Are you ready to be compliant with the new General Data Protection Regulation?
Compliance. It can be a dirty word in business. It is often associated with spending time and resources on getting through red tape instead of investing in the growth and development of the business itself. Compliance is a necessary evil. Business owners need to be constantly abreast of regulatory changes that may affect them.
If you are more of a glass-half-full sort of person, it isn’t hard to see the upside of having a compliant business. Apart from avoiding the obvious legal risks, complying with laws and regulations is, more often than not, a benefit to your clients. The new General Data Protection Regulation is no exception. The regulations are focussed on protecting client and employee data. The individual is the main concern of the regulations, and your clients will benefit from your compliance with them.
The implementation of these new laws is fast approaching. It is important to consider how these laws affect you and your business. This blog post will provide some background information into what the new laws are and what you need to keep in mind when determining whether your business needs to make any changes to ensure compliance.
Given the General Data Protection Regulation represents a significant upheaval of the existing privacy legislation, there are bound to be some teething pains associated with your business’ compliance with it. The aim of this blog post is to help you to ease those growing pains and provide some guidance as to whether your business may need a Data Protection Officer to comply with the new laws.
The General Data Protection Regulation is a new European Union law that came into effect in May 2018. The object of the Regulation is to give power back to individuals over their personal data. The law extends the scope of existing data protection laws to regulate foreign companies that process the data of European Union residents. The Regulation will apply to all European Union member states.
The law regulates the use and protection of personal data. Personal data is defined by the European Commission as “any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address”. As you can see, the definition is extremely broad. As a result of this broad definition, the GDPR will likely have an effect on a great number of businesses of varying sizes across Europe and the rest of the world.
One notable feature of the new regulations is the requirement for many organisations to have a designated data protection officer. This role is designed to facilitate compliance with the General Data Protection Regulation.
Why does it matter?
Well, it matters because the laws came into effect as of 25 May 2018. As the Regulation came into force before the UK leaves the European Union, British companies will have to comply with it. That doesn’t give you a great deal of time to ensure your business is compliant with the regulations. Making the necessary preparations now to ensure compliance is vital.
It may seem like a waste of time and money to be compliant now when the UK officially leaves the EU in 2019; however, this is not the case. Firstly, if your business trades with EU citizens, it will need to comply with the new laws regardless. Secondly, the British government has committed to incorporating the General Data Protection Regulation into UK domestic law, so your efforts to comply with the regulation now will not be wasted going forward.
Ultimately, compliance with the General Data Protection Regulation matters due to the potential penalties associated with the failure to do so. Penalties include warnings, data protection audits and hefty fines. For example, breaches of certain provisions can lead to a fine of up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year, whichever is greater. Compliance with the General Data Protection Regulation is no laughing matter and is something businesses need to remain conscious of. The fines are not really what should be scaring small business owners, though. We have this conversation in our 1-day workshops, where we ask our delegates to imagine having to tell their customers that they had lost their data. Just think about the damage that would do to your brand and reputation. Do you really think that they are likely to want to continue to do business with you after that? This alone should be reason enough for you to ensure your data is safe and secure and your staff are aware of and trained on the basics of both GDPR and cybersecurity.
As discussed above, a central feature of the new legislation is the requirement for certain bodies to appoint someone as a DPO. Whilst the position is not entirely new, under the General Data Protection Regulation it is a required role for certain organisations and companies. The role concerns the facilitation of compliance with the provisions of the General Data Protection Regulation. The DPO also acts as an intermediary between the organisation, the supervisory authorities and the individuals whose data is being processed. The DPO is not personally responsible for non-compliance, so management should always remain mindful of the compliance standards of the business.
Does my company require a DPO?
There are three situations in which an organisation will be required by law to appoint an officer. These are outlined in Article 37 of the General Data Protection Regulation. It is compulsory where:
- the processing is carried out by a public authority;
- the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.
Now, that may seem like a lot of jargon that is hard to make sense of. Thankfully, the European Commission has provided some guidance on what this provision means. “Core activities” refers to the key operations necessary to achieve the controller or processor’s goals. Put another way, core activities are the primary activities and do not include the processing of personal data as an ancillary activity. However, ancillary activities are not to be confused with activities that are still inextricably linked to the business. Take, for example, a private security company that carries out surveillance. As surveillance is inextricably linked to the collection of personal data and is a core activity of the security company, the company would need to designate an officer.
