The General Data Protection Regulations (GDPR) will soon be upon us from 25th May 2018. They will further enforce legal obligations on organisations and individuals who store personally identifiable data (PII) (Article4-1) when dealing with or within the EU, with hefty fines for non compliance and granting more rights to individuals to whom the PII belongs.
First of all, let’s understand who we are talking about:
Personally Identifiable Information -PII. Names, addresses, email addresses, IP Addresses, photos etc of persons resident in the EU. Article 4
Data Subject – DS. This is any EU resident who has PII being processed at an organisation or third party, either on a computer system or through paperwork. Articles 12-23
Supervisory Authority -SA: Oversees and ensures compliance of legislation in each EU member state. (Ico in UK) Articles 51-59
Data Protection Officer -DPO: Responsible to oversee that DC is compliant. Article 37
- Can request to know what PII is being used for, where it is held, how it is stored, for what reason and duration held.
- Can request an electronic copy of PII from the Data Controller, with a PII response or acknowledgment within a month to a maximum of three months.
- View contact details for a Data Controller.
- Grant consent for processing of PII to the Data Controller
- Revoke consent for processing and retention of PII from Data Controller or third party of the Data Controller.
- Request deletion of PII
- Request transfer of PII to another DC
- Request to supply updates or corrections to PII
- Complain to SA
Data Protection Officer
- Required for all public authorities or bodies. This can include local councils, government departments, health sector, schools, emergency services.
- Most likely mandatory for private companies that carry out public functions or deliver public services in the area of water, transport, energy, housing or whose core business revolves around PII.
- Required to have expertise in national and European data protection laws and practices and an in depth understanding of the GDPR.
- Contact point for the SA
- Report to board level of organisation.
- Cannot have conflict of interest within an organisation or be under undue pressure from organisation in carrying out duties.
- Understand and identify PII
- Only use the minimum of PII for specified, explicit and legitimate purposes without further processing in a manner that is incompatible with those purposes.
- Inform the DS of the intended purpose of processing PII and the legal basis for processing
- Use every reasonable step to ensure the data is accurate, or to rectify inaccurate PII without undue delay upon request from DS
- Locate and provide PII on demand to the DS in a human readable understandable form
- Seek out recorded consent for storing or processing PII from the DS.
- Delete PII upon the request of DS
- Transfer the PII to another DC at the request of the DS
- Request key information from to confirm the identity of the DS
- Optionally archive the PII, if in the public interest
- Inform the DS of the recipients of PII
- Inform the DS how PII is categorized
- Inform the DS where applicable, the fact that the controller intends to transfer PII to a third country or international organisation
- Inform the DS the right to lodge a complaint with a SA
- Inform the DS of further processing of PII for other purposes
- Make reasonable efforts to verify parental consent
- To maintain written records of processing activities, which must contain the information specified – if greater than 250 employees.
- If necessary, appoint an employee or third party DPO
- Not influence the DPO in his/her duties
- Provide due diligence of third parties processing PII.
- Provide identity and contact details of the DC or representative to the DS.
- Provide identity and contact details of the DPO.
- Breach notification:
- Inform DS if necessary that a breach has occurred, with 72 hours of discovery
- Track the steps taken in dealing with a breach incident
- Provide evidence that corrective action is taking place to move back to GDPR compliance
For further reading click here
So how does this work out in practice for an organisation?
Each organisation has until 25th May 2018 to implement both internal and external infrastructures and processes to move to GDPR compliance. As expected, external infrastructures and processes are expected to revolve around interaction with EU residents.
The big blue chip companies will most likely have an IT Department and teams of developers who can create the supporting infrastructure, or they have the revenue to bring in a third party or completely outsource.
What about local councils, schools, or small organisations that have little or no IT support? If they are wise then they should be planning now to outsource as much as possible. to companies that can provide components of this service. For further details see my next article part 2
Thanks for reading!!