25th May 2018 – the GDPR goes live – save the date.
Data protection rules will be overhauled for any organisation processing the personal data of individuals in the EU, wherever that organisation happens to be based. The scope alone makes enforcement sound unfeasible, but I’ve not lost my marbles: it’s still happening.
Contrary to the popular opinion that companies with fewer than 250 employees are exempt, small and medium businesses will be affected; the 250-employee threshold only relaxes some of the record-keeping obligations, and even that relaxation falls away if the processing is regular, risky or involves sensitive data. With fines of up to 4% of global annual turnover or €20 million, whichever is higher, it’s no wonder people are running to their nearest solicitor’s office.
If, like me, you hate running down busy main roads, save yourself and read on.
There are two guiding principles behind the new legislation:
- Giving individuals in the EU (data subjects) more control over how their data is processed, and access to it.
- Harmonising data protection practices across the 28 EU member states, replacing the patchwork of national laws built on the 1995 Data Protection Directive. NB. the UK will still fall under the regulation up until the point of exiting the EU.
From these two principles, a number of key changes are to be introduced:
Consent – consent requests must no longer be hidden in long and difficult-to-decipher terms and conditions; they must be clearly distinguishable, in plain language and specific to each purpose for which the data is processed. It must be as easy to withdraw consent as it is to give it. Note that consent is only one of the lawful bases for processing (performance of a contract and legitimate interests are others), so not every instance of processing needs it, but where you do rely on consent it must meet this standard.
Breach Notification – this is now mandatory. A personal data breach must be reported to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; where the risk is high, the affected data subjects must also be told without undue delay. (We’re only at the second change, stay with me.)
Right to Access – think subject access request, but with the obligation to provide a copy of all the personal data held on a data subject, in a commonly used electronic form where the request was made electronically, free of charge (within limits) and normally within one month.
Data Protection Officers (DPOs) – public bodies, and companies whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data, must appoint a DPO. As you can imagine, DPOs are a rare breed so there are probably not enough to go around. This has led to discussions on whether outsourcing the position is acceptable, and it’s difficult to see how the ‘non-outsourcing’ camp’s argument holds up: the regulation itself allows a DPO to be engaged under a service contract, and there are millions of trading companies in the EU but only thousands of DPOs available. Whether or not you need one will need to be assessed.
Privacy by Design – a concept that’s been around for years but has only now been written into law. It means building data protection into your processing from the outset: judging whether each piece of data held on an individual is actually necessary (data minimisation) and applying safeguards such as pseudonymisation. What a great word. Unfortunately, it’s not my word. In GDPR terms it means processing personal data so that it can no longer be attributed to a specific individual without additional information, with that additional information kept separately and protected. For more on pseudonymisation, don’t turn to Google or a dictionary (because you won’t find it there), turn to me.
Right to be Forgotten – controllers are required to erase a data subject’s personal data on request where one of the grounds applies, for example where the data is no longer needed for the purpose it was collected for, where consent is withdrawn and there is no other lawful basis, or where it has been processed unlawfully. They must also delete, and cease disseminating, data that isn’t relevant to the original purpose of collection or has been held for too long without justifiable use, and where that data has been made public, take reasonable steps to tell other controllers processing it to erase it too. (We’re almost there, only two more changes to run through.)
Data Protection Impact Assessments – also known as Privacy Impact Assessments. Where processing is likely to result in a high risk to individuals’ rights and freedoms (large-scale profiling, for instance), documenting and assessing that impact before the processing starts is now a legal requirement.
Awareness – from senior management all the way down the chain, everyone in a company must now be aware of GDPR and the implications of data processing. Exciting.
Now, it may seem that these changes are being enforced to keep a leash on the large, multinational data controllers out there, and to an extent this is true. However, the ICO will still be auditing small and medium businesses for non-compliance. Given the amount of personal data processing that occurs in the recruitment industry (CVs, right-to-work documents, references, payroll), it’d be good practice to implement this prior to the go-live date, and there are some obvious reasons why it’s a better bet to get compliant. Enjoy my bullet points:
- Up to 4% of global turnover or €20 million, whichever’s higher – we’ve already noted this but it’s worth reiterating. You don’t need me to tell you that a fine of that magnitude could cripple an SME, or at least seriously impact cash flow.
- Clients prefer compliance – as a client, you’d want to avoid the headache of having non-compliant suppliers. A controller must only use processors that give sufficient guarantees of compliance and must have a written contract with each of them, so they’re not just partly responsible for the way their processors treat data, they’re liable for it. Clients will very quickly stop working with SMEs who are found to be non-compliant.
- Improved customer/worker trust – now I’m sure you’ve already built great relationships with the people you work with and the customers you serve but being the company that respects personal data and takes privacy seriously can only strengthen that relationship.
- An opportunity to improve – GDPR doesn’t have to be a burden. It can be an opportunity to streamline and improve business practices. Frameworks like ISO 27001 can be great tools, not only for improving your processes but for getting compliant.
This is only a short overview of GDPR, but if you weren’t aware of the changes, it’s a start. Of course, how the legislation will affect your business will need to be assessed and you’ll need to start preparations sooner rather than later. Despite the changes seeming far in the future, reviewing, implementing and fine-tuning your processes will take months.
Thanks for taking the time to read this short piece. For more information on GDPR and how Neuven could help through gap analysis audits, training or ISO support, do get in touch.
0161 437 4337