The General Data Protection Regulation (GDPR) is a new set of regulations to personal data protection. The European Parliament, the Council of the European Union and the European Commission, intend to strengthen data protection for all individuals within the European Union. The GDPR has centred around on imposing stronger controls on data collection, storage, use and disposal.
The legislation conditions that before 25 May 2018, all organisations involved in personal processing data of EU citizens must meet new legal data protection requirements. The aim is to strengthen the individuals’ right to data protection and to make the processes around the data simpler for organisations. Simply put, the objective of the GDPR is to give the control back to the citizens and residents over their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The GDPR was adopted on 27 April 2016 and will apply from 25 May 2018, giving organisations a two-year transition period.
The legislation also includes international organisations which hold personal information on EU citizens, although their organisation is not based within the EU. That also means that organisations from the UK, are not immune to the GDPR. The UK government has confirmed that UK’s decision on leaving the EU will not affect the initiation of the GDPR.
Why you need to make sure your intranet software complies with the GDPR
In areas where personal data is collected, processed and stored, the GDPR will apply, and that also includes employee data. The GDPR has made specific reference to consent from employees that such consent needs to be freely given. This means you as an employer need to ask for consent when harvesting data from your employees.
This means you cannot just harvest data from your employees unless there is a clear consent, with the obvious free choice.
Be cautious for stored information when an employee leaves your company. That may be work groups they created, comments they made or posts. If it identifies an individual, you will likely need GDPR compliance. Anyone with personal data (and remember, every employer has personal data on their employees) needs to consider the data they hold, how they hold it, where it is stored, and the policies, procedures, and technology used to keep it secure. And, don’t forget all the 3rd party organisations that may have access to this data – you can outsource the data processing, and you can even send data outside the EU (by legal methods), but you are still responsible for any subsequent data loss.
The information you hold on employees and how you interact with this data digitally, i.e. on your intranet, could leave you just as vulnerable if you do not comply with the GDPR.
Read on to get a full overview of the GDPR where we take a spade pointer deeper into the personal data. Here you will find an insight into how personal data are defined and the consequences of not complying with the GDPR.
Pay particular attention in these situations
The situations where you should pay particular attention to are the personal data that is on your intranet when an employee leaves your organisation. There may be content in workgroups on the intranet, comments or posts that they have created. If an individual can be identified, you need to obtain the consent of the person concerned to comply with the GDPR. The GDPR states that individuals (in this case your employee) may ask to have their personal data deleted if it is not used anymore in the company.
The personal data you have on your employees and how you relate to these data digitally, for example. on your intranet may pose a risk to your company if you do not comply with the Personal Data Regulation.
How is personal information defined?
According to the Personal Data Regulation, personal data are defined as any information that can identify an individual. This means that personal data is any information that can identify an individual, whether it is obtained for private, professional or public use. It can be anything from:
- Social Security number
- Phone number
- Email address
- Bank information
- Posts on social media
- disease history
- Or an IP address
The amendment to the current directive is that the GDPR applies a strict definition of personal data as any information that can be used to identify a person. A distinction is made between two types of information:
General personal information
General Personal Information:
- birthday Date
- Contact Information
- personality Test
- Bank information
- Posts on social media
- Social security number
General personal information can be used in case the company has a necessary reason to use personal data or to fulfill an agreement, for example. Use of account number for payroll.
- Disease history
- Ethnic background
- Political beliefs
Personally sensitive information must not be treated at all, unless explicit consent of the individual for use for a specific purpose.
Examples of using sensitive information may include: Spouse's contact information on appointment, allergy information in connection with a breakfast meeting or marketing authorization.
Key changes with the GDPR
The GDPR aims to protect all EU citizens from data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy still hold true to the previous directive, many changes have been proposed to the GDPR. Here are the nine most significant changes that organisations will need to put in effect until May 2018.
1 Fines for not complying with the GDPR
Not complying to meet the requirements under GDPR can be costly, with potentially huge fines: Sanctions for offences relating to control and mitigation can be up to 10 Million Euros or 2% of the total worldwide annual turnover (whichever is higher). Offences relating to rights and obligations can be as high as 20 million Euros or 4% of total worldwide annual turnover (whichever is higher). Chapter VIII, article 83(4)
2. Mandatory notification of data loss incidents
Companies are required to report data breaches within 72 hours to a Supervisory Authority, and the individuals whose data has been lost must also be informed promptly if the breach represents a high risk to the individual. Information about the circumstances of the data breach and the technical measures that were in place to safeguard the data must be given to the Supervisory Authority. (Chapter VI, section 2, article 33).
3. Data processors and data controllers are jointly accountable
Previously, only data controllers (usually the organisations who gathered the data) were accountable for data protection. Now, it is a joint responsibility. That means, if you are a cloud service provider or outsourcer of data if you process data on behalf of someone else and that includes data on EU citizens, you are accountable for the data.
