GDPR: What Has Changed?
GDPR came into force on the 25th of May, and replaced the Data Protection Act (1998) with the aim of bringing legislation into line with the ways in which data is currently being used, unforeseen at the time of writing the DPA. In this blog post, we will outline some of the key features and changes of the legislation update.
Defining "Personal Data"
In “legalese”, the DPA defines “personal data” as the following:
Data that relates to a living individual who can be identified either from that data, from that data and other information that is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
It's a bit convoluted, but it boils down to any data that relates to you or your beliefs.
Certain data is further categorised as “sensitive personal data”. This is defined as data that relates to the data subject’s racial or ethnic origin; their political or religious beliefs; their physical or mental health or condition; their sexual life; or their commission or alleged commission of any offence and the proceedings that followed.
However, due to the rapid advancement in computer technology since the DPA’s implementation in 1998, the type of data currently available to controllers and processors has substantially increased. As such, the definition of personal data has been expanded under the GDPR. In addition to the current types of information that are classed as personal data, such as names, dates of birth and home addresses, the definition now includes online identifiers such as IP addresses. The sub-category of sensitive personal data has also been expanded to include genetic and biometric data. Biometric data refers to fingerprints and to retinal and facial recognition information, commonly used as methods to unlock smartphones.
It is also important to note that where seemingly non-personal information, such as a unique reference code tied to an individual, makes it possible to identify that individual, that data would still be classed as personal data. This expanded definition means that companies that may not have breached the DPA may now be in violation of GDPR because of the way they handle data that has only recently been defined as “personal data”. It is therefore of the utmost importance for companies to be aware of exactly what subject data they hold, and how it is being processed.
Consent
Consent given by the individual to whom the personal data relates, the data subject, must now be specific and auditable. Consent must be actively given by the data subject with an affirmative action, in response to clearly worded information about how the personal data will be used. This means that pre-ticked consent boxes and opt-out methods are not compliant with the GDPR.
The new regulation also means that data controllers must keep an auditable record of how and when consent was given. Furthermore, the data subject must be able to withdraw their consent at any time, and has “the right to be forgotten” through the permanent deletion of their personal data.
Subject Access Requests
Data subjects have always been allowed to request information from the data controller about their personal data; this is called a subject access request (SAR). The subject is entitled to be told whether or not personal data is being processed, the type of personal data stored and the reasons for processing, as well as whether the data is being given to other organisations. Data subjects are also entitled to a copy of the information and to details of the data source. Under the DPA, data controllers may charge data subjects £10 for a SAR, or £50 for health records. However, under GDPR most access requests are now free of charge, which means that companies can expect to be inundated with SARs from individuals who were previously discouraged by the fee.
The time limit an organisation has to respond to access requests is also changing under GDPR. Data controllers used to be allowed 40 calendar days to respond to SARs under the DPA, but under the new regulation controllers are obligated to provide the information immediately, and in any case within one month of receiving the request. This may be extended to two months if the SAR is complex, although the data subject must be informed of this extension and the reasons behind it within the first month.
These changes mean that data controllers have been hit with a wave of SARs from people who were once discouraged by the fee. Controllers need to be aware of exactly what personal data they hold, where the data is stored, why the data is being processed, and who else has access to the data. Controllers must also be able to respond to requests quickly and efficiently, and have the ability to handle numerous requests at once.
Data Breach Notification
Whilst the DPA contained no such requirement, GDPR has brought in new disclosure requirements that an organisation must follow in the event of a data breach. Data controllers are obligated to report to the ICO, within 72 hours of the breach being identified where feasible, certain types of data breach in which data subjects’ personal information is put at risk. Where a breach may adversely affect the data subjects’ rights and freedoms, the data subjects must also be informed without delay. Furthermore, a record of all personal data breaches must be kept, regardless of whether it was necessary to contact the ICO or not.
Accountability
There is still much confusion within many organisations over who bears responsibility and accountability for an organisation’s compliance, or lack of it, with GDPR. In a study conducted by the Centre for Information Policy Leadership (CIPL), 32% of respondents believed the Chief Information Officer to be responsible, 21% thought it was the Chief Information Security Officer, 14% thought the Chief Executive Officer was accountable, and 10% thought it was the responsibility of the Chief Data Officer. In short, accountability does not lie with a single person, and everybody is responsible for compliance. Responsibility does not end with the senior staff: every department within an organisation must make sure that the GDPR is complied with in its particular field. For example, marketing teams must be able to guarantee that subjects have given true consent and actively opted into email campaigns. Pretty much everybody within an organisation shares some responsibility for GDPR compliance.
Data Protection Officers
Article 35 of the GDPR states that Data Protection Officers must be appointed for all public authorities. In addition, a Data Protection Officer is required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”.
Sanctions
A Gartner research study predicted that more than half of all companies would still not be compliant with GDPR by the end of 2018. If your company is in this category, there are several sanctions that may be applied. In the case of a first and non-intentional offence, a company will be given a written warning and may be subject to regular periodic audits. In cases of intentional non-compliance, companies may be subject to a fine of up to 4% of global turnover or €20,000,000, whichever amount is higher. This sanction is significantly more severe than the maximum financial penalty of £500,000 under the DPA. In serious cases, individuals may face prosecution and imprisonment for breaching the regulation.
Visit our GDPR Compliance Solutions page to discover how IntoZetta can help ensure your organisation's compliance with the new regulation.