For consumers, new data protection legislation offers increased privacy, but how will GDPR affect your business? The Information Commissioner’s Office explains
The General Data Protection Regulation (GDPR) builds on the previous Data Protection Act, but provides more protections for consumers and more privacy considerations for organisations. It brings a more 21st-century approach to the processing of personal data and it puts a responsibility on businesses to change their entire ethos on data protection.
The GDPR gives consumers more control over their data. Consumers and citizens have stronger rights to be informed about how organisations use their personal data. They’ll have the right to request that personal data be deleted or removed, if there’s no compelling reason for an organisation to carry on processing it. They’ll also have the brand-new right to data portability: to obtain and port their personal data for their own purposes across different services.
The GDPR will include new obligations for organisations. Businesses will have to report data breaches that pose a risk to individuals to the ICO, and in some cases to the individuals affected. They’ll have to ensure that specific protections are in place for transferring data to countries that haven’t been listed by the European Commission as providing adequate protection, like Japan and India. Consent will need to be freely given, specific, informed and unambiguous, and businesses will need to be able to prove they have it if they rely on it for processing data.
Increased power for regulators
For the most serious violations of the law, the ICO will have the power to fine companies up to €20m or 4% of a company’s total annual worldwide turnover for the preceding year. The GDPR gives regulators the power to enforce in the context of accountability too – data protection by design, failure to conduct a data protection impact assessment, DPOs and documentation. If a business can’t show that good data protection is a cornerstone of its practices, it is leaving itself open to a fine or other enforcement action that could damage its bank balance or business reputation.
Under the GDPR, you must appoint a data protection officer (DPO) if you:
- Are a public authority (except for courts acting in their judicial capacity);
- Carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
- Carry out large scale processing of special categories of data or data relating to criminal convictions and offences.
The DPO’s minimum tasks are defined in Article 39:
- To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).
The DPO should report to the highest management level of your organisation – i.e. board level. You can allocate the role to an existing employee, as long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests.
The ICO remains committed to helping organisations to improve their practices and prepare for the GDPR. We’ve recently published an update setting out what guidance organisations can expect. It’s essential reading, as it will help you plan what areas to address across the next 12 months.
The Article 29 Working Party and new guidelines
Consistency across the EU is one of the key drivers of the GDPR, and the Article 29 Working Party – the body that currently brings together data protection authorities across Europe – is leading the way in developing guidelines on some of the key aspects of the law. As the UK is a member of the Article 29 Working Party, we’re contributing to this process and taking a lead role on a number of priority guidelines aimed at organisations.
In December, the Article 29 Working Party published guidelines on the role of the Data Protection Officer, the new right of data portability, and how to identify an organisation’s main establishment and lead supervisory authority.
The central pillar to our guidance is the ‘Overview of the GDPR’. We are developing the Overview as a living document, adding content on different points as more guidance is produced by us and Article 29.
If you want to stay updated on new guidance, our e-newsletter is a good place to start. More information, help and advice are available on our website, or you can contact the ICO helpline on 0303 123 1113.