The European Union’s General Data Protection Act (GDPR) is a new data protection regulation coming into force on 25 May 2018. It replaces the current Data Protection Directive 95/46/EC, while extending the remit to include the export of personal data outside the EU. It aims to give EU citizens and residents living there more control over their personal information. It also hopes to make regulatory compliance simpler for participating businesses.
The Broad Implications for Business
The GDPR puts another layer of accountability on businesses falling within its remit. It requires them to implement ‘comprehensive but proportionate governance measures’ including recording how they make decisions. The long-term goal is to reduce privacy infringements. In the short run, businesses without good governance may find themselves writing new policies and procedures.
Article 5 of the European Union’s General Data Protection Act lays down the following guidelines for managing personal data. Personal data shall be:
• Processed transparently, fairly, and lawfully
• Acquired for specific, legitimate purposes only
• Adequate, relevant and limited to essentials
• Not used for any other, incompatible purpose
• However, it may be archived in the public interest
• Kept up to date with all inaccuracies corrected
• Ring-fenced when the information becomes irrelevant
• Adequately protected against unauthorised access
• Stored in a way that prevents accidental loss
Furthermore, affected businesses shall appoint a “controller responsible for, and able to demonstrate, compliance with the principles.”
Implementing Accountability and Governance
The UK Information Commissioner’s Office has issued guidelines regarding provisions to assure governance and accountability. These are along the lines of the ‘don’t tell me, show me’ management approach the office has generally been following. In summary form, a business and its controller must:
• Implement measures that assist it to ensure demonstrated compliance
• Maintain suitable, relevant records of personal data processing activities
• Appoint a dedicated data protection officer if scale makes this appropriate
• Implement technologies that ensure data protection by design
• Conduct data protection assessments and respond to the results promptly
Implementing the General Data Protection Act in Ireland
The Irish Data Protection Commissioner has decided it is unnecessary to incorporate the GDPR into Irish law, since EU regulations have direct effect. The office of the Commissioner is working in tandem with data practitioners, and industry and professional bodies, to raise awareness in business through 2017. It has produced a document detailing what it considers the essentials for business compliance. Briefly, these prerequisites are:
• Ensure awareness among key personnel, and make sure they incorporate the GDPR into their planning
• Conduct an early assessment of quality management gaps, and budget for additional resources needed
• Do an audit of personal data held, to determine its origin, the necessity to hold it, and with whom it is shared
• Inform internal and external stakeholders of the current status, and your future plans to implement the GDPR
• Examine current procedures in the light of the new directive. Could you ‘survive’ a challenge from a data subject?
• Determine how you will process requests for access to the data in the future from within and outside your organization
• Assess how you currently obtain customer consent to store their data. Is this “freely given, specific, informed and unambiguous”?
• Find out how you handle information from underage people. Do you have systems to verify ages and obtain guardian consent?
• Implement procedures to detect, investigate, and report data breaches to the Data Protection Commissioner within 72 hours
• Implement a culture of always assessing the effect on individual privacy before starting new initiatives
So Is the GDPR Good or Bad for Business?
The GDPR should be good news for business customers. Their personal data will be more secure, and they should see their rate of spam marketing come down. The GDPR is also good news for businesses currently investing resources to protect their clients’ interests. It could, however, be bad news for businesses that have not been focusing on these matters. They may have a high mountain to climb to come into line with the GDPR.
Disclaimer: This article is for information only and not intended as a comprehensive guide.