The EU General Data Protection Regulation (GDPR) replaces the existing UK Data Protection Act and comes into force throughout the 28 countries of the European Union (EU) on 25th May 2018.  Following Brexit, it is highly likely that a closely-aligned UK equivalent of GDPR will be implemented to provide for legal certainty for citizens and protect trade between UK and EU businesses.

GDPR is a regulation which strengthens and harmonises the data protection rights for individuals throughout the EU and harmonises existing regulatory controls across each of the component countries.

The Information Commissioner’s Office (ICO) has provided information about GDPR which can be found here. Alternatively, view our presentation entitled Cloud’s silver lining for GDPR? here.

Download our “UKCloud and the EU GDPR” Whitepaper

Why is GDPR Required?

Currently, there are 28 Member States within the European Union, each with its own framework for the protection of personal data. GDPR makes data protection relevant to the current digital age, providing citizens with more comprehensive rights and controls over their personal data than they have currently.

GDPR significantly expands the definition of what constitutes personal data, which now additionally includes CCTV imagery, technical records (e.g. IP addresses), biometric and genetic data, cultural and social identifiers, amongst others.

At its heart, GDPR requires good information governance. It also requires data processing organisations to declare the legal basis for the processing of personal data, and to ensure that “privacy by design and default” is adopted as a principle within all personal data processing activities.

Strengthening the Rights of the Individual

Data privacy affects everybody regardless of their age, status or location. Under GDPR, clear explanations of personal data processing need to be provided in advance, for example within Privacy Notices. If individuals are required to provide consent for the processing of their personal data, this will be subject to meeting stronger criteria than before. They will also have rights to request details of their personal data, to have incorrect or out-dated personal data corrected, to move their personal data to another data processing organisation, and to require their personal data to be deleted in certain circumstances, for example when it is no longer required and there is no other reason for it to be retained.

Earlier in 2017, UKCloud Health conducted a survey which identified that 72% of UK adults are concerned about the protection of their personal data and 82% believe that their permission should be obtained before organisations are permitted to store their data outside of the UK.

Demonstrating GDPR Compliance

Any organisation which processes personal data will be required to fully comply with GDPR’s many requirements. To demonstrate “privacy by design and default”, a Data Protection Impact Assessment (DPIA) should be undertaken to validate that appropriate organisational, personnel and technical controls have been implemented to ensure that personal data is being securely managed, processed and stored. There are also requirements which introduce data minimisation: collecting only the minimum set of personal data needed to complete a processing activity, and keeping it for only as long as is necessary.

Data processing organisations will need to implement an effective GDPR training and awareness programme for their personnel, ensuring that they understand the risks to personal data and can fully contribute to the organisation’s compliance with the Regulation. Updates to existing contracts with customers and suppliers will be required, and validating the GDPR-readiness of the supply chain will also be necessary.

Organisations will need to implement processes which can effectively deliver the expanded data subject rights within the specified time periods which GDPR introduces. Some organisations, including public authorities and those who undertake large-scale processing of personal data (such as UKCloud), will also be required to recruit or train a Data Protection Officer to provide comprehensive and effective guidance to the organisation on GDPR matters.

GDPR places strict timescales (within 72 hours) on the identification and reporting of any security breach which affects personal data. All organisations will therefore need to implement effective monitoring and alerting so that such incidents are detected in time to be promptly reported to the ICO (as Supervisory Authority) and, where required, to the affected data subjects.

GDPR and Cloud Services

With the increasing use of cloud services, organisations should take special care to understand the precise nature of their use of such services. Whether that includes the provision of cloud services by an organisation to citizens (for example a local authority or healthcare trust), or the occasional use of cloud utilities such as Dropbox or Google Drive by its personnel, a thorough assessment of the GDPR-compliance of each supplier is essential.

Care should be taken to identify where cloud services are being delivered and supported from, which may not be immediately obvious. For example, many global cloud service providers are not headquartered within the European Union, regardless of whether or not they have chosen to locate data centres in the EU. Special attention needs to be paid to their applicable data protection framework, their ability to comply with the requirements of GDPR, and whether specific data subject consent is required before their personal data is moved off-shore. Working with UK-sovereign cloud services removes these challenges.

The Cost of Getting It Wrong

Perhaps the most significant change accompanying the introduction of GDPR is the considerable increase in financial penalties for those who do not comply, whether evidenced by personal data security breaches or non-compliance with the Regulation. Whilst the maximum fine under the current UK Data Protection Act is £500,000, GDPR has maximum penalties of €20m, or 4% of annual, global turnover. Even for less serious contraventions, the maximum penalty is €10m, or 2% of annual, global turnover. And that doesn’t include any civil claims for compensation from data subjects affected by the issue.

Time to Prepare

With an ever-reducing amount of preparation time for GDPR ahead of 25th May 2018, the time is now for every organisation to understand what is required, assign implementation responsibilities to competent personnel, and closely manage the project to ensure completion in good time. This approach will help to protect the organisation from the financial consequences, negative publicity and ultimately the threat to business survival that falling foul of GDPR penalties will bring. Conversely, preparing early and demonstrating that an organisation can be trusted to securely manage personal data is an extremely positive message that will help to differentiate offerings and attract new customers.

Help and advice on GDPR is widely available, including from the Information Commissioner’s Office website. Within the context of cloud services, more detailed information is available within our whitepaper.
