The General Data Protection Regulation comes into effect in 2018, and it is clear that there are many myths surrounding the EU regulation. At a recent conference an audience of technology leaders was asked whether they had a GDPR related project on their books, and of the 50-60 attendees only one confirmed that they were working on the implementation of GDPR.
As an IT consultancy we get asked lots of questions on a variety of subjects, and instincts tell us that not enough is understood about the potential impacts of GDPR.
We will answer questions about specific GDPR related subjects on other web pages.
So, here is a sample of the Q & A that we have come across…
When will the GDPR come into force?
25th May 2018
Won’t it just go away after Brexit?
No. The UK signed up to the regulation and so it will apply whilst we are still a member of the EU. It also applies to non-EU countries that control and process the data of EU citizens.
Will my organization be affected?
If you are currently impacted by the DPA it is almost certain that you will be impacted by GDPR. If you are not impacted by the DPA, there is still a strong possibility that you will be impacted by GDPR. It also applies to organizations outside the EU that offer goods or services to individuals within the EU.
Who are the experts?
At the moment there are no experts. The lawyers may have pored over the small print, but this is new. No one has been through the implementation of GDPR, and there is no certificate to say that you are compliant, as there was to some extent in the case of, for instance, PCI.
What are Controllers and Processors?
The GDPR defines the roles of controllers and processors. Generally, the controller stipulates how and why personal data is stored and processed, and the processor executes those stipulations. Contracts between controllers and processors must be GDPR compliant, and it is the controller’s responsibility to enforce this compliance.
My data is encrypted so will I be compliant?
GDPR relates to process as well as data storage. It also deals with third parties, so you, as data controller, need to ensure that their policies and processes are compliant too.
Isn’t this just the same as the Data Protection Act (DPA)?
Whilst there are similarities, the GDPR is generally seen to go significantly beyond the protection afforded by the DPA.
Won’t the UK need to pass legislation for it to become law?
No. The GDPR will automatically be adopted on the date stated above.
What are the penalties for non-compliance?
Penalties are severe: potentially up to 2% of global turnover or 10 million Euros for functional breaches, or 4% of global turnover or 20 million Euros for more fundamental breaches. Any breaches must be reported within 72 hours of an organization becoming aware of the breach.
What does GDPR class as personal data?
Personal data is any information relating to an individual, and covers private, professional and public identities. It can be a name, a photograph, an email address, bank details, names on social media (e.g. a Twitter name), social media and forum posts, medical information, a computer IP address, etc. However, much of this does not apply to law enforcement or national security – this is covered by a separate directive.
What is the intent around automated individual decision-making?
One of the intentions of the GDPR is to prevent individuals being adversely impacted by a potentially damaging decision taken without human intervention, for instance where it is based solely on algorithms. Again, this requirement is broadly the same under the DPA.
To be specific, an organization must allow for human intervention, must allow for a response from an individual, and must provide an explanation of the decision along with the opportunity and means to challenge it.
What is meant by Privacy By Design and Privacy By Default?
In their simplest terms these mean that the collection and usage of data must be actively sanctioned. The need to tick a box to opt in will no longer apply. Privacy settings must be set to ‘High’ by default.
Will I need a Data Protection Officer (DPO)?
A DPO must be appointed for public organizations, or if the core activities of the organization involve regular and systematic monitoring of data subjects on a large scale. So, this could come down to your interpretation of ‘regular and systematic’ and ‘large scale’.
What is the role of the DPO?
The role of the DPO is to ensure compliance within the organization. The profile of the DPO is one with expert knowledge in data protection best practices, IT processes, and data security, taking account of the processing of personal data in situations of business as usual and business continuity. The DPO should report at board level and should effectively act as the organization’s internal GDPR regulator.
What is required in terms of consent?
Valid consent must be explicit for the data that is collected and the purposes for which that data is used. This means that silence, pre-ticked boxes or inactivity do not constitute consent. It must be possible to prove that consent was given, as opposed to being implied, and so it should be recorded how and when consent was given. It must also be possible to action the withdrawal of consent. Consent for children must be given by the child’s parent or guardian, and must be verifiable as such.
What about consent that I have already obtained?
If you already have consent based on the DPA or the EC Data Protection Directive this will remain in place if the standard used to collect that consent meets the requirements of the GDPR. If you cannot reach this standard then new consent must be sought, and any processing based on the previous consent must be discontinued.
What is the right to erasure?
Right to erasure means that any citizen can request that the data that you hold in relation to them can be erased on any one of a number of grounds, where the rights of the individual can legitimately take precedence over the rights of the organization.
What about data transfer?
The GDPR states that a person should be able to transfer their data from one system to another. It is not a requirement that an organization maintains systems that are compatible with everyone else’s. However, an organization should be able to provide a person’s data in a structured and commonly understood format, for instance, a CSV file. This should be provided free of charge. It has also been suggested that individuals should be able to access this data in a secure manner via an electronic portal, but this is not currently a requirement.
Does it cover all data?
The legislation describes personal and sensitive data. It covers all data that can be used to uniquely identify an individual. This includes pseudonymised data if it is presented with other data that can identify an individual; for instance, if a name is pseudonymised but an address and date of birth are not, it is possible that the person can be definitively identified. It also covers manual records, for instance chronologically ordered sets of manual records containing personal data. This could have a significant impact on smaller organizations such as sports clubs, who will need to record changes to personal data, including the details of the changes (retaining the original data) and when those changes occurred. Sensitive data now includes biometric and genetic data.
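The re-identification risk described above, in an added Python example that is not part of the original page: a constructed dataset in which only the name is pseudonymised is checked for records that can still be linked to a second dataset via the address and date of birth left in clear, and the same check is re-run after all identifying fields are replaced with keyed tokens. The sample people, field names and key are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample data (fictional people), for illustration only.
RAW_RECORDS = [
    {"name": "Alice Example", "address": "1 High St, AB1 2CD", "dob": "1980-03-14", "membership": "gold"},
    {"name": "Bob Example", "address": "2 Low Rd, EF3 4GH", "dob": "1975-11-02", "membership": "silver"},
]

# A second, separately held dataset (e.g. a club's member list) that carries names
# next to the same address and date of birth fields.
REFERENCE_LIST = [
    {"name": "Alice Example", "address": "1 High St, AB1 2CD", "dob": "1980-03-14"},
    {"name": "Carol Example", "address": "9 Park Ave, IJ5 6KL", "dob": "1990-07-21"},
]

QUASI_IDENTIFIERS = ("address", "dob")


def pseudonymise_name_only(record):
    """The weak approach the section warns about: hash just the name, leave the rest in clear."""
    out = dict(record)
    out["name_token"] = hashlib.sha256(out.pop("name").encode()).hexdigest()
    return out


def linkable_records(export, reference, quasi_identifiers=QUASI_IDENTIFIERS):
    """Map name_token -> name for every export record whose in-clear quasi-identifiers
    match a reference record. Used as a pre-release check of how exposed an export is."""
    index = {tuple(r[q] for q in quasi_identifiers): r["name"] for r in reference}
    linked = {}
    for rec in export:
        key = tuple(rec.get(q) for q in quasi_identifiers)
        if None not in key and key in index:
            linked[rec["name_token"]] = index[key]
    return linked


def pseudonymise_record(record, key, fields=("name", "address", "dob")):
    """Replace every identifying field with a keyed HMAC token. The key stays with the
    controller, so a recipient cannot recompute tokens from known values or join on them."""
    out = {}
    for field, value in record.items():
        if field in fields:
            out[field + "_token"] = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
        else:
            out[field] = value
    return out


def exposure_after_full_pseudonymisation(raw_records, reference, key):
    """Pseudonymise all identifying fields, then re-run the linkage check on the result."""
    return linkable_records([pseudonymise_record(r, key) for r in raw_records], reference)
```

With the name-only export one of the two records links straight back to a name; after tokenising the address and date of birth as well, the check finds nothing to join on.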
Is there a recognised certification to show that I am compliant?
At present there is no such certification. The GDPR requires an organization to show how they comply with the principles.
What restrictions are there on data?
The data collected should be adequate, relevant and limited to what is absolutely necessary. So, do you really need that Date Of Birth, Gender, favourite football team? It should also only be retained for a period of time relevant to its use. There are no guidelines for this, but if someone sets up an online account to purchase a single item there should be a defined period of time when this data should no longer be kept. It should also be stored in a secure manner, and that includes protecting against hacks and other cyber attacks.
Is it just a form filling exercise?
No! It is important that you document the rationale for your usage of personal data. The DPO should then ensure that processes are adhered to and compliance is maintained.
What about data that is already in the public domain?
It is important that you only use information that has been explicitly consented to. For instance, a Twitter name would not necessarily identify a person, but could be used to do so in conjunction with other pieces of data.
What are the rules around children?
Where you communicate directly to a child, your privacy notice must be clearly written in a way that a child will understand it. If you target online services to children you will need consent from a parent or guardian to process the child’s data. In terms of the GDPR a child is aged 16 or under.
What information should I provide following a request from an individual under GDPR?
When providing information it should be clear, concise, easy to understand and easy to access. It should be provided free of charge (previously, under the DPA, a £10 fee was permitted).
The scope of what must be provided is as follows:-
- Contact details (name, address, email address, telephone number) of the Controller and / or their representative within the organization. Where appropriate the contact details of the DPO should also be provided.
- The categories of data being processed and the reasons for the processing
- Any recipients of the data, including third parties, and what steps are in place to safeguard your data.
- How long you expect to retain the data and the reason for that timescale.
- The original source of the data, including which pieces came from public sources, if any.
- Any contractual requirements regarding the processing of the data and any consequences of not providing the data.
- Any automated decision making or profiling that the data has been used for, and the consequences of these processes.
- The rights of the individual in relation to the data:-
  - The right to withdraw consent at any time, where relevant
  - The right to lodge a complaint with a supervisory authority
  - The right to object
How long do I have to action a request?
You will have a maximum of one month to provide the information, and you must verify the identity of the individual making the request.
What do I need to do if the data that I hold is inaccurate or incomplete?
If an individual challenges the personal data that you hold they are entitled to have the data rectified where appropriate. If the data has been disclosed, for instance to third parties, this data should also be rectified. You must also inform the individual to which third parties their data has been disclosed.
What is the right to erasure?
The right to erasure is not absolute and unconditional. However, an individual has the right to have personal data erased in the following circumstances:-
- The data is no longer necessary for its original purpose
- Consent is withdrawn
- The individual objects and you have no legitimate reason to challenge their objection
- The data or its processing is in breach of the GDPR
- Erasure is required to meet a legal obligation
This is a significant change to the DPA right to erasure which was limited to processing that caused substantial damage or distress. If the data that you hold is subject to erasure you must also inform any third parties to which you have disclosed the data of the erasure.
What is the right to object?
An individual has the right to object to the processing of their data. Individuals must be informed of their right to object at the point of first communication and in your privacy notice. This information must be explicitly brought to the attention of the data subject and presented clearly and separately from any other information. Objections to direct marketing must be acted upon as soon as the objection is received, free of charge. There are no exceptions to this. It will be interesting to see how this is enforced in terms of ‘unsubscribe’ requests that often take up to three months to fully action. It should be noted that this requirement is broadly the same under the DPA; it has just been restated under GDPR.
What safeguards can I put in place?
There are certain pieces of best practice that will go some way to ensuring compliance with GDPR. These include:
- Implement processes across the organization to eliminate errors and enable inaccuracies to be rectified. Consider data protection and HR policies, staff training and audits
- Secure personal data proportionate to its content and usage
- Maintain relevant and up to date documentation on processing activities
- Appoint a DPO if this is appropriate to your organization
- Consider privacy by design and privacy by default in your processing
- Review previously obtained consent
- Review your obfuscation and pseudonymisation
- Review your data access policies including how frequently accesses are reviewed
- Consider using data protection impact assessments
- Consider signing up to and adhering to a code of conduct if such a code exists that covers your processing
- Ensure any third parties that you disclose data to are compliant
Will this affect data transferred outside the EU?
The GDPR limits the ability of an organization to transfer personal data outside the EU where the data protection is based on your own assessment. Authorisations made by the relevant authorities with regard to adequate data protection will remain valid until amended, replaced or repealed.
An excellent website to keep up to date with GDPR developments is:-
If you would like further information or you have other questions please get in touch. We do not profess to be experts, and we are not accredited to provide regulatory advice, but we have strong regulatory experience including within the fields of PCI compliance and data protection. The information provided above is, to the best of our knowledge, current at the time of publication.
Inevitably, understanding and interpretations will change up to and beyond the implementation date.
We strongly advise that you keep up to date with all things GDPR related.
Through our partners we can also provide extensive analysis of exactly where your personal and sensitive data is stored and used.