The new European Union’s General Data Protection Regulation (the “GDPR”) will require any company doing business in the European Union to provide enhanced security regarding the collection, storage and use of personal information relating to EU citizens. Jersey’s government is committed to meeting the 2018 deadline for implementing the same standards for Jersey citizens. This article sets out how to act in 2017 to prepare for this change in the way data is stored and processed.
Why this applies to you in Jersey now
Your business is based in Jersey. Why does the European standard matter? Firstly, this new standard applies if you do business with EU citizens in Europe even if you are based outside Europe. Secondly, Jersey is committed to implementation of international standards in the area of data protection and safeguarding confidential information by May 2018.
Isn’t this a long way away?
The scale of the changes means that companies now have significant compliance work to put in place in 2017. The question is, where should your business be by the middle and then the end of 2017? The Data Protection Commissioner for the Channel Islands has warned companies to start planning for the changes.
Consider the dramatic changes brought about by the GDPR and plan, or seek advice, ahead of its coming into force. There is a significant amount of work to be done by businesses that handle large amounts of data. Fines for non-compliance could be very substantial, as high as 4% of turnover. Reviewing the key ingredients on the menu and planning your shopping trips now would enable timely compliance with the new standards.
10 Key Facts about GDPR
The European Commission says that, “The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established.”
The GDPR includes new obligations and liabilities for those who process data (the “Data Processor”) or who control data (the “Data Controller”). These include:
- The conditions for consent have been tightened up when you are storing data belonging to another person. Your terms must be clear and in “plain English”, and the purpose for processing must be attached to the consent.
- Breaches must be notified to controllers, customers and the Office of the Data Protection Commissioner.
- There must be an appropriate level of security in place to safeguard against breaches.
- Data subjects have the right to access their data and to be told whether their data is being processed.
- You may have to appoint or hire a Data Protection Officer.
- Data subjects have a right to be forgotten, and to have third parties stop processing their data.
- A Data Controller and Data Processor must be able to demonstrate that data is processed in line with the rules including documentation of processing operations.
- Data Processors will need to be able to guarantee to Data Controllers that the rules are being followed.
- Impact Assessments will need to be carried out in many cases.
- There are increased potential liabilities for breaches up to 4% of turnover.
When GDPR comes into force many of the current agreements between controllers and processors will not be compliant with the GDPR and will need updating. This gives processors a foot in the door to renegotiate the terms and potentially re-allocate the risks imposed on them by the GDPR. SMEs are often not in a strong negotiating position when buying or selling processing activities with larger commercial enterprises and so care should be taken when such agreements are renegotiated.
To-do (or shopping) list for 2017
1. Be aware
CEOs, IT staff and compliance officers need to be aware of what GDPR requires. It would benefit your organization if key employees are educated on the GDPR’s importance and the role they have to play.
2. New inventories
Prepare inventories of all personal data held and ask key questions about whether you are still entitled to hold the data. Key questions include: Why are we holding it? How did we obtain it? Why was it gathered? How long will we keep it? How secure are our systems? Do we share data with third parties and on what basis?
3. Review contracts with staff and processors
Review the terms of all contracts with processors and staff to ensure that they are compliant with the new standard.
4. Review communications with staff and processors
Review all current data privacy notices alerting individuals to the collection and use of their data. Identify gaps between the collection of data and the processing that the organization does, and check whether communications with customers and staff have been upgraded to the new standards.
5. Review and protect privacy rights
Review operational procedures to ensure they cover all the new rights individuals have under GDPR, including how one would delete personal data or provide data electronically and how requests within the new tighter timescales will be handled.
6. Understand the legals
Companies should look at the various types of data processing they do, identify the legal basis for carrying it out and ensure proper documentation.
7. Ensure customer consent
If customer consent is obtained when recording personal data, review the terms under which the consent is sought, obtained and recorded.
8. Security for children’s data
Organizations processing data from minors must ensure clear systems are in place to verify individuals’ ages and to gather consent from guardians.
9. Plan how to report breaches
Businesses must ensure the right procedures are in place to detect, report and investigate a personal data breach. It is best to assume that a breach will happen at some point.
10. Understand Data Protection Impact Assessments
Impact Assessments are the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. They help organizations to identify potential privacy issues before they arise, and provide mitigation for them.
11. Appoint or hire a data protection officer
Someone in the organization must take responsibility for data protection compliance and understand what this involves.
12. Work out who your lead authority is
The regulation includes a provision to assist organizations operating in several EU member states. Multinational organizations will be entitled to deal with one data protection authority, the Lead Supervisory Authority (LSA), as their single regulating body. Work out who this is.
Risks to your business
The risks include fines of up to 4% of turnover for the most serious breaches. Even lesser breaches, such as not having records in order or not conducting an impact assessment, could attract a fine of 2% of turnover.
Conclusion – Write your shopping list now
Unless active planning is undertaken now, in 2017, businesses risk not complying with the new GDPR. Act now to avoid ending up with no Data Protection Officers available, fines being levied on your business, the risk of being denied access to key markets in Europe, and an audit of data protection practices by the Data Protection Commissioner. The GDPR is a major new development and getting it right will require considerable effort from many businesses in 2017.