4. One set of rules for all countries
The data protection law of 1995 was a directive, in which EU countries could make their national laws to comply with the directive. The GDPR is set out as a regulation, which means there is no option for interpretation, and the rules are the same for all countries.
5. Encryption and pseudonymising of personal data are encouraged
One of the central principles of the GDPR is that personal information will have to be encrypted in the future. This includes using pseudonyms in place of names. The aim is to ensure that any data leaked or misappropriated becomes useless to anyone who doesn’t have the encryption key. There are many forms of encryption available and different methods of implementation. (Chapter II, Article 6, 4e)
The law specifically encourages data controllers and processors to implement technologies such as encryption to safeguard data.
6. The need for Data Protection Officers
A Data Protection Officer (DPO) must be appointed by all public authorities, or in cases where the core activities of the data controller or processor ‘require regular and systematic monitoring of data subjects on a large scale’. (Chapter IV, section 4, article 37-38).
7. Privacy by default and privacy by design
Privacy by design means that each new service or business process that makes use of personal data must take the protection of such data into consideration. That means when organisations initiate a project, they need to consider data protection. Privacy by default means that the strictest privacy settings apply once a user has acquired a service or a product. No changes to privacy settings are allowed after the purchase (chapter IV, section 1, article 25)
8. The GDPR provides the following rights for individuals
- The right to be forgotten. An individual has the right to request that his or her data is deleted by the organisation when the data is no longer necessary for the purpose for which they were collected. (Chapter III, section 3, article 17)
- The right of access. An individual has the right to obtain information on whether personal information concerning him or her is being processed. (Chapter III, Section 2, article 15)
- The right to rectification. An individual has the right to have inaccurate information about themselves rectified or completed. (Chapter III, Section 3, Article 16)
- The right to restrict processing. An individual has the right to obtain restriction of data processing if the accuracy of the data is contested by the individual. (Chapter III, section 3, article 18).
- The right to data portability. An individual can transfer their data from one organisation to another. (Chapter III, section 3, article 20).
- The right to object. An individual has the right to object to the use of their personal data for instance profiling for marketing use. (Chapter 3, section 4, article 21)
9. New rules for consent protocols
The controller shall be able to demonstrate that an individual has consented to use their personal data. Furthermore, pre-ticked boxes or inactivity does not constitute consent. Controllers processing personal data of children under the age of 16, must collect consent from their parents. (Chapter II, article 7-8)
Data controller vs data processor
All organisations collect and store personal data about their employees; therefore, all organisations, EU or non-EU, are responsible for processing data within the EU. (Chapter IV, Section 1, article 24)
The GDPR applies to two different roles: Data processors and data controllers. Both have specific responsibilities with regards to protection of personal data. You must know which role your own business has, so you can prepare yourself for May 2018, especially where there is a data breach.
According to Chapter IV of the GDPR, different roles are identified as indicated below:
- Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal ”
If the controller processes data itself, they will still be considered data controllers. Examples of data controllers are online retailers, as will most of the businesses.
- Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the ”
A processor is someone outside the controller organisation processing the data on behalf of the controller. Examples of processors are payroll companies, accountants and cloud providers. A processor is an organisation that processes data on behalf of data controller, e.g. cloud service providers)
If your organisation were considered a data controller under the old directive, it would also be under the GDPR. The definitions on data controller and data processor have not changed, but their responsibilities have changed. This means that while the old directive placed data protection responsibility on the controller, the GDPR also places data protection responsibilities to the processor.
Data controller and processors responsibilities
While a controller is heavily involved in how personal data is handled, i.e. identifying and analysing how it should be processed and what actions to take, the processor is the one carrying out any action involved with handling the data itself.
Where under the old Data Protection Directive, even though the processor is handling the data, the legal liability fell onto the controller who appointed the data processor. The primary data protection liability lies with the data controller, and the data controller organisation is responsible for reporting data breaches to their Supervisory Authority. Controllers will also have to demonstrate upon request that a data subject has consented to process his or her personal data.
With the GDPR, controllers will still be responsible for appointing data processors, but the processors themselves will now be held accountable for actions on personal data as well. If a controller is to appoint a processor, they need to make sure the processor has applied the organisational and technical measures to comply with the GDPR.
The changes within Colibo
As we approach May 2018, Colibo is focused on GDPR compliance efforts. During this implementation period, we are evaluating new requirements and restrictions imposed by the GDPR and will take any action necessary to ensure that we handle our customer data in compliance with the GDPR by the 2018 deadline. As a customer you’ll receive notifications of new functionality and changes to our Terms in your inbox in the usual way. We’ll also be updating this page and sharing content over the coming months, so come back for updates.
This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how Colibo has addressed some important legal points. To be prepared for the GDPR in May 2018, you need to consult legal advice on GDPR and how it will impact the way you comply to the GDPR. This post doesn’t constitute legal advice, and should not be considered as such.