Get an overview of the GDPR and understand the implications for your intranet
The General Data Protection Regulation (GDPR) is a new EU Regulation that entered into force on 24 May 2016 and applies since 25 May 2018. It replaced the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and to increase the obligations on organisations that collect or process personal data. Any organisation that collects, stores, and controls information about EU citizens needs to prepare for the GDPR.
This blog post gives you an overview of the General Data Protection Regulation (GDPR) and attempts to help you understand the new data protection legislation in the EU. The blog post describes the legislation and the new requirements and explains the similarities and differences with the existing Data Protection Regulations from 1995. This article targets those responsible for data protection in their organisation. The main topics are:
- GDPR overview
- Why you need to make sure intranet software complies with the GDPR
- Pay particular attention in these situations
- Key changes with the GDPR
- Data controller versus data processor
- Data controller and processor responsibilities
Why is it important to know something about the Personal Data Regulation?
The rules for processing personal data set the framework for how companies should handle personal data. Increased digitalisation in society and the forthcoming personal data regulation have led to a sharp focus on personal data and compliance with the rules in all organisations. It is therefore relevant to familiarise yourself now with the content of the regulation and the requirements it imposes on the handling of personal data. The fact is that for the vast majority of organisations, it will require a change to their current processes for collecting and handling personal data. At the same time, it will require a far greater degree of transparency and information towards customers and employees.
This blog post gives you insights into the General Personal Data Regulation and helps you understand the consequences of the new General Personal Data Regulation for your business and data on your intranet. The post also explains what you should pay particular attention to in the new legislation.
The European Parliament, the Council of the European Union and the European Commission intended to strengthen data protection for all individuals within the European Union. The GDPR is centred on imposing stronger controls on data collection, storage, use and disposal.
The legislation stipulates that by 25 May 2018, all organisations involved in processing personal data of EU citizens had to meet the new legal data protection requirements. The aim of the regulation is to strengthen individuals' right to data protection and to make the processes around the data simpler for organisations. Simply put, the objective of the GDPR is to give citizens and residents back control over their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The legislation also covers international organisations which hold personal information on EU citizens, even if the organisation is not based within the EU. That also means that organisations from the UK are not immune to the GDPR. The UK government has confirmed that the UK's decision to leave the EU will not affect the initiation of the GDPR.
In areas where personal data is collected, processed and stored, the GDPR will apply, and that also includes employee data. The GDPR makes specific reference to consent from employees: such consent needs to be freely given. This means you as an employer need to ask for consent when harvesting data from your employees.
This means you cannot just harvest data from your employees unless there is clear consent, given with a genuinely free choice.
Be cautious about stored information when an employee leaves your company. That may be work groups they created, or comments or posts they made. If it identifies an individual, you will likely need GDPR compliance. Anyone with personal data (and remember, every employer has personal data on their employees) needs to consider the data they hold, how they hold it, where it is stored, and the policies, procedures, and technology used to keep it secure. And don’t forget all the 3rd party organisations that may have access to this data – you can outsource the data processing, and you can even send data outside the EU (by legal methods), but you are still responsible for any subsequent data loss.
The information you hold on employees and how you interact with this data digitally, i.e. on your intranet, could leave you just as vulnerable if you do not comply with the GDPR.
Read on to get a full overview of the GDPR, where we dig a little deeper into personal data. Here you will find an insight into how personal data is defined and the consequences of not complying with the GDPR.
A situation where you should pay particular attention is the personal data that remains on your intranet when an employee leaves your organisation. There may be content in workgroups on the intranet, comments or posts that they have created. If an individual can be identified, you need to obtain the consent of the person concerned to comply with the GDPR. The GDPR states that individuals (in this case your employee) may ask to have their personal data deleted if it is no longer used in the company.
The personal data you have on your employees, and how you handle these data digitally, for example on your intranet, may pose a risk to your company if you do not comply with the Personal Data Regulation.
How is personal information defined?
According to the Personal Data Regulation, personal data is defined as any information that can identify an individual, whether it is obtained for private, professional or public use. It can be anything from:
- Social Security number
- Phone number
- Email address
- Bank information
- Posts on social media
- Disease history
- IP address
The amendment to the current directive is that the GDPR applies a strict definition of personal data as any information that can be used to identify a person. A distinction is made between two types of information:
- General personal information
- Sensitive information
1. General Personal Information:
- Date of birth
- Contact information
- Personality test
- Bank information
- Posts on social media
- Social security number
General personal information can be used where the company has a legitimate reason to use the personal data or needs it to fulfil an agreement, for example using an account number for payroll.
2. Sensitive Information:
- Disease history
- Ethnic background
- Political beliefs
Sensitive personal information must not be processed at all unless the individual has given explicit consent to its use for a specific purpose.
Examples of using sensitive information may include: a spouse's contact information collected at hiring, allergy information collected in connection with a breakfast meeting, or permission for marketing.
The GDPR aims to protect all EU citizens from data breaches in an increasingly data-driven world that is vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy from the previous directive still hold true, the GDPR introduces many changes. Here are the nine most significant changes.
1. Fines for not complying with the GDPR
Failing to meet the requirements under the GDPR can be costly, with potentially huge fines: Sanctions for offences relating to control and mitigation can be up to 10 Million Euros or 2% of the total worldwide annual turnover (whichever is higher). Offences relating to rights and obligations can be as high as 20 million Euros or 4% of total worldwide annual turnover (whichever is higher). (Chapter VIII, article 83 (4))
2. Mandatory notification of data loss incidents
Companies are required to report data breaches within 72 hours to a Supervisory Authority, and the individuals whose data has been lost must also be informed promptly if the breach represents a high risk to the individual. Information about the circumstances of the data breach and the technical measures that were in place to safeguard the data must be given to the Supervisory Authority. (Chapter VI, section 2, article 33).
3. Data processors and data controllers are jointly accountable
Previously, only data controllers (usually the organisations who gathered the data) were accountable for data protection. Now, it is a joint responsibility. That means if you are a cloud service provider or an outsourcing partner that processes data on behalf of someone else, and that data includes data on EU citizens, you are accountable for the data.
4. One set of rules for all countries
The data protection law of 1995 was a directive, under which each EU country made its own national law to comply with the directive. The GDPR is set out as a regulation, which means there is no room for national interpretation, and the rules are the same for all countries.
5. Encryption and pseudonymising of personal data are encouraged
One of the central principles of the GDPR is that personal information will have to be encrypted in the future. This includes using pseudonyms in place of names. The aim is to ensure that any data leaked or misappropriated becomes useless to anyone who doesn’t have the encryption key. There are many forms of encryption available and different methods of implementation. (Chapter II, Article 6, 4e)
The law specifically encourages data controllers and processors to implement technologies such as encryption to safeguard data.
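As an added illustration of the pseudonymisation the section above describes (this is example code, not Colibo's or the GDPR's own), intranet posts have their author names replaced by keyed pseudonyms; the key and the lookup table are the only way back to an identity and must be held apart from the posts. The sample posts, names and key are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed sample intranet records (not real data): posts that name an employee.
INTRANET_POSTS = [
    {"id": 1, "author": "Anna Jensen", "text": "Minutes from Monday's meeting attached."},
    {"id": 2, "author": "Bo Larsen", "text": "Can someone review the Q3 report?"},
    {"id": 3, "author": "Anna Jensen", "text": "Done, comments inline."},
]

# Constructed key for the example; in practice it lives in a key store, not beside the data.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"


def make_pseudonym(key: bytes, name: str) -> str:
    """Keyed, deterministic pseudonym: the same name always maps to the same token,
    so posts by one person stay linkable, but the token cannot be reversed or
    re-linked to the name without the secret key."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(posts: list, key: bytes) -> tuple:
    """Return (pseudonymised posts, lookup table).  The lookup table is the only
    link back to identities and must be stored separately, under the same
    protection as the key; a leak of the posts alone reveals no names."""
    lookup = {}
    out = []
    for post in posts:
        token = make_pseudonym(key, post["author"])
        lookup[token] = post["author"]
        out.append({**post, "author": token})
    return out, lookup


def contains_name(posts: list, name: str) -> bool:
    """Check whether a name still appears anywhere in the serialised records."""
    return any(name in json.dumps(post) for post in posts)


def reidentify(posts: list, lookup: dict) -> list:
    """Restore names, which is only possible for whoever holds the lookup table."""
    return [{**post, "author": lookup.get(post["author"], post["author"])} for post in posts]
```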
6. The need for Data Protection Officers
A Data Protection Officer (DPO) must be appointed by all public authorities, or in cases where the core activities of the data controller or processor ‘require regular and systematic monitoring of data subjects on a large scale’. (Chapter IV, section 4, article 37-38).
7. Privacy by default and privacy by design
Privacy by design means that each new service or business process that makes use of personal data must take the protection of such data into consideration. That means when organisations initiate a project, they need to consider data protection. Privacy by default means that the strictest privacy settings apply once a user has acquired a service or a product. No changes to privacy settings are allowed after the purchase (chapter IV, section 1, article 25)
8. The GDPR provides the following rights for individuals
The right to be forgotten. An individual has the right to request that his or her data is deleted by the organisation when the data is no longer necessary for the purpose for which they were collected. (Chapter III, section 3, article 17)
The right of access. An individual has the right to obtain information on whether personal information concerning him or her is being processed. (Chapter III, Section 2, article 15)
The right to rectification. An individual has the right to have inaccurate information about themselves rectified or completed. (Chapter III, Section 3, Article 16)
The right to restrict processing. An individual has the right to obtain restriction of data processing if the accuracy of the data is contested by the individual. (Chapter III, section 3, article 18).
The right to data portability. An individual can transfer their data from one organisation to another. (Chapter III, section 3, article 20).
The right to object. An individual has the right to object to the use of their personal data, for instance for profiling for marketing purposes. (Chapter 3, section 4, article 21)
9. New rules for consent protocols
The controller shall be able to demonstrate that an individual has consented to the use of their personal data. Furthermore, pre-ticked boxes or inactivity do not constitute consent. Controllers processing the personal data of children under the age of 16 must collect consent from their parents. (Chapter II, article 7-8)
All organisations collect and store personal data about their employees; therefore, all organisations, EU or non-EU, are responsible for processing data within the EU. (Chapter IV, Section 1, article 24)
The GDPR applies to two different roles: data processors and data controllers. Both have specific responsibilities with regard to the protection of personal data. You must know which role your own business has, so you can live up to the new rules, especially where there is a data breach.
According to Chapter IV of the GDPR, different roles are identified as indicated below:
Controller – “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal ”
If the controller processes the data itself, it is still considered a data controller. Examples of data controllers are online retailers, as are most businesses.
Processor – “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the ”
A processor is someone outside the controller organisation processing the data on behalf of the controller. Examples of processors are payroll companies, accountants and cloud service providers.
If your organisation was considered a data controller under the old directive, it will also be one under the GDPR. The definitions of data controller and data processor have not changed, but their responsibilities have. This means that while the old directive placed data protection responsibility on the controller, the GDPR also places data protection responsibilities on the processor.
While a controller is heavily involved in how personal data is handled, i.e. identifying and analysing how it should be processed and what actions to take, the processor is the one carrying out any action involved with handling the data itself.
Under the old Data Protection Directive, even though the processor handled the data, the legal liability fell on the controller who appointed the data processor. The primary data protection liability lies with the data controller, and the data controller organisation is responsible for reporting data breaches to its Supervisory Authority. Controllers also have to demonstrate upon request that a data subject has consented to the processing of his or her personal data.
With the GDPR, controllers will still be responsible for appointing data processors, but the processors themselves will now be held accountable for actions on personal data as well. If a controller is to appoint a processor, they need to make sure the processor has applied the organisational and technical measures to comply with the GDPR.
This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how Colibo has addressed some important legal points. You still need to consult legal advice on GDPR.