What will be covered in this topic
- Explaining GDPR
- Who may need these changes made
- GDPR Definitions
- What you need to know about GDPR compliance
- GDPR Fines and other sanctions
- Importance of being GDPR compliant
- Data subject rights
- The role of having a data protection officer
Explaining GDPR
The GDPR was adopted in April 2016 and became enforceable in all EU member states from 25 May 2018. In August 2017 the UK announced that it would write the GDPR into domestic law (the Data Protection Act 2018) so that the same data protection rules would continue to apply after the UK left the EU.
The purpose of the GDPR is to give individuals in the EU better protection over their personal data, even when the organisation holding that data is outside the EU. Organisations that meet certain criteria (see the data protection officer section below) are required to appoint a DPO (data protection officer).
The fine for not being GDPR compliant is up to 20 million Euros or 4% of worldwide annual turnover, whichever is higher.
Who needs these changes made
Any organisation whose website runs a script or function that processes personal data, for example:
- Google Tag Manager
- Google Analytics
- Adwords Remarketing
- Facebook Marketing / Facebook Pixel
In plain English, this means that if you are using a Google or Facebook product to track the on-site actions of prospects in order to serve them personalised ads later, you must obtain their consent before doing so.
*Note that the regulation protects anyone who is in the EU, not only EU citizens: a visitor from another country is covered while travelling through Europe, and the organisation processing their data is accountable for it.
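As an added example (not part of the original page), the following shows one way to implement the consent requirement for tags like those listed above: a small consent manager that records the visitor's decision per purpose, with a timestamp so the decision can be evidenced later, and only loads a tracking tag once consent for its purpose has been granted. The purpose names, tag names, storage key, placeholder URLs and the injected loader callback are illustrative assumptions, not any vendor's API; in a real page the loader would inject the vendor's script tag and the storage would be the browser's localStorage.

```javascript
// Added example: consent-gated loading of third-party tracking tags.
// Tags such as Tag Manager, Analytics, Ads remarketing or a marketing pixel
// must not run until the visitor has consented to the purpose they serve.
// The purposes, storage format and tag list below are assumptions for
// illustration only.

const PURPOSES = ['analytics', 'marketing'];

class ConsentManager {
  // storage: object with getItem/setItem (window.localStorage in a browser;
  //          an in-memory stand-in is used here so the example runs in Node).
  // loadScript: function(src) that injects the vendor <script>; passed in so
  //          the core logic can be exercised without a DOM.
  constructor({ storage, loadScript, storageKey = 'consent.v1' }) {
    this.storage = storage;
    this.loadScript = loadScript;
    this.storageKey = storageKey;
    this.tags = [];          // registered tags: { name, purpose, src }
    this.loaded = new Set(); // names of tags already injected
    this.record = this.readRecord();
  }

  // Read a previously stored decision; anything malformed counts as "no record".
  readRecord() {
    const raw = this.storage.getItem(this.storageKey);
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && typeof rec.purposes === 'object' ? rec : null;
    } catch (e) {
      return null;
    }
  }

  // Consent is opt-in: no record, or an unknown purpose, means "not granted".
  hasConsent(purpose) {
    return Boolean(this.record && this.record.purposes[purpose] === true);
  }

  // Register a tag. If consent for its purpose already exists it loads now;
  // otherwise it stays queued until the visitor grants that purpose.
  registerTag(tag) {
    if (!PURPOSES.includes(tag.purpose)) throw new Error(`unknown purpose: ${tag.purpose}`);
    this.tags.push(tag);
    this.applyConsent();
  }

  // Record an explicit true/false for every purpose plus a timestamp (the
  // evidence of consent), then load any tag whose purpose was granted.
  // Revoking a purpose stops future loads; a script already running can only
  // be stopped by reloading the page.
  setConsent(decisions) {
    const purposes = {};
    for (const p of PURPOSES) purposes[p] = decisions[p] === true;
    this.record = { purposes, decidedAt: new Date().toISOString() };
    this.storage.setItem(this.storageKey, JSON.stringify(this.record));
    this.applyConsent();
  }

  // Load each consented tag exactly once.
  applyConsent() {
    for (const tag of this.tags) {
      if (this.loaded.has(tag.name) || !this.hasConsent(tag.purpose)) continue;
      this.loaded.add(tag.name);
      this.loadScript(tag.src);
    }
  }

  loadedTags() { return Array.from(this.loaded).sort(); }
}

// Minimal in-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// Browser loader: injects the vendor script (not exercised in Node).
function domLoader(src) {
  const s = document.createElement('script');
  s.async = true;
  s.src = src;
  document.head.appendChild(s);
}

// Demonstration with constructed tags and placeholder URLs.
function demo() {
  const injected = [];
  const cm = new ConsentManager({ storage: memoryStorage(), loadScript: (src) => injected.push(src) });
  cm.registerTag({ name: 'analytics', purpose: 'analytics', src: 'https://example.invalid/analytics.js' });
  cm.registerTag({ name: 'pixel', purpose: 'marketing', src: 'https://example.invalid/pixel.js' });
  const beforeConsent = cm.loadedTags();               // nothing runs by default
  cm.setConsent({ analytics: true });                   // marketing not granted
  const afterAnalytics = cm.loadedTags();              // only the analytics tag
  cm.setConsent({ analytics: true, marketing: true });  // pixel loads, analytics not reloaded
  const afterBoth = cm.loadedTags();
  return { beforeConsent, afterAnalytics, afterBoth, injected, record: cm.record };
}
```

The design choice worth noting is that the default is silence: with no stored decision nothing is injected, and each purpose must be set to `true` explicitly. Storing the decision with a timestamp is what lets you later show the supervisory authority when and for what a given visitor consented.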
Definitions used in the explanations below
- Natural person – A living human being.
- Personal data – Any information relating to a natural person (the data subject) that can be used to identify that person, directly or indirectly.
- Processing – Any operation performed on personal data, whether automated or manual, including collection, recording, storage, use and disclosure.
- Profiling – Automated processing of personal data intended to evaluate, analyse or predict aspects of a data subject's behaviour.
- Controller (data controller) – The entity that determines the purposes, conditions and means of the processing of personal data.
- Processor (data processor) – The entity or person that processes personal data on behalf of the data controller.
- Supervisory Authority – An independent public authority established by a member state in accordance with Article 51, such as the Information Commissioner's Office (ICO) in the UK. It is the body that will deal with the data protection officer (DPO) in your organisation about fines and becoming compliant.
What you need to know about GDPR compliance
- You cannot collect data for the sake of collecting data. All data collected must be used for a specified and explicit purpose, because data subjects must be told what their data will be used for.
- Data must be accurate and kept up to date.
- Data must be retained only for as long as it is needed for that purpose.
- Data must be processed lawfully, fairly and transparently (this ties in with the purpose principle above).
- Data must be processed securely and you must be able to demonstrate this. THIS IS A MUST: you must be able to show what data you are collecting, why you are collecting it, how long you will keep it, whether you share it with any third parties, which systems are used and the security controls around each of these.
- Data held must be adequate, relevant and limited to what is needed. You cannot collect every piece of information just because it might prove useful later.
- Organisations are accountable and can be heavily penalised. You must adhere to the regulation, including the 6 principles for compliance above.
- Businesses that meet the criteria set out in the data protection officer section below must appoint a DPO to make sure that every aspect of the business adheres to the 6 principles and the GDPR.
GDPR Fines and other sanctions
Determination of sanctions
- The nature, gravity and duration of the infringement, and whether the business infringed by mistake (negligently) or intentionally.
- The extent to which, and how quickly, the business or its data protection officer (DPO) notified the Supervisory Authority about a personal data breach, and how far it cooperated with the authority.
Level of Fines
Up to 10 million Euro, or 2% of the worldwide annual revenue of the prior financial year, whichever is higher, may be issued for infringement of the obligations of:
- Controllers and processors under Articles 8, 11, 25-39, 42 and 43
- Certification bodies under Articles 42 and 43
- Monitoring bodies under Article 41(4)
Up to 20 million Euro, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, may be issued for infringement of:
- The basic principles for processing, including the conditions for consent
- The data subjects' rights under Articles 12-22
- The rules on transfer of personal data to a recipient in a third country or an international organisation
- Any obligations pursuant to member state law
- Any order issued by a Supervisory Authority (non-compliance with the order itself)
The Importance of being GDPR compliant
- Big Fines.
- Legal Costs.
- Costs of putting things right.
- Loss of goodwill.
- Loss of customer trust.
Data subject rights
- Portability (the data is yours and you have the right to receive it in a machine-readable form and move it to another provider easily)
- Rectification (the right to have inaccurate or misleading data corrected)
- Erasure (the right to have data erased, also known as the right to be forgotten)
- Automated decision-making and profiling (the right not to be subject to a decision based solely on automated processing, including profiling; for example, profiling a demographic group to judge its members' ability to afford insurance)
- Access (data subject access requests; subjects must be able to obtain a copy of the data held about them)
- Restrict processing (subjects must be able to require that processing of their data is restricted)
- Object to processing (subjects can object to the processing of their data)
- To be informed (privacy information: what data is collected, why, how it is secured and with whom it is shared)
The data protection officer
Requirements, roles and responsibilities
Who is required to have a DPO
A DPO is required where:
- Processing is carried out by a public authority
- Core activities require regular and systematic monitoring of data subjects on a large scale
- Core activities involve large-scale processing of special categories of personal data, or of data relating to criminal convictions and offences
A DPO is not required where:
- The organisation's main activities seldom involve monitoring data subjects, with little impact on those data subjects' rights
- It does not process special category personal data
- It only processes the special category personal data of a small group of data subjects
Role and responsibilities
- To assist data controllers and processors to comply with data protection law and to avoid the risks that organisations face when processing personal data
- The DPO also acts as the person that data protection queries are directed to.
- Gives advice about data protection impact assessments
- Is the point of contact for the supervisory body
- Monitors GDPR compliance
- Informs and advises on data protection
Ultimately the Member States of the European Union, through their supervisory authorities, are responsible for applying the GDPR and ensuring the rights and freedoms of individuals.
The best way to make sure that you are GDPR compliant is to stick to the 6 principles above. It is, however, important to get a lawyer involved to make sure you are covering all the bases for your particular business.