EU data protection law is changing. The General Data Protection Regulation (GDPR) comes into force in the UK on 25 May 2018, replacing the Data Protection Act 1998. The regulation has been law since 2016 but it's only now, as the enforcement deadline approaches, that a lot of us are waking up to the fact that we need to do something.
GDPR will compel organisations to secure very clear and unambiguous consent for using people’s personal data, and will introduce very tough fines for failing to protect that data. The previous post in this series introduced some of the basics of the GDPR. This post is going to explore the regulation in a little more detail and ask how it affects businesses.
The spirit of the GDPR is about protecting the personal data of the individual (known in GDPR language as the “Data Subject”). This will be achieved by a combination of granting various rights to the individual and applying constraints on the people or organisations who hold the data (known in GDPR language as “data controllers”) and on the people or organisations who process the data on behalf of the data controllers (known in GDPR language as “data processors”).
The fact that data processors are now in scope within the regulation is new and very important. Previously, the legislation placed sole responsibility on the data controllers rather than the processors. Any constraints on the processors were just those put in place by means of a contract between themselves and the data controller. This means that a lot more organisations are now affected by the new regulations than ever were before.
Data Controller or Data Processor… where do I fit?
Your answers to the two questions below will give you a big clue as to where your organisation fits into the GDPR model. It may well be that you fall into both categories:
1. Do you keep data about anyone living within the EU?
2. Do you provide a service similar to the following:
a. A service provider undertaking outsourced customer services.
b. A cloud provider storing or gathering personal data.
c. A third party service provider who has access to personal data being held by a customer.
d. A third party providing data processing services to a customer such as data cleansing, analysis, report writing or email marketing.
- If the answer to question 1 is “yes”, then you need to comply with the regulations regarding the data controller.
- If the answer to question 2 is “yes”, then you need to comply with the regulations regarding the data processor.
Imagine a scenario where a small business owner (Sarah) has a CRM database of her customers, leads and prospects. Sarah owns the database, so she is the data controller. Sarah then employs an agency (XYZ Marketing) to cleanse, sort and send out some mailings to her database. XYZ is acting as the data processor.
In another example, a larger organisation named ABC Corporate decides it wants to collect some data for a new project. The organisation determines what type of client it wants to collect data on and what it wants to do with the data. The organisation then engages a third party consultancy (3P Ltd) to determine how to collect and store the data and to put security in place. 3P Ltd is the data processor in this example because they are “processing” the data on behalf of ABC Corporate.
In a nutshell, the data processor has the freedom to carry out activities with the data using its own technical knowledge and independently of the data controller.
Other examples might be:
- An online retailer who is using a 3rd party payment provider.
- An employer using an external accountant or payroll company to process the pay of its workers.
- A Microsoft Dynamics 365 customer using a 3rd party solution such as ClickDimensions for sending out email marketing.
Responsibility of the data processor
It is the responsibility of the data controller to prove due diligence in the selection of a data processor and to ensure that a suitable contract is in place outlining the duration, nature and purpose of the processing. If you approach a data processor who isn’t aware of GDPR, you should be hearing very loud alarm bells ringing. In turn, the data processor must demonstrate that it complies with GDPR in all aspects. The data processor must inform the data controller of any sub-contracting that will take place, in advance of the service, as the data controller has the right to object.
Data Protection Officer
You may need to designate a data protection officer (DPO) within your organisation. This person has designated responsibility for data protection within the organisation. Not every organisation needs to appoint a DPO.
The three types of organisation that need a DPO are:
- Government services such as council authorities. It is also advised that private companies offering similar functions nominate a DPO (e.g. housing associations or utility suppliers).
- Businesses where large scale data processing is at the core of the business, such as banks, web analytics companies and hospitals.
- Businesses that handle a lot of sensitive data.
Data Breach Notification
Under GDPR, in the event of a data breach the controller has 72 hours (depending on severity) in which to inform the regulator (in the UK this is the ICO) and, if the breach is substantial, also the data subject(s). If the breach is discovered by the data processor, they must inform the data controller without undue delay, which then triggers the start of the 72-hour period for the data controller. Penalties for failing to comply with this are set to be very tough, not to mention the bad publicity that could lead to a severely damaged reputation. Some larger companies are taking it very seriously. Recently, UK based pub chain JD Wetherspoon deleted its entire email database after deciding that holding all that personal data was too big a risk to carry.
What constitutes a Data Breach?
A data breach in GDPR is defined as “…the theft of data or any breach that leads to unauthorised destruction, loss, alteration, disclosure of or access to personal data.” So when it comes to a data breach, don’t just think of malicious hacking or theft. A data breach is also about inappropriate access to data. Imagine a scenario where a 3rd party contractor accesses a patient’s medical records within a doctor’s office. Data breaches will only need to be reported to the supervisory authority when they are likely to pose a risk to the rights and freedoms of natural living persons.
GDPR and Data Collection
In terms of data collection, GDPR flies in the face of current data collection trends. In recent years, the tendency has been to capture as much data as possible so that it can be used to effectively target individuals and/or provide a very personal level of service. Under GDPR, only the data that is necessary to fulfil a specific purpose can be collected, and even then only with full permission.
Companies are going to have to examine all of their processes that involve personal data and ask the who, what, where, when and why questions to ensure they comply. In some cases this will need to be documented in a data protection impact assessment (DPIA). In all cases, it is advisable to document the findings and decisions of these investigations as a way to demonstrate an attempt to comply with GDPR.
In the final two posts of this short series (Parts 3 and 4), we will look at how you can start to prepare your organisation for GDPR and how to implement appropriate security measures using the out-of-the-box features of Microsoft Dynamics 365.
More information on GDPR can be found on the Information Commissioner's Office website.