consent:
- Consent must be freely given, specific, informed and unambiguous.
- A request for consent must be intelligible and in clear, plain language.
- Silence, pre-ticked boxes, and inactivity will no longer suffice as consent.
- Consent can be withdrawn at any time.
- Organisations must be able to evidence consent.
- Consent has to be verifiable and individuals generally have more rights where you rely on consent to process their data.
Data protection for children
GDPR will introduce special protection for children’s personal data. Businesses must start implementing systems to verify ages or obtain guardian consent for any data processing. If your organization offers online services (‘information society services’) to children and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully.
The GDPR sets the age when a child can give their own consent to this processing at 16. If a child is younger then you will need to get consent from a person holding ‘parental responsibility’. Remember that consent has to be verifiable and that when collecting children’s data your privacy notice must be written in language that children will understand.
Report data breaches
GDPR introduces a requirement for all organizations to report certain types of data breaches to the relevant governing body and your customers. You must notify the relevant stakeholders if your data breach will result in discrimination, damage to reputation, financial loss or loss of confidentiality of individuals.
Data breaches must be reported to the data protection authority within 72 hours of discovery. Individuals impacted should be told where there exists a high risk to their rights and freedoms, e.g. identity theft, personal safety.
Personal data needs to be secured against unauthorized processing and against accidental loss, destruction or damage. You will need to track the types of data you hold and document when you would be required to notify the ICO.
If you fail to report a breach, even by accident, you’ll be hit with a fine – 2 percent of global turnover or $11 million, whichever is higher. This is in addition to the fine you’ll pay for the breach itself.
Data Protection by Design and Data Protection Impact Assessments
There is a requirement to build effective data protection practices and safeguards from the very beginning of all processing:
- Data protection must be considered at the design stage of any new process, system or technology.
- A DPIA is an integral part of privacy by design. A profiling operation is likely to significantly affect individuals.
- The default collection mode must be to gather only the personal data that is necessary for a specific purpose.
If a DPIA indicates that the data processing is high risk, and you cannot sufficiently address those risks, you will be required to consult the ICO to seek its opinion as to whether the processing operation complies with the GDPR.
Data protection officer (DPO) – The appointment of a DPO is mandatory for Public authorities; Organisations involved in high-risk processing; and Organisations processing special categories of data.
A DPO has set tasks:
- Inform and advise the organization of its obligations.
- Monitor compliance, including awareness raising, staff training, and audits.
- Cooperate with data protection authorities and act as a contact point.
6 steps to GDPR compliance
To prepare for GDPR, organizations can use this six-step process:
- Understand the law
Know your obligations under GDPR as it relates to collecting, processing, and storing data, including the legislation’s many special categories.
- Create a roadmap
Perform data discovery and document everything — research, findings, decisions, actions and the risks to data.
- Know which data is regulated
First, determine if data falls under a GDPR special category. Then, classify who has access to different types of data, who shares the data, and what applications process that data.
- Begin with critical data and procedures
Assess the risks to all private data, and review policies and procedures. Apply security measures to production data containing core assets, and then extend those measures to back-ups and other repositories.
- Assess and document other risks
Investigate any other risks to data not included in previous assessments.
- Revise and repeat
Repeat steps four to six, and adjust findings where necessary.