- 19th September 2017
- Posted by: Adam Syed
- Category: Data Privacy
As data protection specialists, we have put together this comprehensive guide explaining how the EU GDPR changes the landscape and what you need to know about it.
The General Data Protection Regulation (GDPR) comes into force on May 25, 2018. In about eight months, Europe’s data protection rules will see their most significant change in over 20 years. Since the current rules were drawn up in the mid-1990s, the digital world has changed beyond recognition and the amount of personal data organisations store has grown exponentially. The old rules no longer fit.
The GDPR will substantially change how public and private organisations may handle the personal data of the individuals they deal with. In light of the upcoming changes, a number of self-styled GDPR experts have emerged to guide organisations through them, often for a hefty price tag.
Organisations that already comply with current data protection law should see the new regulation not as a radical break but as an update of the existing rules. The UK’s Information Commissioner, Elizabeth Denham, has been working to counter the scare tactics she feels some consulting firms are using to drum up business by needlessly alarming their customers. She stresses that the new regulation is the logical next step and should not be seen as revolutionary.
At ISRC Consultants, Ltd, we offer GDPR training courses delivered by our certified trainers. These courses will train your business delegates on the GDPR changes to ensure you comply with all of the new requirements. Our sessions will also raise awareness of data protection and data privacy across your organisation.
Despite reassurances from Elizabeth Denham of the ICO, many business leaders are still worried about failing to comply with the GDPR. Use our comprehensive guide to answer your questions and ease those fears.
Overview of the GDPR
The General Data Protection Regulation, commonly known as the GDPR, is Europe’s new framework for data protection. It replaces the Data Protection Directive of 1995, which remains the law in force until the GDPR applies in May 2018.
According to the European Union’s GDPR website, the new law is intended to harmonise data protection across Europe and to strengthen the rights of individuals. The legislation also sets out new obligations for organisations that handle personal data.
In April 2016, after more than four years of discussion and negotiation, the GDPR was formally adopted by both the European Parliament and the Council of the European Union. It was published in the Official Journal of the EU in May 2016 but does not apply until May 25, 2018, giving organisations a two-year transition period to bring their practices into line with the new regulation.
What about existing data protection laws?
Every EU member state currently operates under national law implementing the Data Protection Directive of 1995. In the UK, that law is the Data Protection Act 1998, which governs how businesses and public bodies may use individuals’ personal data.
The GDPR changes how personal data may be used across all member states. In the UK, the government has published a new Data Protection Bill intended to keep the GDPR’s standards in force after Brexit. The bill adopts the GDPR’s provisions with only a small number of UK-specific variations.
Data Protection in the UK
On September 14, 2017, the UK government published the Data Protection Bill, which implements the GDPR’s provisions in UK law and fills in the areas the regulation leaves to member states. Before becoming law, the bill must pass through both the House of Commons and the House of Lords.
According to the government, the bill includes a number of exemptions from GDPR obligations, for example for journalists, anti-doping organisations and researchers who handle personal data.
How will my organisation be affected?
Any organisation or individual that acts as a controller or processor of personal data must comply with the GDPR. Anyone who is subject to the Data Protection Act (DPA) today will be subject to the GDPR from May 2018. Our data protection specialists cover in more detail how the GDPR changes the playing field during our training sessions.
The GDPR covers both personal data and sensitive personal data (the “special categories”). Personal data is any information relating to an identified or identifiable person, such as a name, home address, IP address or phone number. Sensitive personal data includes information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetics, biometrics, health and sexual orientation, and it is subject to stricter rules.
Both types are already covered by current data protection law, which applies to personal data that is processed automatically or held in a filing system. The GDPR makes explicit that pseudonymised data, where the individual can still be identified with additional information, remains personal data and is therefore also protected.
The GDPR contains 99 articles, which together set out the rights of individuals and the obligations of organisations. Among them are a right for individuals to access the information organisations hold about them more easily, a new structure of fines, and much clearer rules on obtaining an individual’s consent before processing their personal data.
According to Helen Dixon, Ireland’s Data Protection Commissioner, the new regulation is a necessary improvement on the current law. She stresses that smaller companies will need more information and guidance on meeting the new requirements, since larger companies are likely to be aware of them already. Smaller businesses, including start-ups, are also likely to need to make more changes: many start-ups were founded with no data protection measures at all, she says, so they will have further to go than others.
