General Data Protection Regulation (GDPR)
Listen up business analysts’ things are about to change in the data protection world. You may have heard chatter around GDPR, but as the deadline get closer- how much do you really know about it and the impact it will have on your organisation? Don’t worry help is at hand, we have created a quick article about GDPR and the impact it will have on you and your organisation.
So, what is GDPR?
General Data Protection Regulation will come into force on 25th May 2018- less than three months’ time! GDPR is going to replace the outdated and archaic UK Data Protection Act 1998. GDPR has been ‘designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisation across the region approach data privacy’ (EU website).
GDPR will apply to all organisations that offer their services within Europe, the services can range from commercial to charity. One of the great things about GDPR is that because it is part of EU regulations, all companies that offer any services to EU residents will be subject to the same rules. So, in a way it should it make easier for companies, as they will no longer need to understand each country’s data protection laws.
Another thing to be mindful of is that services providers, who processes any data on behalf of an organisation will also need to comply with GDPR. For example, if your company uses a cloud supplier to manage their timesheet for their employees – then both the company and the cloud supplier will need to comply with GDPR.
GDPR is designed with two purposes in mind:
EU wants to empower their residents in regards to how their personal data is being used.
EU also want to give organisation simpler and clearer guidelines to follow.
So, what is personal data?
Under GDPR, personal data can either be obtained directly or indirectly from an individual and can be in any format.
Personal data that falls under GDPR:
Name – both forename and surname
Online behaviour i.e. cookies
Trade union membership
Profiling and analytical data
If you think about the different products that you work with day in and day out, how many of those contain personal data. For example, if you are recruiting for a new business analyst in your organisation, you will have to deal with CVs that will contain personal data.
Companies must process personal data according to the six data protection principles:
Processed lawfully, fairly and transparently.
Collected only for specific legitimate purposes.
Adequate, relevant and limited to what is necessary.
Must be accurate and kept up to date.
Stored only as long as is necessary.
Ensure appropriate security, integrity and confidentiality.
One, more thing
Person’s right to what happens their data is also expanding under GDPR. The two key things to note here are:
People can ask organisation for access to their data at “reasonable intervals” (it is not clear, what this is). The regulation states that if an individual makes this request then the controllers and processors (we will talk about their role in more detail, below) will have to respond to the request within a month.
Under GDPR individuals have the right to access any information a company holds on them, and the right to know how that data is being processed, where and how long it is stored for.
People also have the right to demand that their data is deleted, if it is no longer needed for the purpose it was collected. For example, if you have joined a social media organisation but then decide that you want to withdraw your consent for the data to be collected. Then you demand that the organisation deletes all of your data.
What’s else is changing
The regulations states that organisations must be able to demonstrate compliance with the data protection principles. This will require an organisation to take a risk-based approach regarding data protection, while also ensuring appropriate policies and processes are in place to deal with people data. There is also a requirement for organisations to build a culture of data privacy and security.
The way you get consent from an individual is also changing. When companies obtain consent from individuals, they need to make it an active and affirmative decision that spells out clearly what and how the data will be used. Under the current regulations companies can get away with pre-ticked boxes or opt-outs- this is not going to be possible under GDPR.
There are two keys roles that companies need to fill under GDPR:
This individual will state how personal data is processed and the purposes for which it is processed. They are also responsible for making sure that third party suppliers/contractors comply to the GDPR regulations.
It is this individual responsibility to keep a record of how consent was obtained from a person.
Individual or group of people that maintain and process personal data records- this can be outsourced to a third party supplier.
What happens if you breach the guidelines?
If your organisation does not follow the regulations then there are two types of penalties that they can face:
If there has been a data breach then under GDPR an organisation has 72 hours’ window to inform the data protection authority of this. Those who fail to meet the 72-hour deadline can face penalty of up to 2% of their annual worldwide revenue, or €10 million, whichever is higher.
This will mean that an organization needs to have clearly defined plan to how and whom will report data breach.
If the organization does not follow the data principles of GDPR, then they could face penalty of up to €20 million or 4% of your global annual turnover, whichever is greater.
Both of these penalties are far greater, than anything under the current Data Protection Act.
What about Brexit?
You will be aware that UK is leaving EU, at the current moment UK has until March 2019 (or, maybe even longer) to exit EU – this will mean that UK will have to comply with GDPR. In 2017, the UK government put forward a new Data Protection Bill, which essentially replicates the requirements of GDPR into UK Legislation.
What do I need to do?
It your responsibility to make sure that you understand what the impact of GDPR are going to be for the data that you work with. There is no doubt that this is going to shake things up in the data protection world for both organisations and individuals. We will publish another blog that will tell you what steps as a business analyst you need to make sure that you and your organisation do not breach GDPR regulations.