Tag Archives: EU data protection regulation

GDPR is here – Data Protection is Changing

Leave a reply

shutterstock_128215814The General Data Protection Regulation (GDPR) will become law on 25th May 2018.  This is the biggest data protection shake-up for twenty years and impacts every organisation in the world that processes the personal data of UK and European citizens.

GDPR is designed to strengthen individuals’ rights and give them greater control over their data.  Data breaches and data theft … and the catastrophic publicity that goes with them … are now everyday events.  Just ask Morrisons, Talk Talk, eBay, Altzheimers Society and VTech. Under GDPR, these, and all other organisations will face fines of up to 4% of worldwide turnover or 20 million euros (whichever is higher).

The onus is on Boards, individual directors and management to understand and comply with the Regulation, and to make the critical changes required to the way in which organisations handle personal data.  And the clock is already ticking – there are only 24 months available to make the vital procedural, technical and resource changes required for compliance.

shutterstock_14154718The first issue is to understand exactly what personal data you hold.  This is not always simple. Data’s a bit like a river, and sometimes the flow can just be too fast to control. It may flow down the main stream, pause in a deep pool, join another river at a junction,  then wander off down tributaries, streams and burns, and disappear – only to bubble up unexpectedly in the middle of an isolated moor.  Like a river, data can be full of good and exciting things, or stagnant and disgusting.

 

It is essential to know what personal data you hold, where it is held, where it came from, how it was collected, what evidence you have that it has been collected and processed legally, with whom it has been shared (internally and externally), on what terms it has been bought or licensed, whether and where it has been archived or deleted, and who is responsible for its safekeeping.

Until all that information is in place, there is no chance that you can keep it clean, up-to-date and protect it from external or internal threats.  And there’s absolutely no chance you can comply with the Data Protection Act as it stands now – let alone GDPR.

Data Compliant has developed a quick GDPR Compliance Checker – if you’d like to know more about where you are compared to where you need to be for GDPR compliance, just click here, answer the questions, and we’ll send you a free report, including:

–  your topline level of compliance by category
–  a benchline summary of how you compare with other UK organisations
–  a summary of the key steps you need to take to become compliant
Remember, enforcement begins on May 25th, 2018 – now’s the time to start to get ready.

EU DPA Regulation – 7 Key Changes

1 Reply
EU balance

A good balance between business needs and individual rights

Talks on ensuring a high level of data protection across the EU Marketers are now complete and draft text was agreed on Wednesday 16th December 2015.  Marketers are delighted with the “strong compromise” agreed by Parliament and Council negotiators in their last round of talks.

The draft regulation aims to give individuals control over their private data, while also creating clarity and legal certainty for businesses to spur competition in the digital market.  Back in September Angela Merkel appealed to the European parliament to take a business view rather than simply look at the Regulation from a data protection perspective  lest the legislation hold back economic growth in Europe.  At the same time she described data as the “raw material” of the future and expressed her belief that it is fundamental to the digital single market.

The regulation returns control over citizens’ personal data to citizens. Companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned.

EU DPA Regulation – 7 Key Changes

  1. 4% Fines:  The Council had called for fines of up to two percent of global turnover, while the Parliament’s version would have increased that to five percent.  In apparent compromise, the figure has been set at four percent, which for global companies could amount to millions.
  2. Data Protection Officers (DPOs):  Companies will have to appoint a data protection officer if they process sensitive data on a large scale or collect information on many consumers.  These do not have to be internal or full-time.
  3. Consent:  to marketers’ relief, consent will now have to be ‘unambiguous’ rather than the originally proposed ‘explicit’ which provides a more business-friendly approach to the legislation. In essence this means that direct mail and telephone marketing can still be conducted on an opt-out basis.  Nonetheless, businesses will be obliged to ensure that consumers will have to give their consent by a clear and affirmative action to the use of their data for a specific purpose.
  4. Definition of Personal Data – the definition has been  expanded in particular by reference to an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
  5. Online identifiers -whether cookies and ISPs are personal data has been the subject of discussion for some months.  James Milligan of the DMA has expressed the view that a compromise has been reached “Whether or not online identifiers such as cookies fall into the definition of ‘personal data’ will depend on where they are placed in the online ecosystem. For example, a cookie placed by my internet service provider will be classified as personal data as it could identify me, whereas a cookie placed by an advertiser lower down the online ecosystem and cannot be linked to my email address or anything else which could identify me, is unlikely to be considered as personal data.  This represents a sensible compromise as it was feared that all online identifiers would be considered as personal data. This separation means non-identifiable, ‘blind’ data can be more widely used than identifiable personal data.”
  6. Profiling – Profiling has now been included under the term ‘automated decision making’.  Individuals have the right not to be subject to the results of automated decision making, so they can opt out of profiling. It will be necessary to implement tick-boxes or similar mechanisms to secure the data subject’s positive indication of consent to specific processing activities related to Profiling.
  7. Parental consent – Member states could not agree to set a 13-year age limit for parental consent for children to use social media such as Facebook or Instagram. Instead, member states will now be free to set their own limits between 13 and 16 years.

