GDPR has been heavily in the news recently and there is still a lot of confusion about what it means and what the implications, both on the consumer and supplier side, actually are.
Simunix, as a company, are fully committed to understanding our obligations under the new legislation and we will ensure our affiliated products – ukphonebook.com, Orbis and t2a.co – are fully compliant. We are not burying our heads in the sand about GDPR. This has been at the forefront of our minds for the last 12 months.
Firstly, we think GDPR is a great thing.
The general consensus is that GDPR will put the data industry into a tailspin. Certainly, some businesses that are heavily reliant on consumer data may want to batten down the hatches and ride out the storm that is GDPR. We at Simunix don’t see it that way.
We believe GDPR will be beneficial to individuals, as they will now have more control over what data is held on them and the right to have it erased (see details below).
It is also beneficial for Simunix and our products, as we can be confident that the data we continue to supply is of high quality and fully compliant. There will never be any confusion or ambiguity over permissions, because our data is always sourced from compliant, opted-in data controllers, as it has been since we started out as the first online directory enquiries service in 1997.
I will be attending further courses on GDPR over the next few days and I will update my findings and share them with you in due course.
For now, here is an overview of what GDPR is.
What is GDPR?
For those unfamiliar with it or those coming to it fresh, the EU General Data Protection Regulation (GDPR) is the most important change in data protection legislation in the last 20 years.
The legislation was approved by the European Parliament on 14 April 2016 and applies from 25 May 2018. On that date, GDPR replaces the current Data Protection Directive 95/46/EC.
The main thrust of the new legislation is to standardise data protection law across all EU member states and to enforce a new approach to how organisations handle personal data.
GDPR key changes:
Ultimately, the aim of GDPR is to protect EU citizens from privacy and data breaches in an increasingly globalised world, where technological advances have allowed the sharing of data on an unprecedented scale. Although the key principles of data protection from the outgoing legislation still apply, the Regulation introduces a number of changes to the regulatory regime. In brief, these are:
Increased Territorial Scope (extra-territorial applicability)
The biggest change the new legislation introduces is the extended jurisdiction of the GDPR: it applies to any organisation that processes the personal data of individuals in the EU in connection with offering them goods or services, or monitoring their behaviour, regardless of where the organisation itself is located.
Penalties
Under the new legislation, organisations in breach of GDPR can be fined up to 4% of their annual global turnover or €20 million (whichever is greater). This is the maximum penalty, reserved for infringements of the core provisions such as the data protection principles, the conditions for consent and the rights of data subjects. A lower tier of penalties (up to 2% of annual global turnover or €10 million) applies to lesser infringements, but these are still severe.
Consent
The granting and withdrawal of consent is strengthened for EU subjects. A request for consent must be presented clearly and in plain language, not camouflaged in legal jargon buried within a data controller’s terms and conditions, and it must be clearly distinguishable from other matters so that the subject can see exactly what data and what purposes they are consenting to. A subject must also be able to withdraw consent from a data controller at any time, and withdrawing consent must be as easy as giving it.
Breach Notification
Under GDPR, an organisation that suffers a personal data breach must notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to the individuals affected, the organisation must also inform those individuals without undue delay.
The rights of Data Subjects
Right to Access
As part of the expanded subject rights, an individual has the right to obtain confirmation of whether a data controller is processing their personal data and, if so, to receive a copy of that data together with the purposes of the processing, the recipients it has been or will be disclosed to, and the source from which it was obtained.
Right to be Forgotten (data Erasure)
This allows a data subject to request that their personal data be erased by the data controller: not quite as draconian as demonstrated in the Arnold Schwarzenegger film ‘Eraser’, but similar in principle. Where the controller has made the data public, it must also take reasonable steps to inform other controllers processing that data of the erasure request, which can potentially halt third parties from processing the data too. Personally, I’d like to seek clarification on this last point as I believe responsibility should lie solely with the data controller. It makes more sense for a record to be removed from the source.
Data Portability
GDPR introduces the right for a subject to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format. The subject then has the right to transmit that data to another controller if they so desire.
Privacy by Design
The concept of privacy by design has been around for some time, but GDPR makes data protection by design and by default a legal requirement. Data controllers must build data protection into their processing from the outset and, by default, process only the personal data that is necessary for each specific purpose. The starting assumption is that the data subject’s information stays private, rather than being made available to the controller and affiliated third parties unless the subject intervenes.
Data Protection Officers
Article 37 of the GDPR states that organisations in scope must appoint a data protection officer (DPO) in certain circumstances. Organisations that require a designated DPO are:
- Public authorities and bodies (other than courts acting in their judicial capacity).
- Organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, e.g. asset protection.
- Organisations whose core activities involve large-scale processing of special categories of personal data or of data relating to criminal convictions and offences.
The main tasks of the DPO are to:
- Inform and advise the organisation and its employees on their obligations under GDPR and on best practice.
- Monitor compliance, including assigning responsibilities, raising awareness and training staff.
- Cooperate with, and act as the point of contact for, the supervisory authority.
The DPO does not need to have a specific qualification to fulfil this role.
Note – I can envisage little need for even large organisations to have a dedicated DPO. More likely there will be several ‘GDPR champions’ dispersed across the organisation.
As mentioned above, I will be attending some seminars on GDPR in the near future and I will post more soon.