New Data Laws in Europe


#DataPulse 77

It has been over four years in the making but the EU Parliament and Council have finally approved the General Data Protection Regulation (GDPR) after the EU Council of Ministers approved the final text last week.

The compromise agreement reached just before Christmas has remained intact, having been agreed by both the EU Council of Ministers and Parliament. Today’s decision means that the GDPR text will not be amended further and is now in its final state.

A two-year implementation process will begin once the Official Journal of the EU publishes the regulation – the final step to complete before the regulation becomes EU law, though whether that is published before the 23rd June EU Referendum in the UK we’ll wait and see.

The real work for European organisations will now begin. The task of picking over the legislation and interpreting what its real impact will be is now underway.

The ICO, which has been heavily involved in the consultation and has done a great job over the last 3 years, will publish its guidance.

10 things you need to know before the ICO guidance arrives:

  1. It’s a regulation, not a directive, so it passes straight into law in all 26 EU countries
  2. Data processors will be responsible for data protection
  3. The regulation has global ramifications (the 23rd June vote will not impact the UK)
  4. Users will be able to make compensation claims
  5. There are tighter rules on transferring data on EU citizens outside the EU
  6. Harmonised user request rights
  7. New rights to be forgotten
  8. It’s the data controller’s responsibility to inform users of their rights
  9. Tougher sanctions: €100m or 5% of global turnover
  10. Encryption and tokenisation can come to your rescue

The principles of the new Directive are good for customers and good for all of us 450m EU citizens: my data is my data, and organisations need to treat it thus.

  • Transparency of use to individuals
  • Data use for specified EXPLICIT and LEGITIMATE purposes only
  • Proportionality

Overall this is good for customers and good for responsible organisations. With 2 years before the directive becomes law, there is time to prepare ourselves and to use this as an opportunity to build consumers’ TRUST in an organisation.


Look out for future blogs explaining the detail and how to prepare using the ICO guidance.

12 Steps to Data Heaven


The new General Data Protection Regulation will become law in June 2016, and organisations have only 2 years to implement the changes needed to be legal and compliant.

Here are 12 steps to take now, endorsed by Christopher Graham and the Information Commissioner’s Office (ICO).

1. Build Awareness

You need to ensure that the CEO, Board members and key stakeholders are aware that the law is changing to the GDPR, and appreciate the impact it’s likely to have. Many organisations I have been talking to aren’t aware at Board level of what is coming.

2. Document Information you Hold

You should document what personal data you hold, where it came from and who you share it with; you will probably need to organise an information audit.

3. Communicating privacy information

Review all current privacy notices and put a plan in place to make the changes now, so that data collected over the next 2 years is valid once the regulation is implemented.

4. Individuals’ Rights

You should check your procedures to ensure that they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

5. Subject Access Requests

You will not be able to charge for these, so they will increase in volume. Plan how you will handle requests within the new timetables (a month) and provide any additional information. Thought-leading organisations may automate SARs to allow any customer to see all the data held on them.

6. Legal Basis for processing Personal Data

Look at the various types of data processing that your organisation carries out, be clear on the legal basis for carrying it out, and document it.

7. Consent

Review how you are seeking, obtaining and recording consent, and agree how you need to implement any changes.

8. Children

You should be looking at putting in place systems and processes to verify individuals’ ages and to gather parental or guardian consent for data processing activity.

9. Data Breaches

Any breach, no matter how small or sensitive, needs to be reported. Review the procedures you have in place to detect, report and investigate a personal data breach.

10. Data Protection by Design and Data Protection Impact Assessments

Familiarise yourself and your organisation with the guidance from the ICO on privacy.

11. Data Protection Officers

Designate or recruit a Data Protection Officer to be responsible for data protection compliance, and assess where the role will sit.

12. International

If your organisation is international, be clear which home supervisory body you come under.