Responsibility and Compliance
Organisations that fall under the GDPR will be held accountable for their handling of personal data to a much greater degree than before. This includes stronger data protection policies, giving individuals clear information about how their data is processed, and carrying out data protection impact assessments for processing that is likely to pose a high risk to individuals.
In the last year alone, there have been very serious data breaches at large, well-established companies such as LinkedIn, MySpace and Yahoo, exposing the personal information of millions of users.
Exposure of personal data can lead to financial loss, reputational damage, identity theft, disclosure of confidential information and more; a breach can wreak havoc on someone’s personal life. Under the GDPR, an organisation that suffers a breach must notify the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the people affected, they must also be told without undue delay.
Organisations with 250 or more employees must keep written records of their processing activities: why the data is collected, how it is used and who it is shared with. Those records must also describe the technical and organisational security measures in place to prevent breaches. Smaller organisations must keep the same records where their processing is not occasional, is likely to pose a risk to individuals, or involves sensitive personal data.
In addition, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive personal data, must appoint a Data Protection Officer, as must all public authorities. Many organisations will need to designate someone for this role; the DPO may be an existing member of staff or an external contractor. Some larger companies already have a DPO, but this change will affect many organisations.
The DPO reports directly to the highest level of management, acts as the point of contact for employees, data subjects and the supervisory authority on data protection matters, and is responsible for monitoring the organisation’s compliance with the GDPR. Data protection has rarely been a boardroom topic in the past; with the GDPR, that is changing.
Organisations that rely on consent to collect and process personal data must now obtain it through a clear affirmative action: it must be unambiguous that the individual has agreed, and silence, pre-ticked boxes or inactivity do not count. Consent is only one of several lawful bases for processing personal data, and organisations should identify which basis applies to each of their processing activities.
Personal data access
Alongside the new rules on collecting personal data, the GDPR strengthens individuals’ right to see the data held about them, making it easier to find out what organisations know about them. Currently, public bodies and businesses may charge an individual up to £10 to answer a Subject Access Request (SAR) for the data held about them.
Under the GDPR, that fee is abolished and a request is free in most cases. When an individual asks an organisation for their data, the organisation must respond within one month, extendable by a further two months for complex requests. Every individual has the right to access the information held about them, and this gives users of organisations large and small more control over their data.
The GDPR also strengthens individuals’ rights over automated decision-making and profiling, and gives them a right to erasure (the “right to be forgotten”). Individuals can require an organisation to delete their personal data in several circumstances, including where the data was processed unlawfully, where it is no longer needed for the purpose it was collected for, and where consent has been withdrawn.
GDPR financial penalties
One of the most controversial GDPR changes is the power of regulators to fine organisations that fail to comply. Organisations can be fined for not appointing a Data Protection Officer when one is required, for failing to report a breach or to keep personal data adequately secure, or for processing an individual’s data unlawfully.
Penalties are financial and, in the UK, will be set by Denham’s office, the ICO. Less serious infringements can attract fines of up to €10 million or 2% of the firm’s global annual turnover, whichever is higher. More serious offences can attract fines of up to €20 million or 4% of global annual turnover, whichever is higher. These are far greater than the current maximum penalty of £500,000; according to one industry analysis, the fines issued last year would have been 79 times higher under the new regime.
Denham disputes rumours that her staff are looking to make an example of large businesses by issuing devastating fines. Large fines will be issued when necessary, she says, but her office is not looking to hand them out and would much rather see organisations comply with the regulation.
She also states that her office does not intend to change its procedures for handling fines or the way it regulates data protection in the UK. The ICO would much rather work with an organisation to improve its practices than act punitively.
Denham also says that rumours of her office being eager to hand out large fines are scare tactics used by organisations hoping to profit from fearful business owners. Her office, she says, will be far more lenient with companies that are clearly trying to implement the GDPR but make a mistake than with those that refuse to comply.
To learn more about how the GDPR will affect your organisation, register for one of our training sessions to ensure you are prepared to meet all of the new requirements.