The GDPR low-down: How your business needs to change to comply with new data protection rules
Archant Norfolk 2015
With six months to go before the implementation of new European data protection legislation - which will continue to apply to the UK once it leaves the EU - David Higgins, founder of Norfolk Cyber Security Cluster and of internet security firm 4ITSec, advises businesses on what they need to do - and stop doing - to become compliant.
What will the General Data Protection Legislation (GDPR) change?
The new law will give individuals much greater protection for their personal data, with stronger rights over how that data is handled, stored and processed by businesses.
Businesses, on the other hand, will have to change their internal processes and procedures if they wish to hold and process personal data and remain inside the law.
How do I need to change my business’s operations?
• Establish what “personally identifiable data” you actually have, where it came from, why you have it, where it is, who has access to it, who you share it with, whether it is protected, and whether you still need it. If you have personal data stored, you are the controller and are responsible for that data. If you pass the data to a third party (e.g. for marketing) they are the processor – but you are both liable under GDPR.
• Create processes and procedures that cover subject access requests (SARs). A user has the right to: access the data you hold; have errors corrected; object to direct marketing; stop data profiling and automated processing; have their data erased completely; and move their data to another business. They may also request to know why you are processing their data, how long you will keep it for, and who else their data has been given to. All requests must be responded to within 72 hours.
• GDPR centres around consent. Here are some points to follow when you collect personally identifiable information (e.g. website sign-up forms):
o Consent must be freely given and must be specific to the task, informed and unambiguous; it can no longer be open-ended, blanket, or a pre-ticked box.
o The request for consent must be concise, transparent, intelligible, and in clear and plain language.
o You must inform people that consent may be withdrawn, and inform them of their data subject rights, including the right to complain to the Information Commissioner’s Office (ICO).
o You must be able to demonstrate that consent was obtained lawfully (for auditability and accountability).
• Where you process “high risk to privacy” details (e.g. medical, sexual, religious) you must conduct data protection impact assessments (DPIAs) which will specify how this type of data needs to be stored.
• Data protection by design brings specific data security requirements (depending on the assessed risks) such as pseudonymisation, encryption of data, fully tested back-up and restore procedures, and strict data access controls, ensuring ongoing confidentiality, integrity and availability of the data.
• The law requires that companies show data protection governance to demonstrate they take data protection seriously – one route is to appoint a data protection officer to advise the business of its obligations, monitor company compliance, train staff and be available for enquiries from individuals about their data.
• Create a process so that, if you suffer a loss of personal data, you notify the ICO within 72 hours. You also need to notify each individual whose data has been compromised/lost.
What can my business do now to prepare?
• You can no longer buy a mailing list and use it without the explicit permission of each person on that list.
• You must classify all of your personal data and protect it according to that classification; you must encrypt data “at rest and in transit” if it’s assessed as being sensitive.
• Re-write all your privacy notices to encompass GDPR.
• Re-write all your opt-in forms and processes and make them easy to understand.
• Re-assess your business agreements across the supply chain (both inbound and outbound): if you give data to another business to process, you (as the controller) remain liable for its protection; if you receive data to process (as the processor), you still have to comply with GDPR.
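The two points above about protecting data according to its classification, and the earlier point about pseudonymisation as a data-protection-by-design measure, are easier to see in code. The following is an added example written for this page; it is not code from the article, from 4ITSec or from the Norfolk Cyber Security Cluster. It assumes a constructed field classification (direct identifiers, special-category data, and ordinary data) and uses only the Python standard library: direct identifiers are replaced with HMAC-SHA256 pseudonyms, special-category fields are withheld from exports unless explicitly allowed, and the re-identification table is kept apart from the pseudonymised records. Encryption at rest and in transit is not shown here; that would be handled by a dedicated library or the storage and transport layers.

```python
"""Classification-driven pseudonymisation (added example, not from the article)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed classification for a small customer record (an assumption of this
# example, not a scheme from the article).
FIELD_CLASS = {
    "email": "identifier",           # direct identifier: replaced by a pseudonym
    "name": "identifier",
    "postcode": "ordinary",          # kept as-is for analytics
    "order_total": "ordinary",
    "medical_condition": "special",  # special-category data: withheld by default
}


class Pseudonymiser:
    """Replaces direct identifiers with keyed pseudonyms and keeps the
    re-identification data separately from the pseudonymised records."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # Secret key; store it (and the lookup table) apart from the dataset.
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}  # pseudonym -> original value

    @staticmethod
    def _normalise(value: str) -> str:
        return value.strip().lower()

    def pseudonym(self, value: str) -> str:
        # HMAC-SHA256: deterministic, so one person's records still join;
        # without the key the pseudonym cannot be reversed or recomputed.
        token = hmac.new(self.key, self._normalise(value).encode("utf-8"),
                         hashlib.sha256).hexdigest()
        self.lookup.setdefault(token, value)
        return token

    def pseudonymise(self, record: Dict[str, str],
                     include_special: bool = False) -> Dict[str, str]:
        out: Dict[str, str] = {}
        for field, value in record.items():
            cls = FIELD_CLASS.get(field)
            if cls is None:
                # Unknown field: refuse rather than leak unclassified data.
                raise ValueError(f"unclassified field: {field}")
            if cls == "identifier":
                out[field] = self.pseudonym(value)
            elif cls == "special":
                if include_special:  # only with a documented decision (DPIA)
                    out[field] = value
            else:
                out[field] = value
        return out

    def reidentify(self, token: str) -> Optional[str]:
        return self.lookup.get(token)

    def erase(self, value: str) -> int:
        """Right to erasure: drop the subject's link from the lookup table.
        Returns the number of entries removed. While the HMAC key is retained,
        the controller could recompute the pseudonym from the raw value, so
        full unlinkability also needs the raw value itself to be deleted."""
        target = self._normalise(value)
        doomed = [t for t, v in self.lookup.items() if self._normalise(v) == target]
        for t in doomed:
            del self.lookup[t]
        return len(doomed)


if __name__ == "__main__":
    # Constructed sample record.
    p = Pseudonymiser()
    record = {"email": "Ann@Example.com", "name": "Ann Smith", "postcode": "NR1 1AA",
              "order_total": "42.00", "medical_condition": "asthma"}
    export = p.pseudonymise(record)
    print(export)
    print(p.reidentify(export["email"]))
```

The design point is that the pseudonymised export can be shared with an analytics team or a processor while the key and lookup table stay with the controller; joining records by email still works because the pseudonym is deterministic, but whoever holds only the export cannot reverse it. The `erase` method shows the limit of this approach for erasure requests: the link is cut, but true unlinkability also requires deleting the raw value (or the key).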