A Guide to General Data Protection (GDPR). What you need to know - Horner Blakey

The General Data Protection Regulation (GDPR) is one of the most significant changes to data protection legislation in recent years. In April 2016 the European Parliament voted to adopt a new data protection law for Europe, with the regulation applying from 25 May 2018; businesses have only the intervening months to bring their processing into line with its requirements.

The new legislation is designed to give individuals control over their personal data and to give businesses a single, consistent set of rules across the EU’s digital single market.

What you need to know

The GDPR strengthens the obligations on those who process personal data and enhances the rights of individuals. It:

  • Applies to every company processing the personal data of individuals in the European Union, wherever that company is based
  • Imposes a 72 hour window, running from the point at which the company becomes aware of a breach, for reporting it to the supervisory authority, unless the breach is unlikely to result in a risk to affected individuals
  • Requires consent, where consent is the lawful basis relied upon, to be freely given, specific, informed and unambiguous
  • Affords individuals the ‘right to be forgotten’ and the right to access their personal data
  • Implements ‘privacy by design’ – privacy can no longer be an afterthought when developing new products
  • Places direct obligations on data processors as well as data controllers
  • Sets up a ‘one stop shop’ – companies operating in several member states deal with a single lead supervisory authority
  • Requires companies whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category data, to appoint a Data Protection Officer (DPO)
  • Enforces fines of up to €10 million or 2% of global annual turnover for the lower tier of infringements, and up to €20 million or 4% for the higher tier, whichever is greater

What is Personal Data?

The definition of ‘personal data’ under the GDPR is broadly the same as under the U.K. Data Protection Act: information that allows an individual to be identified, either directly or indirectly. However, the list of what counts as an ‘identifier’ is more detailed, and now explicitly includes online identifiers such as IP addresses, as well as location data and genetic data.

Appointing a Data Protection Officer

Where a DPO is required, or where one is appointed voluntarily, the Data Protection Officer will need to:

  • Inform and advise the organisation and its employees on their GDPR obligations
  • Monitor compliance and manage data protection activities; including data protection impact assessments, staff training and audits
  • Interact with authorities and individual data subjects

The role of the Data Protection Officer should be taken seriously. It is not a nominal position to satisfy regulation and it must extend beyond the realm of IT.

DPOs should be well-versed in data, risk, law and compliance but also able to adapt to the ever changing risk landscape of a modern digital world.

The Information Commissioner’s Office (ICO) also recommends that the DPO reports at board level and is provided with adequate resources to meet all obligations. The GDPR further specifies that the DPO must have ‘expert knowledge of data protection law and practices’.

Fines

The GDPR gives regulators the authority to issue fines of up to €10 million or 2% of a business’s global annual turnover, whichever is greater, for violations of its security, record-keeping and data protection impact assessment obligations. Violations of the basic processing principles, of the conditions for consent, of data subject rights or of the rules on international data transfers carry fines of up to €20 million or 4% of global annual turnover, whichever is greater.

The financial price of getting the GDPR wrong is well documented: losing 4% of turnover would undoubtedly be a board level issue. Mandatory breach reporting also adds new elements of risk: reputational damage and class actions. It will now be easier for traditional and social media channels to publicise failings, so organisations must be prepared to face the stark glare of media and customer scrutiny if they are found to be non-compliant with the GDPR.

Data breaches can and will happen, but an organisation that has implemented proactive risk management may be looked on favourably by regulators and be better placed to protect its reputation. While it is easy to think of the GDPR as yet another compliance burden, it should be viewed as a means of bringing your organisation up to speed with the modern digital world.
