By Tony Glass
With it being CyberSecMonth, it seems the perfect opportunity to talk about the new data protection regulations that, when they come into effect, will significantly change the way both businesses and public sector organisations manage their customer information.
First, in case you need a refresher, here’s a quick overview.
Back in April of 2016 both the European Parliament and the European Council adopted the General Data Protection Regulation (GDPR). Then to give everyone time to prepare for the considerable changes this new ruling would bring about, it was decided that enforcement would begin on 25 May 2018.
Is this the first of its kind?
No. This new ruling replaces the 1995 data protection directive, and if you are currently impacted by this directive, you will also be subject to the GDPR. In the UK, the Information Commissioner’s Office has been tasked with implementing the change. Elizabeth Denham, the UK Information Commissioner says the main focus of the GDPR is about giving people more control over their data, and that while “it may require an upfront investment in privacy fundamentals, but it offers a payoff down the line – not just in better legal compliance – but a competitive edge.”
After Brexit, the UK government has indicated it will likely implement equivalent or alternative legal mechanisms.
When the topic comes up in conversation, the focus is most often on the fines that companies found to be in breach of the GDPR will face. So far, any discussion of this highlights just how hefty these fines will be, which is why the regulation is extremely important to organisations – both private and public.
Here’s a brief synopsis, taken from the GDPR website, of the notable key differences. For the complete guide and explanation to the GDPR, I strongly encourage you to visit the website.
The regulation now extends to cover all companies processing the personal data of EU individuals, regardless of the company’s location. This includes the processing of personal data by a processor not established in the EU where the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) or to monitoring behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
If found in breach of the GDPR, companies face fines of up to 4% of annual global turnover or €20 million – whichever is greater. This is the maximum that can be imposed, and there is a tiered approach to fines. It is also important to note that the rules apply to both controllers and processors, so ‘clouds’ are not exempt from GDPR enforcement.
Consent forms must use clear and plain language
Companies will no longer be able to use long, illegible terms and conditions full of legalese: the request for consent must be given in an easily accessible form, with the purpose of the data processing attached to the consent form.
Right to Access
Individuals will now have the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose, and the controller shall provide a copy of this data, free of charge, in an electronic format.
Data Protection Officers (DPO)
There are quite a few rule changes here, and appointing a DPO will be mandatory in certain situations. In general, the idea is that there will be internal record-keeping requirements, and the DPO must be appointed on the basis of professional qualification and possess expert knowledge of data protection law and practices.
To help organisations prepare, the ICO has a number of resources, including a 12-step guide and a data protection self-assessment toolkit.
At Skillsoft, we’ve also been hard at work putting together course content that will assist you in understanding the GDPR and support your organisation’s compliance with the regulation. We hope to have something out soon, so stay tuned for updates.
Tony Glass is the General Manager and VP of Sales for Skillsoft EMEA.