GDPR is fast approaching and the data protection rules in Europe will face their biggest change in 20 years. With the GDPR looming, the more organised amongst us have already started making positive steps towards preparing for the 25th May 2018, when the new rules will come into force. But, don’t worry if you haven’t started yet – there is still time to get your company into shape. Here, we’ve created a refresher guide to clear up any confusion and to get you up to speed with what the GDPR might mean for your organisation.
First things first, let’s take it back to basics. The General Data Protection Regulation (GDPR) is the EU’s new data protection framework. It replaces the 1995 Data Protection Directive, which each member state implemented in its own way, and in the UK it supersedes the regime set out in the Data Protection Act 1998. Because it is a regulation rather than a directive, it applies directly and uniformly across the EU. By introducing a series of changes to existing data protection duties, it will affect the way businesses collect, store, move and manage personal data. The regulation is intended to address the changes that the rapid development of technology has brought to the handling of personal data. The main aims behind the GDPR are clear: it strengthens, simplifies and unifies previously disparate data protection regimes across Europe.
The rights of individuals are at the forefront of the changes, particularly with regard to consent and to access to and control over their own personal data. Put simply, the old regime created in the 1990s is no longer sufficient for the volumes of data we collect and store today.
The GDPR changes how all organisations handle personal data, and those active in the EU have been preparing for it since the text was adopted in April 2016. Failure to comply can result in far tougher fines and sanctions than under the current law, so it is crucial to ensure every aspect of your business is up to scratch. In the UK the new rules will be enforced by the Information Commissioner’s Office (ICO).
So before we start, we will go through some key terms which relate to GDPR – giving you the power to break down GDPR jargon to fully understand the implications for your company.
Data: Information held electronically, or on paper as part of a structured filing system.
Data controller: The person or organisation that determines the purposes and means of processing personal data, and is legally responsible for that processing.
Data processor: A person or organisation that processes personal data on behalf of, and on the documented instructions of, a data controller.
Personal data: Any information that relates to an identified or identifiable living individual.
Sensitive personal data: Personal data that reveals information such as an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, as well as genetic and biometric data. The GDPR calls this ‘special category’ data and sets stricter conditions for processing it.
Processing: Any operation performed on personal data, whether automated or not. This includes obtaining, recording, organising, storing, consulting, using, disclosing, restricting and erasing it.
GDPR applies to any organisation, public or private, that is established in the EU and processes personal data, whatever its size. It also applies to organisations outside the EU that offer goods or services to individuals in the EU, or monitor their behaviour, so a company with no European office can still be caught. Note that it protects individuals in the EU, not only EU citizens.
Any business that decides why and how personal data is processed is a data controller, and it is the organisation itself, not an appointed individual, that carries the responsibility for GDPR compliance. A data processor is the body that carries out the processing on the controller’s behalf, for example an outsourced scanning, hosting or payroll provider. Processors have direct obligations of their own under the GDPR, and the Regulation requires a written contract between controller and processor covering specific points. Anyone outsourcing the management of personal data therefore needs to review and update contractual arrangements so that responsibilities and liabilities are clearly stated.
For those who don’t comply with GDPR, the penalties are far tougher than under the current law. The maximum fine is €20 million or 4% of annual global turnover, whichever is greater, with a lower tier of €10 million or 2% for some obligations. The damage to a business’s reputation from a publicised breach or enforcement action can be lasting.
There has been some confusion surrounding the relationship between Brexit and GDPR. For UK businesses, Brexit makes no difference to the 25th May 2018 deadline: the GDPR applies before the UK’s planned departure from the EU, and after it the Regulation will continue to apply to any UK business that offers goods or services to, or processes the personal data of, individuals in the EU.
The UK government has introduced a Data Protection Bill to replace the Data Protection Act (1998) with legislation that mirrors the GDPR, with the aim of securing an ‘adequacy’ decision that allows personal data to keep flowing freely between the UK and the EU after Brexit. Such decisions are made by the European Commission, and the government has acknowledged that it could take up to three years to obtain one.
In simple terms, if your organisation operates within the UK or anywhere else in Europe, you must meet the GDPR obligations when it comes into force. Remember the deadline is 25th May 2018.
The full regulations of GDPR consist of 99 articles that establish the rights of individuals and the obligations that organisations must meet. However, we have picked out the key parts you need to know and the most important changes for your business.
Data controllers and data processors: The GDPR sets out responsibilities for both controllers and processors, including the need for a written contract between them. The ICO publishes more detailed guidance for controllers and processors.
Data protection officers: Organisations must appoint a data protection officer (DPO) in some circumstances: if they are a public authority, if their core activities involve large-scale regular and systematic monitoring of individuals, or if their core activities involve large-scale processing of special category data or criminal conviction data. The Regulation sets out the tasks a DPO must carry out, and places duties on the employer to support the DPO and to ensure the DPO reports to the highest level of management.
Accountability: The GDPR places more importance on organisations being able to demonstrate their compliance, not merely to comply. In practice this means keeping records of processing activities, documenting the lawful basis and retention period for each processing purpose, having appropriate policies and staff training in place, and carrying out data protection impact assessments for high-risk processing.
Data breach notification: In the event of a personal data breach, data controllers must notify the Information Commissioner’s Office (ICO) without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. Where the breach is likely to result in a high risk to those individuals, they must be told as well. Processors must report any breach to their controller without undue delay, and every breach should be logged internally even when it does not need reporting.
Lawful basis for processing data: To process personal data lawfully under the GDPR, businesses need to identify a ‘lawful basis’ before processing begins and document it. The six bases are consent, contract, legal obligation, vital interests, public task and legitimate interests. The basis chosen matters more than under the current law because it must be stated in your privacy notice and because some individual rights, such as the right to erasure and the right to data portability, depend on which basis you rely on.
Data protection by design and default: Systems and processes must have data protection built in from the outset, personal data should be collected only for specific purposes, and it should be discarded when it is no longer needed. In an age where storage is both plentiful and relatively cheap, the tendency in recent years has been to keep everything ‘just in case’, and that mind-set will need to change.
Data erasure: The ‘right to be forgotten’, also known as the right to erasure, is an individual right set by the GDPR. It means that individuals can request that personal data relating to them is erased, for example where it is no longer needed for the purpose it was collected for, or where they withdraw consent and no other lawful basis applies. The right is not absolute, and an organisation may refuse where it has an overriding legal obligation or legitimate ground to keep the data, but it must be able to justify that decision.
Right to access: Under the GDPR data subjects have the right to access their own personal data, together with information about how it is processed, and organisations must generally respond within one month and free of charge. The right to access allows data subjects to be aware of and verify the lawfulness of the processing.
Consent: A higher standard of consent is set by the GDPR, putting the individual in control. Consent must be freely given, specific, informed and unambiguous, given by a positive opt-in rather than pre-ticked boxes or inactivity, and it must be as easy to withdraw as it was to give. Organisations must keep a record of what an individual consented to, when and how.
With all this in mind the key priorities for organisations operating in the EU and processing data from EU residents over the coming 6 months will be:
While the GDPR will no doubt cause a major shakeup of the data protection regime in the EU, it is also an opportunity for organisations to demonstrate best practice in data and document management and use this to enhance trust in their business and processes.
With less than 6 months before 25th May 2018, it is time to seriously start making steps towards compliance. The threat of fines large enough to put any organisation at risk, regardless of size, is reason enough to hit the ground running.
It is time to get the basics in place. If you need assistance with document management, please do contact us or explore our document scanning and digitisation services.
Copyright © 2018 EDM Group Limited. All Rights Reserved.