Data Protection Laws are Changing, is your Business Ready for GDPR?

The General Data Protection Regulation (GDPR) is the most significant change to data protection laws in the last 20 years. The European Parliament, Council and Commission have created these new regulations to strengthen data protection for all citizens of the European Union (EU) member states.

The main objective of GDPR is to give individuals control over their personal data and to simplify the regulation of data by unifying processes across all member states; it also addresses the export of EU citizen data outside of the Union.

GDPR will replace the 1995 Data Protection Directive (DPD) from 25th May 2018. DPD was developed over 22 years ago, before the internet and cloud technology created new ways for data to be exploited.

Who does GDPR affect?

Businesses that trade within the European Union will be subject to GDPR. All companies headquartered or based in the EU, as well as any company based outside of the EU that trades with EU member states, will be required to develop clear policies and procedures to protect personal data.

Stuart Carruthers, Technology Sales at Midshire®, explains why UK-based businesses need to pay attention: “GDPR will affect every UK organisation that processes the personal data of EU residents. If a company is adhering to the 1998 Data Protection Act, then their approach to compliance may still be valid under GDPR, but there are new regulations and elements that could have serious financial implications if they aren’t met.”

What has changed?

We will outline the current data protection issues and explain the changes that GDPR brings to solve them.

Before we start, there are a few keywords that need defining:

Data Controller – An organisation that collects the data from EU residents

Data Processor – An organisation that processes data, typically on behalf of the data controller

Data Subject – The individual that the data belongs to

Scope

The issue: The Data Protection Directive outlined who was liable under data protection regulations for EU citizens; however, the guidelines for applicability were vague, often allowing businesses to slip through the cracks.

The change: GDPR has created clear definitions and much wider parameters for who must adhere to the protection of EU resident data. GDPR applies (1) when a Data Processor or Data Controller is established in the EU, and (2) when a Data Processor or Data Controller is not based within the Union. The new scope also covers all member states, including the 14 countries that have joined the EU since DPD was introduced in 1995.

A Single Set of Rules

The issue: Both the DPD and the UK’s own 1998 Data Protection Act, which was passed to regulate how UK citizen data is used by businesses and government, were created at a time when technology was far less advanced than it is today. This means much of the legislation is obsolete when it comes to protecting citizens from today’s technology. Additionally, because of the ambiguity of DPD, the security measures of each individual EU member state had to be considered. Issues arise when data crosses a country’s borders, as each member state has different laws on data protection, making it difficult for businesses to know whether they are compliant or not.

The change: GDPR is considered a ‘future-proofed’ initiative. It places responsibility with businesses by regulating how data is used and stored, rather than trying to protect residents from whichever technological threat is current at the time. Furthermore, the confusion brought about by the vagueness of DPD will end, because data protection policies will be uniform across every member state under GDPR. The new regulation will also create a secure environment by establishing an independent Supervisory Authority in each member state, which will be the central point of investigation and administration for that country’s protection of data.

Consent

The issue: Consent under DPD is open to interpretation and is not clearly defined, often allowing companies to trick individuals into giving consent for their data to be used. This leads to trouble when a person discovers that their data has been used without their knowledge. DPD also makes no mention of consent from a child.

The change: GDPR goes to great lengths to define what constitutes valid consent:

‘consent’ of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Under GDPR, Data Controllers are obliged to demonstrate that valid consent has been obtained, and the regulation explicitly defines the instances in which a child’s consent is valid.

Data Protection Officer

The issue: Under the current laws, data is not well regulated, and it is not mandatory to have someone within each business who personally monitors data processing, data usage and data storage.

The change: GDPR will make it mandatory for businesses to appoint a ‘Data Protection Officer’ in the data processing part of their organisation. The officer will be required to regularly and systematically monitor large amounts of Data Subject information.

Data Breaches

The issue: Like consent, a data breach is not clearly defined in DPD, and therein lies the problem. A company may feel that it is not in breach of data protection if the definition is not clear.

The change: GDPR explicitly defines data breaches and outlines how Data Processors and Data Controllers should respond to them. Under GDPR, businesses will have to inform the supervisory authority of a personal data breach no later than 72 hours after becoming aware of it, providing reasons should there be a delay. The business must also inform the Data Subject immediately.

Right to Erasure

The issue: Under the current DPD, the ‘Right to Erasure’, or the ‘Right to be Forgotten’, gives data subjects the ability to request erasure of data only on the limited grounds of inaccuracy.

The change: GDPR will extend this right by providing seven more instances in which a data subject can request erasure. It also defines five instances in which erasure will not be granted, helping businesses know whether or not they need to delete personal data.

Some examples of where erasure will be granted:

• When the data is no longer necessary to the purpose for which it was collected

• The data has been unlawfully processed

• The data must be erased for compliance with a legal obligation in member state law

Some examples of when erasure will not be granted:

• To exercise the right of freedom of expression or information

• In relation to public interest in public health

• For archiving purposes in the public interest, scientific or historical research purposes

Privacy by Design or by Default

The issue: Privacy was not, and did not need to be, a universal concern for product manufacturers under DPD. This often led to attempts to correct faults through software updates only after a product had been launched to the public.

The change: Under GDPR, security measures are now required to be integrated into products at the manufacturing stage. The highest security settings must now be set as the default on products to avoid breaches once a product is launched. A high-profile example of this is Samsung TVs with cameras: these TVs were hacked into and people were watched in their own homes.

What can a company expect if they breach GDPR?

Following the implementation of GDPR, which comes into force on the 25th of May 2018, organisations found in breach of GDPR can expect:

• A written warning in instances of first and non-intentional non-compliance.

• Regular and thorough data protection audits.

• Most repeat breaches will result in a fine of up to €10,000,000 or up to 2% of annual worldwide turnover, whichever is greater.

• Breaches that the European Court has deemed more serious, for example breaches in consent or international data transfers, will result in a fine of up to €20,000,000 or up to 4% of annual worldwide turnover, whichever is greater.