GDPR: Your Questions Answered (Part 2 of 3)

Date: 20/07/2017

Common questions on GDPR answered, part 2.

The bar on protection of personal data has been raised and there will be severe penalties for non-compliance. Very few bodies do not store personal data of some description, so this is legislation that affects us all. It’s important you are aware of what this means for your organisation.

Who does the GDPR affect?
The GDPR applies not only to organisations located within the EU but also to organisations located outside the EU that offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all organisations processing and holding the personal data of Data Subjects residing in the European Union, regardless of the organisation’s location.

What’s the biggest change?
It is the extended jurisdiction of the GDPR. It applies to all establishments processing the personal data of subjects residing in the EU, regardless of their location. Previously, territorial applicability of the directive was ambiguous. GDPR makes its applicability very clear – wherever the data is stored or processed, within or outside the EU, the monitoring of EU data subjects’ behaviour is subject to GDPR. Non-EU organisations will have to appoint a representative in the EU.

Can I leave this to my IT supplier?
A very important question. There is currently no formal obligation to have a contract in place with your chosen Data Processor. This will change. Under the GDPR it will be illegal not to have a formal contract or Service Level Agreement (SLA) in place with your chosen supplier. In addition, under the GDPR it will also be a criminal offence to choose an IT recycling partner/Data Processor who doesn’t hold the minimum competencies and accreditations for IT asset disposal (e.g. ADISA, Blancco, ISO 27001). You must be able to demonstrate that you are working with an accredited company when it comes to disposing of your data-bearing end-of-life IT assets.

What if I’m not ready in time?
This is not an option. There are huge fines for non-compliance. Failure to comply under the GDPR could see fines of up to €20 million (or 4% of global turnover – whichever is greater). It is important to note that these rules apply to both Data Controllers and Data Processors, meaning ‘cloud data’ will not be exempt from GDPR enforcement.

What’s the difference between a Data Controller and a Data Processor?
A Data Controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the Data Processor is an entity which processes personal data on behalf of the Data Controller. For example, a school may be a Data Controller and their IT contractor may be a Data Processor.

Do I need to seek consent to store personal data?
Yes. The conditions for consent have been strengthened. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language (not lengthy conditions in “legalese”). Consent must be specific, i.e. it must be clear for what purpose data is being collected.

If more than one purpose is planned then the individual must be given “granular” choice (the ability to consent to one purpose but not others). For example, if a local authority is processing data for various different purposes, it will need to get separate consent for each purpose. The regulation creates a presumption that bundling consents will render the consent invalid. It must be as easy to withdraw consent as it is to give it.

What if I discover a data breach?
Under the GDPR, breach notification will become mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data Processors will also be required to notify their customers (the controllers), “without undue delay” after first becoming aware of a data breach.

Part 3 tomorrow.