On May 25th, 2018, the EU's General Data Protection Regulation (GDPR) became enforceable and forms the basis of the rules we use in the UK's Data Protection Act 2018.
All companies now have to consider how they process and store data. The aim of the General Data Protection Regulation is to reinforce the data protection rights of individuals, facilitate the free flow of personal data in the digital single market and reduce administrative burden.
The ICO (Information Commissioner's Office), the government organisation that enforces the Data Protection Act, has set out nine simple steps to guide you through the GDPR rules. The information on this page aims to share information and workflows to support your reviews and planning.
Awareness: There have been rules in place to protect consumers since the Data Protection Act 2018; the key points to review in the rules are:
- Higher sanctions – up to 20 million euros or 4% of global turnover
- Consent defined
- Must notify of breach within 72 Hours
- Clarity on the role of a Data Protection Officer
- Controllers and processors jointly liable
- Right to be forgotten
- Right to amend details
- General right not to be “profiled”
- Privacy by design introduced
- Data protection impact assessments must be prepared
- Right to restrict (freeze) processing
Reinforce the Rights of the Individual
Individuals, defined as "natural persons", have the following data rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
The information on the regulation can be found in the rule book, which has 11 chapters and 99 Articles:
- Chapter 1 (Art 1 – 4) - General Provisions
- Chapter 2 (Art 5 – 11) - Principles
- Chapter 3 (Art 12 – 23) - Rights of the data subject
- Chapter 4 (Art 24 – 43) - Controller and processor
- Chapter 5 (Art 44 – 50) - Transfer of personal data to third countries
- Chapter 6 (Art 51 – 59) - Independent supervisory authorities
- Chapter 7 (Art 60 – 76) - Cooperation and consistency
- Chapter 8 (Art 77 – 84) - Remedies, liability and penalties
- Chapter 9 (Art 85 – 91) - Provisions relating to specific processing situations
- Chapter 10 (Art 92 – 93) - Delegated acts and implementing acts
- Chapter 11 (Art 94 – 99) - Final provisions
Non-compliance and higher-level fines: Article 83
The ICO has made the point in recent communications that GDPR is not just about fines: companies need to review and understand how they process an individual's data and how they gain specific consent for its use.
The higher sanctions (up to 20 million euros or 4% of global turnover) relate to breaches of the following Articles:
- 5: Principles relating to the processing of personal data
- 6: Lawfulness of processing
- 7: Conditions for consent
- 9: Processing of special categories of personal data (i.e. sensitive data)
- 12 – 22: Data subjects' rights to information, access, rectification, erasure, restriction of processing, data portability, objection and protection from profiling
- 44 – 49: Transfers to third countries or international organisations
- 58(1): Requirement to provide access to the supervisory authority
- 58(2): Orders or limitations on processing, or the suspension of data flows
The questions companies should therefore consider are:
- How can I minimise the risk and protect my business?
- How can my business implement a technical framework to collect specific consent and lawfully collect data?
- How can my business handle different data streams?
- How can my business uphold the new regulations and define data collection and storage?
- How can my business ensure the security and protection of personal data?
Data Protection by Design
The implementation of appropriate technical and organisational measures to show you have considered the integration of data protection into your processing activities.
You need to have an understanding of the:
- Integration of Data Protection
- Implementation planning for GDPR
- Data Risk Management
- When a Data risk assessment is necessary
- An understanding of the data architecture
Protection by Design: Data Transparency
- Your approach to providing information when collecting data under the GDPR
- Clearly understand how the data might be used
- Information must be concise, easily accessible and in clear and plain language
- Data controllers will have to provide mandated information and allow individuals to access, restrict and port their data
- Notices addressed to children must be child-friendly
- Consider the use of layered policies, immediate and available information
- Consistent use of icons throughout workflows to highlight key information points
Information you hold: Practical Data Audit
Where are your data sources?
If you process high volumes of sensitive data there is a legal requirement to document the data you hold and to carry out and confirm a Data Protection Impact Assessment, which should cover:
- A description of processing and purposes of data
- Confirm the Legitimate interests pursued by the controller
- An assessment of the necessity and proportionality of the processing
- An assessment of the risks to the rights and freedoms of data subjects
- The measures envisaged to address the risks
- All safeguards & security measures to demonstrate compliance
- Indication of any data protection by design and default measures
- A list of recipients of personal data
- Compliance with approved codes of conduct
- Whether data subjects have been consulted
Data Protection Officer (DPO)
What does a Data Protection Officer do?
- Informs and advises on data protection obligations
- Monitors the implementation and application of policies
- Provides staff training
Appointing a DPO:
- A single DPO may be designated for several organisations
- DPO should be accessible
- DPO should have the relevant expertise and skill and no conflicts of interest
- DPO can be appointed on the basis of a service contract
DPO: review data controller and data processor contracts
An audit of contracts with third-party processors will be required to assess compliant and lawful processing and storage of data.
Controllers and processors are equally responsible:
- Review data sharing arrangements - responsibilities
- Review contracts where you appoint data processors
- Direct obligations include testing that the protection of data is robust
- Review your contracts where you are a data processor
- Controllers' right to audit
- Review third-party data security – breach reporting – service levels