 

Next Steps

The provisional agreements on the package will be put to a confirmation vote in the Civil Liberties Committee today (Thursday 17 December) at 9.30 in Strasbourg.

If the deal is approved in committee it will then be put to a vote by Parliament as whole in the new year, after which member states will have two years to transpose the provisions of the directive into their national laws. The regulation, which will apply directly in all member states, will also take effect after two years.

Written by Michelle Evans, Compliance Director at Data Compliant Ltd.

If you would like further advice on how the EU Regulation will affect your business, just call Michelle or Victoria on 01787 277742 or email dc@datacompliant.co.uk

 

 

EU Data Protection Regulation – Getting closer?

Leave a reply

EU dpaThe EU Regulation is designed to replace the current multiplicity of EU data protection laws with a single set of rules to be applied throughout all Member States.  Time is moving on so it’s important to keep on top of the discussions and updates being published.

Last month’s proposed revisions to Chapter IV (which deals with data controller and data processor obligations) are summarised below.  However, it is worth remembering that “nothing is agreed until everything is agreed” in relation to the Regulation.

Greater discretion for data controllers – risk-based compliance

Businesses will be relieved to see greater discretion for data controllers in complying with the legislation as recent Chapter IV discussions in Europe have moved towards a risk-based approach to compliance.

A balance between privacy and entrepreneurship

EU balanceThe proposed amendments to Chapter IV suggest that data compliance obligations should be proportional to the organisation’s specific data processing activity and associated risks.

Once these activities and risks have been assessed, appropriate privacy and data protection tools should be instigated by the organisation.

Different activities, even where the same data is involved, may quite often have different consequences, requiring different levels of protection. The risk-based approach allows data controllers a more flexible approach in assessing their data compliance responsibilities within the context of their own particular business.

It appears that most countries welcome the risk-based approach, which they view as providing a good balance between protecting personal data and safeguarding businesses and entrepreneurship.

Chapter IV Proposed Revisions 

Below are some examples of the revisions proposed by the EU Council:

  • Data protection impact assessments are only required where “high” risk (for example identity theft, fraud or financial loss) to the rights and freedoms of individuals is involved
  • The appointment of Data Protection Officers is voluntary (unless individual Member State legislation states otherwise)
  • Only data breaches that are likely to result in “high risk for rights and freedoms of individuals” need be reported
  • If stolen or breached data is encrypted or protected in such a way that the data remains indecipherable, there is no requirement to report the breach.
  • Required levels of security measures will be established by considering multiple factors, including the nature, scope, context and purpose of the data processing to be undertaken, in combination with the cost of implementation and the technology available.
  • Only where a data privacy impact assessment indicates that data processing would result in “high risk” to the rights and freedoms of individuals, the supervisory data protection authority should be consulted prior to the start of such processing

There is also a suggestion that data controllers may use “adherence of the processor to an approved code of conduct or an approved certification mechanism” to demonstrate compliance with the obligations of a controller.  So organisations may find it well worth considering selecting only those data processors who have appropriate data security certification such as ISO 27001 or DMA DataSeal.

If you have any concerns about your data compliance in general or the impact of EU changes in your business, contact us on 01787 277742.  Or email victoria@datacompliant.co.uk

Services