The GDPR Increases Fines for Non-Compliant Companies

By the time the General Data Protection Regulation (The GDPR) enters into force on May 25, all companies must ensure compliance with its provisions, otherwise they open themselves to huge fines from the regulatory authorities.

New Rules

The benefits of the GDPR are numerous. It will provide a better level of protection for users, and businesses will enjoy a more stable regulatory environment. A single piece of legislation will apply to the entire EU, so there will be no uncertainties with regards to data processing activities.

This is a step forward from the current tangled web of regulations, where each country has its own rules, making expansion and doing business between EU member states a nightmare. This is especially true for modern tech companies that absorb and process huge amounts of data.

The rules for increased data portability will have a marked effect on fostering competition between companies. Smaller startups will be able to attract new users much more easily than before, as even the large players will have to transfer data when requested.

Huge Fines

Administrative fines can be levied by the regulatory authorities. Every EU member state will appoint one lead authority that will oversee all data protection practices in that country. The offenders can be punished according to the provisions of Article 83 of the GDPR.

Two levels of fines exist. The lower level is EUR 10 million or 2 % of the global annual turnover for the preceding year. The higher level applies to serious infringements and is double the lower level: EUR 20 million or 4 % of the global annual turnover in the preceding year, whichever is larger. A maximum fine won’t be issued in every case of infringement; however, it remains a possibility for repeat offenders.

In addition to fines, your company can also be sued by individuals who have been harmed by your data breach.

Degree of Infringement

Fortunately, most infringements will carry the lower tier of fines. These include a failure to implement appropriate security measures, a failure to obtain reports and keep written records, non-cooperation with authorities and not designating the official privacy representatives (such as data protection officers).

Grave infringements are punished with the highest tiers of fines. These infringements include a failure to adhere to the basic principles for processing and consent, violating the rights of data subjects, ignoring previous regulatory orders, and failure to report breaches and maintain proper records.

Circumstances of your infringement also matter. If you have been cooperative and did everything you could to minimize the damage, then you are likely to get off with a much smaller fine, or perhaps only a warning. It also helps if you had a clean slate up to that incident and if your breach or infringement was unintentional.

Overall, we expect the GDPR not to cost you too much, and the authorities probably won’t go guns blazing when it comes to fines. Just make sure you are taking the right steps to compliance and you should be all set.

Visit us at GDPRInformer.com for more great tips and articles to prepare for the GDPR. Our extensive knowledge base will certainly help you!


Official GDPR Consent Guidelines

The Article 29 Working Party is one of the bodies responsible for drafting and maintaining quality guidelines to steer organisations into compliance. Their new guidelines on consent are no exception, and we believe they will be extremely useful for all who need to comply.

Explicit Consent

So what is consent exactly? The principle is similar to the already existing one, but the rules have been made more stringent. People will have to give you their permission if you want to use their data, just like now, but you won’t be able to assume consent any more. They’ll have to check the box themselves, for example. You cannot serve them pre-ticked forms.

More sensitive data will require so-called explicit consent. You’ll usually be able to verify such consent by requiring additional confirmation, such as e-mail or two-factor authentication. You will also require explicit consent if you plan on transferring data to third countries not covered by the adequacy decision of the European Commission.

The best way to safeguard yourself is to ensure the consent is unambiguous at all times. Never bury your consent forms in long terms and conditions or bundle several requests in one form. Such consent is considered improperly obtained even if the individual had no objections to your use of their data.

Honesty is the Best Policy

You are not allowed to mislead your users into giving you consent, as it is only valid when it’s freely given and informed. You must carefully list the purposes for processing, and you can only process the data for the specified purposes. Make sure to inform the individuals of their rights as well, most importantly, the right to be forgotten (the right to erasure). Otherwise, the consent is invalid.

Note that individuals can withdraw their consent at any time, and you must cease processing as soon as you receive their notice. Doing otherwise is illegal and carries a risk of huge fines. There might be other legal bases on which you could continue processing even after consent is withdrawn, but again, you must notify the individual of your intentions (and they have the right to challenge your decision).

Existing Consent

Consent you have obtained prior to the GDPR is not automatically invalid, but it must have been obtained according to the GDPR rules. If you’re in doubt, then it probably isn’t valid. Note that you must have documentation proving that the consent had indeed been given. If you don’t, your consent is unfortunately useless.

Consent of Children

Children under 16 are generally unable to consent on their own (barring exceptions from member states that can reduce the threshold to 13 years of age) and parental consent is required. The WP29 did recognise that it’s often difficult to verify the identity of the parent and advocates for a risk-based approach. For risky data, they feel an ID scan or perhaps a written statement is in order.


If you liked this overview, you’ll like our extensive GDPR knowledge base on GDPRInformer. Visit us to get up to speed with the compliance process and learn how to prepare yourself for the GDPR to avoid huge fines.

GDPR Regulators Explained

prepared for the GDPR. In the resulting confusion, few know who’s responsible for what. We’re here to help.

European Data Protection Board

The EDPB will be an entirely new body; however, it will be based on the Article 29 Working Party, which currently issues recommendations for the GDPR. Its function has been mostly advisory so far and it does not deal directly with clients. It serves as an organisation which keeps the European Commission up to date with the current state of affairs.

However, the EDPB is tasked with yet another responsibility: to coordinate the action of the supervisory authorities. It can help solve disputes and issue opinions on issues on which SAs cannot agree amongst themselves.

Supervisory Authorities

Supervisory authorities are organisations established in all EU member states. They must operate independently from the government, and their task is very comprehensive. They are, in a nutshell, responsible for a smooth application of the GDPR in practice. They are here to protect the rights of EU individuals when it comes to data privacy and safety.

All supervisory authorities must work together in order to ensure a smooth and consistent application of the rules in the entire European Union.

They facilitate contact between the individuals who have queries or complaints on one side and companies on the other. They are the contact point for companies who will solve all their data privacy and safety issues with them. This is the touted one-stop shop mechanism that will help reduce overall costs and administrative load imposed both on companies and on the individuals.

Even if a company is based in several EU countries, the company only deals with a single supervisory authority, which then becomes the lead authority. The lead authority is the only one that can produce legal decisions against the company.

European Commission

Lastly, there is the European Commission. It will be part of the European Data Protection Board. It is there to act as an observer and a watchdog of the common interests of European citizens. It can issue opinions regarding consistency mechanisms, but should not get tangled up in individual cases.

The Commission and the EDPB can demand that a supervisory authority suspend a measure they deem incorrectly applied, but only in cases where the authority and the Board differ in opinion and if these decisions would affect the functioning of the common EU market.


Overall, we believe the one-stop-shop is an excellent mechanism that will leave companies with more time and resources to do their thing and leave the administration to the supervisory authorities. They will do a lot of work behind the scenes, so that companies don’t have to do anything. This will drastically ease communication and foster the overall competitiveness of EU companies. At the same time, the rights of the individual citizens will be well-protected. We can’t wait to see it work in practice!

Preparation for GDPR Compliance

Even if you found out the GDPR will apply to you from 25 May 2018, when it enters into force, you don’t have to worry. It’s all a matter of simple preparation – the better you do before it rolls out, the better your chances of having nothing to worry about. Now, nobody said this will be trivially easy to do, but it’s not that big of a deal either.

From our experience, we found out that small companies are having the hardest time complying with the basics of the GDPR. The reasons are very much practical – they simply don’t have the time, money or know-how to do better, no matter how hard they try. But things don’t have to be as bad as they are now.

Analyse and Research

The first part of getting things right for the GDPR is laying down the basics. Study the key provisions of the GDPR and try to think about the changes you will have to make. Consult your local laws, too, as they may sometimes be applicable as well.

Then, make note of practices you have identified as possibly not in line with the GDPR. These are the activities you will have to closely watch as you advance in your compliance efforts.

Map and Secure

Mapping your data is also a very important requirement of the GDPR. You have to be able to account for your data at all times. That means knowing where the personal data is stored exactly, how many copies there are, what your plans with the data are, and finally, when you will delete the data.

If you meet the above checklist, you can be reasonably sure the data won’t get used maliciously. Plus, it will be easy to answer personal data requests if you know where you store your data.

Additionally, security is also paramount. Make sure to encrypt and anonymise your data for maximum protection. Consider using access controls and make strong passwords mandatory.

Impact Assessments

A Data Protection Impact Assessment (DPIA) is an essential tool to ensure your data processing is legal. If you are doing any processing of sensitive data, you must perform a DPIA.

DPIAs help you determine both the risks and positive consequences of your envisioned processing actions, thus helping you decide whether carrying out the processing is a good idea. Data Protection Officers can help you conduct a DPIA.

Consent – Revised

Processing of personal data will now require a more informed level of consent from individuals. You will have to explicitly inform individuals of your plans to use their personal data. The notices must be served at the time of obtaining data, and they must be written in simple, understandable language. Consent (ticking the box or similar) must be explicit – no pre-ticked boxes are allowed anymore!

Records

Keep all records of your data processing. This isn’t a requirement if your company has fewer than 250 employees, but good records are the key to proving compliance with the GDPR to the authorities.

Data Portability and the GDPR: User Rights

Data portability is one of the core rights that data subjects have under the GDPR. It is very important for the optimal protection of user rights, but also crucial for the overall economic development.

Data Portability: Defined

Data Portability is in fact a very simple right. Basically, an individual has the right to swiftly and easily move all their data from a single service provider on to another one in a highly standardised, common format. For example, they could move their e-mails or contacts to another provider. Or, their pictures and profile details from one social network to another.

This measure has been introduced to aid individuals in finding services they like without fearing that their data would be lost. It also helps reduce the inconvenience of switching services, such as having to input all the data again. Many large companies were banking on the users’ reluctance to switch instead of introducing new features in order to keep their users.

Now they will have to try harder, whereas users will be able to try out novel services.

The Economy?

In theory, startups should be the happiest group to see this right. They will now have an easier time of attracting new users, since the inconvenience of changing services goes out of the window. In turn, this should foster innovativeness and competitiveness between companies in the entire EU.

This will provide customers with a greater range of choices and ensure the EU does not fall behind in innovation and technology compared to the rest of the world.

The Nitty-Gritty

The principle of data portability goes as follows: As soon as the individual makes a request, the company has 30 days to compile the data and either provide it to the individual or directly transfer it to another service. The data should be in a common format so that it can be easily shared and used with minimal alterations.

Companies can charge a proportional, small fee for excessive requests or very large requests that require plenty of administrative workload. Most often, these requests will be made offline, but the GDPR allows for written requests as well.

The entire process should be performed with regard to the safety of the personal data of the individuals whose data is being transferred. To that end, the company should make sure the person initiating the request is indeed the person whose data will be transferred. They have the right to require login identification, but may also ask for other forms of verification, such as ID scans or similar.

Conclusion

Overall, the data portability principle will balance out the powers that huge companies have over the regular folk. They will be able to choose their online service providers without being forced to stay under the threat of seeing their data deleted. This will spur growth and competition, and all this will benefit the end users. Furthermore, they will now know exactly where their data is and what data the companies actually hold on their servers.


GDPR and Data Protection Methods

Data breaches can be a very expensive affair. Fines from the supervisory authorities can be huge, not to mention the fallout among users and a major drop in confidence.

The GDPR will replace the deprecated Data Protection Directive from 1995 and bring new, streamlined rules. Along with the new rules comes the threat of substantial fines, so data protection should be the top priority of all companies that process personal data.

The fines are large – up to 20 million Euros or 4% of the company’s annual global turnover, so it pays to prevent data breaches rather than contain them.

Essential Measures

Personal data, and particularly sensitive personal data, must be secured well. The more sensitive the data, the better the security measures need to be. Less important data does not need to be as heavily secured (but there must be a high basic level of general security).

This risk-based approach aims to reconcile the costs of data security with the potential risks. That’s why you should be aware of the sensitivity of the data you hold by regularly conducting DPIAs. You can save plenty on low-risk data by not guarding it so strictly, but if you are unsure, it is best to treat all data as important.

Behavioural Security

Along with very useful technical measures, the human factor is simply too important to ignore. Employees are a huge data breach risk, and so measures must be taken to reduce the risk. Access controls are one of the ways to reduce the risk. Confidentiality agreements and physical access restrictions are another.

Ensure data isn’t taken away on portable devices. Make regular backups of data and store them well. Encrypt sensitive data, and make sure to keep the backups completely offline. Third-party services should not be used for backups, as that simply creates another weak link where the data might leak out, mostly due to human error (consider how often data gets stolen from the cloud).

Two-factor authentication is a great way of forcing all the responsible individuals to keep up with their security routines, while preventing, at the same time, malicious individuals from gaining easy access to the company network.

Technical Security

Low-risk data generally doesn’t need measures such as anonymization or encryption, but sensitive data does. High-risk data should at all times be encrypted and whenever possible stripped of its identifying parameters in a process called pseudonymisation. Such data is considered low-risk, since the identity of the individual person cannot be found out as easily. Encryption, of course, is still highly recommended and remains the gold standard of data safety.
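The pseudonymisation step described above, as an added example that is not part of the original article: direct identifiers are replaced by keyed HMAC-SHA256 tokens, so the stored data set no longer carries names or e-mail addresses, while the controller, holding the key separately, can still re-link a data subject's records to answer an access or erasure request. The field names and sample records are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers and replaced by pseudonyms.
# Everything else (country, plan, ...) is kept as-is.
DIRECT_IDENTIFIERS = ("name", "email")

# Constructed sample records for this example (not real people).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "country": "DE", "plan": "pro"},
    {"name": "Bob Example", "email": "bob@example.org", "country": "FR", "plan": "free"},
    {"name": "Alice Example", "email": "Alice@Example.org", "country": "DE", "plan": "pro"},
]


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed pseudonym for one identifier value.

    HMAC-SHA256 under a secret key: without the key the token cannot be
    reversed, nor matched against a list of candidate names or e-mails,
    which is what makes it stronger than a plain hash. The field name is
    mixed in (domain separation) so the same string in two fields gives two
    different tokens, and the value is normalised so that letter case or
    surrounding whitespace does not break linkage.
    """
    msg = field.encode() + b"\x00" + value.strip().lower().encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymise(records: list[dict], key: bytes) -> list[dict]:
    """Return copies of `records` with direct identifiers replaced by tokens."""
    out = []
    for rec in records:
        new = {}
        for field, value in rec.items():
            if field in DIRECT_IDENTIFIERS:
                new[field + "_pseudonym"] = pseudonym(key, field, value)
            else:
                new[field] = value
        out.append(new)
    return out


def records_for_subject(pseudonymised: list[dict], key: bytes, email: str) -> list[dict]:
    """Re-link with the key: the records of the subject who supplied `email`.

    This is how the controller still answers an access or erasure request
    while the stored data set itself contains no e-mail addresses.
    """
    token = pseudonym(key, "email", email)
    return [r for r in pseudonymised if r.get("email_pseudonym") == token]


if __name__ == "__main__":
    # The key is the re-identification secret: generate it once and keep it
    # apart from the pseudonymised data (for example in a secrets manager).
    key = secrets.token_bytes(32)
    data = pseudonymise(SAMPLE_RECORDS, key)
    print(data)
    print(len(records_for_subject(data, key, "alice@example.org")), "records for Alice")
```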

Updates and regular maintenance of security applications should not be overlooked. Make sure the company uses cryptographic protocols at all times, like SSL and TLS. Ensure the data is securely destroyed. This includes deletion in multiple passes, but can also refer to physical destruction of media in some more extreme cases. Paper records may also need expert disposal instead of simple shredding.


Essential Rules for Records in the GDPR

It’s easy to feel overwhelmed by the obligation to keep records under the GDPR. It is a non-trivial requirement that will force most companies to reconsider their processing operations. This is likely the goal of the GDPR, in that only the necessary processing operations should be carried out.

However, not all is that bad. Records can give you more insight into how you process data, giving you an overview that you could have a hard time getting otherwise. Plus, the regulators will look kindly upon you.

Mandatory for All

Record-keeping is now a requirement both for data controllers and data processors. Even third-party companies will have to store processing records for data they don’t own, but process anyway.

The goal is to have the records ready for when the regulators require them. They must be quickly presented to the regulatory authorities, and they are considered prime evidence of compliance with the GDPR.

SMEs Have It Easier

Small to medium enterprises, i.e. businesses employing fewer than 250 individuals, are ‘given some slack’ when it comes to record-keeping. The administrative burden is comparatively larger for small companies than for large ones, so SMEs now do not have to keep records, as long as they satisfy certain conditions.

Their processing must not occur on a regular basis (only occasionally), and processing cannot be the core business operation. If sensitive (protected) data is being processed, record-keeping is mandatory. This includes employee data as well.

Purpose Matters

Several processing activities can be bundled into a single record, as long as the processing is conducted for one single purpose.

A single record can thus apply to several operations, which can help you reduce the number of records you own. However, sometimes this can increase their complexity so you might not gain much. Separate records are thus also allowed.

Bare Essentials

Processing records have a list of required data that must be included within them. There are no set rules for how they should look (or in what file format they should be made and kept), so companies are allowed to choose whatever they like.

However, the bare minimum of content is non-negotiable. Each record must include a detailed explanation of the purpose of processing and the contact details of the processor. Categories of personal data and sensitive personal data used for processing must be listed, as well as any ongoing transfers of data outside the EU. Specify the period after which the data will be deleted and briefly explain what security measures you took in order to secure the data.

DPOs Can Help

A data protection officer can help things run smoothly, especially in smaller organisations that lack qualified personnel. Small companies can even outsource their DPO to reduce costs but still take advantage of their know-how. This can help them avoid expensive fines and liability at a minimal, nominal cost. Plus, a DPO can provide valuable education for the rest of the staff, which should reduce the risk of data loss and breaches.