In contrast, necessary functions of all organisations such as paying employees or having standard IT support activities will usually be considered ancillary activity, rather than core activities. These alone do not give rise to the obligation to appoint an officer.
For the appointment of the officer to be mandatory, the processing of personal data must be carried out on a large scale. There is no numerical amount of data processed or individuals concerned that creates a clear boundary for what constitutes “large scale”. As the legislation is new, this may change over time. Some examples given by the European Commission of what large-scale processing is include:
- processing travel data of an individual’s use of a public transport system
- processing customer data by an insurance company or bank
- processing patient data by a hospital
- processing data, such as traffic or location data, by a telephone or internet service provider
- processing of personal data for behavioural advertising by search engines
The European Commission has also provided some commentary on what constitutes “regular and systematic monitoring” under the Regulation. At the very least, it includes all forms of tracking and profiling online. However, it is not limited to internet-based processing only. “Regular” means ongoing, recurring, repeated at fixed times, or constantly or periodically taking place. “Systematic” means organised or methodical, or occurring according to a system. Some examples of regular and systematic monitoring of individuals include:
- data-driven marketing activities
- profiling and scoring for the purpose of risk assessment
- monitoring fitness and health data via wearable devices
- location tracking by mobile applications
Whilst for some bodies the appointment of the officer is not required, the European Commission encourages the appointment to assist businesses with compliance. If your business decides to take up this option, the role will be governed by the General Data Protection Regulation as if the role were mandatory. This is something to bear in mind when considering whether to employ an optional officer. Alternatively, if you are not required to appoint an officer but are concerned with compliance, you may employ a worker or hire consultants to undertake tasks relating to the protection of personal data. If you do so, you must make it clear that this person is not acting in the role of officer.
Whatever assessment your business makes about whether you require an officer or not, it is prudent to document this assessment. Unless it is plainly obvious that you are not required to appoint an officer, the European Commission recommends that you document your analysis of whether you require an officer under the legislation. This is so that you can demonstrate that the relevant factors have been taken into account when making your decision, as accountability is fundamental to the GDPR.
Article 39 of the General Data Protection Regulation sets out the responsibilities of the officer. The following list is not exhaustive:
- Teaching and educating the business and its staff on the important compliance requirements under the General Data Protection Regulation
- Training all employees that are involved in processing data
- Monitoring performance of the organisation and employees and giving advice on the effect of data protection efforts
- Conducting regular audits to ensure compliance with the Regulation and address any potential problems in a proactive manner
- Serving as the contact point between the business and the General Data Protection Supervisory authorities
- Cooperating with the General Data Protection Supervisory authorities
- Having an awareness of the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing
What should I look for when hiring for the role?
Your officer needs to have expertise in data protection law and practices and an in-depth understanding of the General Data Protection Regulation. They will also need to have a thorough understanding of IT infrastructure and the structure of your business, both in an organisational and a technical sense. The required level of expertise must be proportionate to the complexity, amount and sensitivity of the data that your business processes. The role is fundamentally concerned with compliance, and your officer should understand and appreciate the significance of this. It is important that you provide them with adequate resources and support to properly undertake their role, or you could be in breach of the General Data Protection Regulation.
Who you hire for the position is up to you: it can be someone who is internal, or you can recruit someone new. They can perform other tasks separate from their role, as long as this does not result in a conflict of interests. In practice, this means doing everything reasonable to ensure their other duties do not involve access to personal data and, in particular, any processing of personal data. If you do decide that you require an officer, you will want to begin the recruitment process sooner rather than later, as the best candidates for the position will likely be in high demand. Whilst this blog aims to arm you with foundational knowledge about the regulations, it is a guide only. Whether you require an officer is ultimately an assessment that you and your business will have to make.
As these laws are so new, the provisions themselves and commentary from the European Commission remain the starting points for gaining some clarity. As the law develops over time, it is possible that businesses will be able to develop a more precise understanding of how the Regulation affects them and how to most effectively ensure compliance.
If you would like more information about this topic or how we can assist your business with compliance, please do not hesitate to contact me directly via email on firstname.lastname@example.org