What is GDPR?
The GDPR is designed to protect the personal data of individuals in the EU (regardless of their nationality), and to do so it regulates how such data is collected, stored, processed, and destroyed. The definition of “personal data” is extremely broad: it includes names, addresses, and bank details, but also data related to religion, race, and mental or physical characteristics, and even IP addresses, web cookies, contact details, and mobile device IDs, wherever they can be used, directly or indirectly, to identify an individual.
Data Controller vs Data Processor. Data Processing Agreement requirements.
Controllers are the main decision-makers – they exercise overall control over the purposes and means of the processing of personal data.
Processors act on behalf of, and only on the instructions of, the relevant controller.
It is common to see that:
- companies that communicate directly with individuals are controllers;
- companies that provide Software as a Service (SaaS) are processors;
- companies that provide cloud infrastructure (IaaS, for example Microsoft Azure, Google Cloud, Amazon Web Services, IBM Cloud) are sub-processors, i.e. processors engaged by another processor, when the SaaS provider runs on their platform.
It is crucial to know your data flows end-to-end and to understand which geographic regions your cloud infrastructure runs in, since a region outside the EU (or the UK) turns ordinary processing into an international transfer. Article 28(3) of the GDPR requires the processing agreement between controller and processor to bind the processor to its own obligations (acting only on documented instructions, confidentiality, appropriate security measures, authorisation before engaging sub-processors, assisting the controller with data subject requests and breaches, deleting or returning the data at the end of the service, and making information available for audits) and to cover the following elements:
- the subject matter of the processing;
- the duration of the processing;
- the nature and purpose of the processing;
- the type of personal data involved;
- the categories of data subject;
- the controller’s obligations and rights.
More GDPR terminology is explained on the ICO website at https://ico.org.uk/for-organisations/data-protection-advice-for-small-organisations/key-data-protection-terms-you-need-to-know/
UK GDPR and the Data Protection Act 2018
During the Brexit transition period the EU GDPR continues to apply in the UK. At the end of that period (31 December 2020) the GDPR is retained in domestic law as the ‘UK GDPR’, which sits alongside the Data Protection Act 2018. The UK then has the independence to keep the framework under review, but in practice there is little change to the core data protection principles, rights and obligations found in the GDPR.
Non-compliance fines. Major cases to know.
There can be significant fines and penalties for organisations that breach the GDPR, depending on the nature of the incident. Breaches of the more administrative obligations (for example record-keeping, processor contracts, security measures, breach notification or DPIAs) can attract fines of up to €10m or 2% of the company’s worldwide annual turnover, whichever is higher; breaches of the core principles, lawful basis, data subject rights or international transfer rules can attract fines of up to €20m or 4%. Under the UK GDPR the equivalent caps are £8.7m and £17.5m.
Several companies have already been fined millions of pounds or euros. The CMS.Law GDPR Enforcement Tracker gives an overview of the fines and penalties that data protection authorities within the EU have imposed under the GDPR: https://www.enforcementtracker.com
Prioritised Approach to GDPR compliance. Easy steps to follow.
- Understand your personal data flows end-to-end including data collection, processing, usage, storage and disposal.
- Identify the lawful basis for each personal data processing activity. Review how you record and manage consent, and whether you need to make any changes to your privacy notices.
- Document the personal data elements that you hold. List your processors and sub-processors. Carry out Data Protection Impact Assessments (DPIAs) for processing that is likely to result in a high risk to individuals. You may need to engage an independent auditor to do this.
- Review your current privacy notices and make any necessary changes.
- Update your corporate policies and make sure you have formalised processes that let individuals (including your clients) exercise their rights under the GDPR, such as access, rectification and erasure, within the statutory one-month deadline.
- Run a training and testing programme to make sure that key personnel are aware of the GDPR requirements and the associated internal policies.
- Make sure you have procedures in place to detect, report, and investigate a personal data breach, including notifying the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals.
- Consider whether you are required to formally designate a Data Protection Officer.
- If you are a multinational business, make sure coordination and communication between your entities is efficient. Pay special attention to cross-border data transfers: only move personal data outside the EU (or the UK) where it is strictly necessary, and then only with an appropriate safeguard in place, such as an adequacy decision or standard contractual clauses.
How we may help
As a management consulting company we can help you achieve GDPR compliance and implement best practices in personal data protection through:
- mapping data flows
- understanding personal data elements you manage
- identifying your processors and sub-processors
- creating internal policies and procedures
- reviewing your data processing agreements
- developing Data Protection Impact Assessments (DPIA)
- conducting awareness and knowledge testing programmes
- building efficient organisational structures (roles and responsibilities)
- consulting on the DPO role, DPO-as-a-Service offers and registration with the ICO