By Stephanie Perry
After the UK voted to leave the EU in the referendum vote last year, many people questioned whether the UK needed to worry about the potential impact of the General Data Protection Regulation (GDPR). However, regardless of how far the Brexit negotiations have progressed, the government has confirmed that the decision will not affect the new regulations and that it will still be passed into UK and European law on 25th May 2018.
GDPR is a big leap forward in data protection law for both individuals (data subjects) and organisations who store, process or transmit data (data controllers and processors). Although it has taken some years to negotiate, this new piece of legislation will finally start to bring the legal and regulatory environment into alignment with how we conduct business in the digital age.
Acting as a one-stop-shop for businesses who operate in the multiple EU member states, the primary aim of GDPR is to give control of personal data back to European citizens and to simplify the regulatory environment for international businesses. The new legislation will place controls on how domestic and foreign organisations process the data of EU residents.
Currently organisations have to comply with multiple regulations depending on the countries and industries they operate within. This changes means that data controllers and data processors will now be answerable to the supervisory authority within the member state where they are primarily located. GDPR’s aim is to harmonise data protection laws across the EU and will be directly effective in each member state.
Although there will now only be one set of criteria for an organisation to adhere to, there will be increased regulation, obligations and high potential penalties for breaches in the law. This will affect businesses in numerous ways.
At the most basic level, if an organisation is currently subject to the Data Protection Act then they will be subject to GDPR. However, more specifically, GDPR will apply increasingly stringent control over ‘data controllers’ and ‘data processors’.
If you are a data controller, you will be required to comply with the requirements and will now also be obligated to ensure that your contracts with data processors also comply with the regulation.
If you are a data processor, you will now have to comply with a set of direct obligations and liabilities. For example, you will be required to maintain records of personal data and processing activities and you will have significantly more legal liability if you are responsible for a data breach.
GDPR has also expanded its territorial scope and will apply to processing carried out by organisations operating outside of the EU who offer goods and service to EU residents.
Summary of Key Changes
A full and detailed overview of GDPR and its impact for organisation can be found on the ICO’s website. However, we have highlighted some of the key points below that organisations may want to start to consider.
Lawful Processing and Consent
Under GDPR, data can only be processed lawfully where the individual in question (the data subject) has given their informed consent. Where this information is sensitive personal data, such as racial origins, religious belief or political affiliations, this consent must be ‘unambiguous’.
Controllers and processors must obtain the informed consent of the data subject for the use of the data, especially if the data is being moved outside of the EU.
GDPR also enshrines in law the ‘right to be forgotten’. This means that data processors must delete and erase data where it is no longer required for the purposes it was gathered for, and also where the data subject withdraws their consent. This could potentially be a significant undertaking for businesses as it will not only just apply to current data, but includes legacy data too. Companies will be required to identify relevant legacy data and classify where consent was originally given. Where it wasn’t, records will need to be deleted.
For lawful processing, organisations must establish and determine their legal basis for processing data and they must ensure that they document this. Consent, how and when it was given, must also be recorded.
Accountability and Governance
Organisations must build GDPR into their business practices in order to comply with the new accountability principle. There are a number of different ways in which an organisation can demonstrate that they comply including:
Under the new regulations, organisations have a duty to notify the supervisory authority of a data breach and possibly notify individuals in certain cases; this must be done without undue delay and in severe cases within 72 hours.
In September 2016, Sport Direct suffered a data breach that led to the personal details of 30,000 employees being released. According to the Register. ‘Sports Direct filed an incident report with the Information Commissioner’s Office after it became aware that its workforce’s information had been compromised, but as there was no evidence that the hacker had made further copies or shared the data, the company did not report the breach to its staff.’
Sports Direct staff have therefore been denied the opportunity to check their financial records or change passwords, giving potential rise to further attacks. Under GDPR Sports Direct would not achieve GDPR compliance; they would have been in line to receive a fine of up to 4% of global turnover totalling some £116 million.
Alongside the increased obligations and requirements listed above the Sports Direct case illustrates how GDPR will also increase an organisation’s liability and penalties for noncompliance. GDPR will introduce a maximum penalty of 4% of global turnover or up to 20 million Euros (whichever is higher) which will inevitably lead to significantly higher fines. For example, when Morrisons supermarket chain lost the payroll details of 100,000 staff members in 2014, if they had done so under GDPR their fine could have potentially been £680 million. Similarly, in the data breach that affected 40,000 Tesco account holders late last year, the company could have been fined £1.9 billion.
GDPR and Cyber Insurance
The changes in the data protection landscape and regulations are likely to have a knock-on effect on the cyber insurance market and the availability of insurance policies. It is likely that businesses will now seek increased insurance protection for data breaches under GDPR.
GDPR has introduced a provision for voluntary codes. These are industry agreed ‘best practice’ standards which business can adhere to in order to demonstrate willingness to comply with the GDPR requirements. It is quite likely that we will see insurers considering that adherence to these codes could warrant discounts on premiums to encourage participation.
The additional requirement for organisations to report data breaches could feasibly increase awareness in organisations for the need for cyber security and the impact of breaches. This will also mean that insurance companies will demand better and more vigorous risk management strategies to reduce the likelihood of breaches. Companies could also see increased premium where these measures are not in place. An example of a risk management strategy might be adherence to the aforementioned voluntary codes of practice or compliance with a Government backed cyber security standard like Cyber Essentials.
The lack of existing actuarial data is often given as a contributing factor to the slower-than-expected development of the cyber insurance industry in the UK. This is expected to change as the increased transparency around breaches will lead to a larger pool of data for insurance companies to measure risk and the potential for breaches within organisations of certain sizes, industries and technological make-up. This should result in a greater variety of insurance products on the market and create better value policies for organisation which are identified as low risk.
Sign up to our fortnightly SME Digest - http://marketing.pgitl.com/sme-digest
Call us now to discuss your requirements with one of our consultants.
Want to stay updated on the latest cyber-security news that can affect your organisation? Sign up now to our Cyber Insight Weekly delivered 1st day of every month.