What is GDPR?
The EU General Data Protection Regulation (GDPR) replaces the 1995 Data Protection Directive, implemented in the UK as the Data Protection Act 1998, and applies throughout the 28 Member States of the European Union (EU) from 25 May 2018. Following Brexit, it is highly likely that a closely-aligned UK equivalent of GDPR will be implemented to provide legal certainty for citizens and to protect trade between UK and EU businesses.
GDPR is a regulation, so it applies directly in every Member State without national implementing law. It strengthens data protection rights for individuals throughout the EU and harmonises the regulatory controls that currently differ from country to country.
The Information Commissioner’s Office (ICO) has published guidance on GDPR on its website.
Why is GDPR Required?
Currently there are 28 Member States within the European Union, each with its own national transposition of the 1995 Data Protection Directive, which has led to differing rules and enforcement. GDPR brings data protection up to date for the digital age, giving citizens more comprehensive rights and controls over their personal data than they have today. At its heart, GDPR requires good information governance.
Strengthening the Rights of the Individual
Data privacy affects everybody regardless of their age, status or location. Under GDPR, where an organisation relies on consent as its lawful basis for processing, that consent must be freely given, specific, informed and unambiguous, and must be as easy to withdraw as it was to give; explicit consent is required for special categories of personal data such as health or biometric data. Individuals will also have the right to request a copy of their personal data (subject access), to have inaccurate or out-of-date personal data corrected, to move their personal data to another organisation (data portability), and to require their personal data to be deleted in certain circumstances (the “right to be forgotten”).
GDPR also widens the definition of personal data: it covers any information relating to an identified or identifiable natural person, including online identifiers such as IP addresses and cookie identifiers, location data, and any factor specific to that person’s physical, physiological, genetic, mental, economic, cultural or social identity.
Earlier in 2017, UKCloud Health conducted a survey which identified that 72% of UK adults are concerned about the protection of their personal data and 82% believe that their permission should be obtained before organisations are permitted to store their data outside of the UK.
Demonstrating GDPR Compliance
Any organisation which processes personal data will be required to comply with GDPR’s many requirements. At the heart of their preparations should be “Privacy by Design”: building data protection into systems and processes from the outset, carrying out a Data Protection Impact Assessment (DPIA) for any processing likely to present a high risk to individuals, and implementing appropriate organisational, personnel and technical controls so that personal data is securely managed, processed and stored. Organisations must also document the lawful basis for each processing activity, for example a legal obligation, the organisation’s legitimate interests, or the data subject’s consent. GDPR further requires data minimisation (collecting only the personal data needed for the stated purpose) and storage limitation (keeping it for no longer than is necessary for that purpose).
Supporting the DPIA, organisations will be looking to implement an effective GDPR training and awareness programme for their personnel, to make appropriate updates to existing contracts (in particular the written terms GDPR requires between a data controller and any processor acting on its behalf), and to validate GDPR-readiness within their supply chain. They will also need to implement processes which can deliver the expanded data subject rights that GDPR introduces, generally within one month of a request. Some organisations, including public authorities and those whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of personal data, will also be required to appoint a Data Protection Officer to provide comprehensive and effective guidance on GDPR matters.
GDPR places a strict timescale on breach reporting: a personal data breach must be notified to the national supervisory authority (the ICO in the UK) within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and affected individuals must be told without undue delay where the risk to them is high. The 72-hour clock starts at detection, not at confirmation of every detail, so all organisations will need effective monitoring, an internal escalation route that gets security incidents in front of the right people quickly, and a documented record of every breach, including those judged not to need notification.
GDPR and Cloud Services
With the increasing use of cloud services, organisations should take special care to understand the precise nature of their use of such services. Whether that includes the provision of cloud-hosted services by an organisation to citizens (for example a local authority or healthcare trust), or the occasional use of cloud utilities such as Dropbox or Google Drive by personnel (so-called shadow IT, often unknown to the organisation), a careful assessment of the supplier is essential, since the organisation remains the data controller and stays accountable for personal data it hands to a processor.
Care should be taken to identify where cloud services are being delivered from, which may not be immediately obvious: the location of the data centres, the jurisdiction of the provider and its parent company, and where the support and operations staff who can access the data are based. Many global cloud service providers are not headquartered within the European Union regardless of whether or not they have data centres in the EU.
Special attention needs to be paid to the data protection framework that applies to the provider, its ability to comply with the requirements of GDPR (including the processor obligations it must accept in writing), and, where personal data leaves the EU, the transfer mechanism relied upon, such as an adequacy decision, standard contractual clauses or the data subject’s explicit consent. Working with UK-sovereign cloud services, where data stays within UK data centres under UK jurisdiction, removes the international transfer question, although the supplier still needs to be assessed as a processor.
The Cost of Getting It Wrong
Perhaps the most significant change accompanying the introduction of GDPR is the considerable increase in financial penalties for those who do not comply, whether evidenced by personal data security breaches or otherwise. Whilst the maximum fine under the current UK Data Protection Act is £500,000, GDPR has maximum penalties of €20m or 4% of annual global turnover, whichever is higher. Even for less serious contraventions, such as failing to keep adequate records or to notify a breach, the maximum penalty is €10m or 2% of annual global turnover, whichever is higher.
Time to Prepare
With an ever-reducing amount of preparation time ahead of 25 May 2018, the time is now for every organisation to understand what is required, assign implementation responsibilities to competent personnel, and closely manage the project to ensure completion in good time. This approach will help to protect the organisation from the financial consequences, negative publicity and threat to business survival that falling foul of GDPR penalties can bring. Conversely, preparing early and demonstrating that an organisation can be trusted to securely manage personal data is an extremely positive message that will help to differentiate offerings and attract new customers.
Help and advice on GDPR is widely available, including from the Information Commissioner’s Office website. Within the context of cloud services, more detailed information is available within our whitepaper.