The General Data Protection Regulation (GDPR) was adopted in April 2016 by the EU Council and Parliament. As a regulation, the GDPR needs no implementation into national law. In this bulletin we summarise the key changes under the regulation and the impact these have on you as an organisation. We also look at cover available under a cyber policy and how to develop an incident response plan.
The EU GDPR will apply to all controllers and processors that reside within the EU, regardless of the outcome of Brexit. Its territorial scope is wider than the EU. The GDPR applies to the processing of personal data of data subjects who reside within the EU by both controllers and processors where they offer goods or services to people in the EU or monitor their behaviour.
In the event of a data breach, organisations will be subject to the regulation's penalties and notification requirements from 25th May 2018.
Currently the Information Commissioner's Office has the power to fine organisations up to £500,000 for a data security breach under the Data Protection Act 1998. The GDPR is far more punitive, with a maximum fine of up to 4% of global turnover or EUR 20 million, whichever is the larger.
Failure to comply represents a substantial risk and will require data security to be addressed at board level.
Compulsory regulatory notification
The GDPR requires compulsory notification to the regulator, within 72 hours, of personal data breaches likely to result in harm to data subjects. When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller is also required to notify the affected individuals "without undue delay." Although the obligation to notify is conditional on awareness, burying your head in the sand is not an option: controllers are required to implement appropriate technical and organisational measures, together with a process for regularly testing, assessing and evaluating the effectiveness of those measures, to ensure the security of processing.
This is a significant break from the past, when the majority of organisations in the EU had no requirement to inform the public of a data breach. A well-documented incident response plan will be essential to ensure compliance.
New processor responsibilities
Under the GDPR, processors will have direct responsibility when handling personal data. Previously, only data controllers were accountable when working with personal data.
Organisations are advised to conduct a detailed review of existing contracts with third-party suppliers providing data processing services ahead of the GDPR taking effect. Organisations should make sure data processors only process information on the instruction of the data controller, and should obtain assurance that these instructions are being met.
Extended rights for data subjects
One of the main ambitions of the European Commission in proposing a new data protection framework was to bolster the rights of individuals. This is clearly reflected in the strengthened rights of data subjects. These include, for example, the right to be forgotten, and the right of access to personal data and to its correction where it is inaccurate. There is also a right to restrict certain processing and a right to object to personal data being processed for direct marketing purposes. Individuals can also ask to have their personal data returned in a structured and commonly used format so that it can easily be transferred to another data controller (known as "data portability").
The controller is obliged to permanently erase personal data under certain circumstances. This will require a review of both processes and technology solutions to ensure that paper and electronic records can be, and are, erased in accordance with retention requirements and requests for erasure.
Preparation for the new regulations
Considering the significant amount of work that needs to be undertaken to comply with the GDPR, organisations are advised to begin preparations now.