What a whirlwind 12 months for the European Union General Data Protection Regulation (GDPR). May 25th, 2018 brought probably the most dramatic change in data privacy law in 20 years, and it has fundamentally changed how data is held and processed in every industry, from legal services to advertising and everything in between.
According to the Irish Examiner, in Ireland alone more than 5,800 of the 6,200 complaints received by the Data Protection Commission (DPC) since the introduction of the GDPR have been deemed valid.
In the modern data-driven world, the EU moved to protect everyone in the EU from privacy violations and data breaches. Let’s explore how GDPR has impacted organisations over the last 12 months:
- Worldwide jurisdiction
- Potential of damaging fines and penalties
- Clear conditions for consent
- No delay notifying of data breaches
- Personal data access
- Right to erase personal data
- Ability to reuse personal data
- Built-in privacy from the outset
- Appointment of Data Protection Officers
Worldwide jurisdiction
The most notable change is GDPR’s extended jurisdiction: it applies to any organisation, regardless of location, that processes the personal data of people in the EU. Before May 25th, 2018, the territorial reach of the old rules was unclear, and that ambiguity was contested in several high-profile legal cases.
Now there is no ambiguity. GDPR applies to the processing of personal data by controllers and processors established in or outside the EU, regardless of whether the processing itself takes place in the EU or not.
Non-EU businesses processing the data of people in the EU must also, with limited exceptions, appoint a representative in the EU.
Potential of damaging fines and penalties
Breaches of GDPR can result in severe penalties. Where several provisions are infringed by the same or linked processing, a single fine is imposed based on the gravest infringement rather than a separate fine for each provision. That is less reassuring than it sounds once you consider the size of the fines possible.
Organisations can be fined up to €20 million or 4% of worldwide annual turnover, whichever is higher. This upper tier is reserved for the more serious infringements. The lower tier carries fines of up to €10 million or 2% of worldwide annual turnover, whichever is higher.
AggregateIQ, a Canadian analytics firm that worked for the Vote Leave campaign, was the first organisation to be hit with a ‘significant’ GDPR enforcement notice. It was accused of processing people’s data “for purposes which they would not have expected”. Should the firm fail in its appeal, it is likely to face a large fine.
Meanwhile, earlier this year, Google was fined €50 million by France’s data protection regulator, CNIL, the biggest fine imposed under GDPR so far. The CNIL found that Google’s consent arrangements were neither easily accessible nor transparent, and the search engine giant has yet to rectify the issues.
Clear conditions for consent
GDPR has rendered consent buried in long-winded terms and conditions invalid. Consent must be requested in a clear and accessible form, with the purpose of the data processing attached to that request, and clear and understandable language is an absolute must.
PrivacyPolicies.com outline the five must-have elements of consent under GDPR. Consent must be:
- Freely given – the person must not be pressured into giving consent or suffer any detriment if they refuse.
- Specific – the person must be asked to consent to individual types of data processing.
- Informed – the person must be told what they’re consenting to.
- Unambiguous – language must be clear and simple.
- Clear affirmative action – the person must expressly consent by doing or saying something.
Should any of the above be missing, the consent is not valid under GDPR.
No delay notifying of data breaches
With GDPR, the supervisory authority must be notified of a data breach where it is likely to “result in a risk for the rights and freedoms of individuals”, and the notification must be made within 72 hours of the controller becoming aware of the breach. Where the risk to individuals is high, the affected people must also be told without undue delay. Processors must notify the controller without undue delay so that these deadlines can be met.
These data security breaches are becoming all too frequent. In the last year alone, both Facebook and WhatsApp have suffered breaches, and Facebook is expected to be fined up to $5 billion by the US Federal Trade Commission for privacy violations.
Personal data access
Another dramatic change GDPR brought is the empowerment of people. They now have the right to obtain confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
A copy of the personal data must be provided free of charge (a reasonable fee may be charged for further copies), in a commonly used electronic form where the request was made electronically. The request must be answered without undue delay and within one month, extendable by a further two months for complex or numerous requests.
Right to erase personal data
GDPR introduced the right to erasure, also known as the right to be forgotten. People can now request that data controllers erase their personal data. Once requested, the controller must stop circulating the data and, where it has been made public, take reasonable steps to inform other controllers processing it of the erasure request so that they remove their copies and links as well.
Article 17 of GDPR outlines the conditions for erasure, including a person withdrawing their consent or the data no longer being needed for the purposes it was collected for. However, the right is not absolute: controllers may weigh a person’s rights against “the public interest in the availability of the data” when considering such requests.
With Submit, this can be achieved from our privacy dashboard, where you can manage your data, including deleting any client information using our search features, and update any of your policies.
Ability to reuse personal data
GDPR has brought data portability as an option for people in the EU. In essence, this is the right of a person to receive their personal data from one controller and transmit it to another with minimum fuss.
The controller must supply the data in a ‘structured, commonly used and machine-readable format’. The right applies where the processing is based on consent or a contract and is carried out by automated means.
Built-in privacy from the outset
Ensuring privacy is a core part of your system is no longer ‘a nice to have’ but an absolute must. Data protection can no longer be bolted onto systems afterwards but must be included from the initial design stage. Or, in the words of Article 25:
‘The controller shall… implement appropriate technical and organisational measures… in an effective manner… in order to meet the requirements of this Regulation and protect the rights of data subjects’.
Controllers must also limit access to personal data to those who need it to carry out the processing, and must minimise the data they hold and process to what is required for the stated purpose.
Appointment of Data Protection Officers
Under GDPR, organisations are required to keep meticulous internal records of their processing activities. A Data Protection Officer must be appointed by public authorities, by organisations whose core activities consist of processing operations that require regular and systematic monitoring of people on a large scale, and by organisations whose core activities involve large-scale processing of special categories of data or data about criminal convictions.
It is vital that the Data Protection Officer (whether a staff member or external service provider):
- Is appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice
- Has their contact details provided to the relevant DPA
- Is given appropriate resources to carry out their tasks and maintain their expert knowledge
- Reports directly to the highest level of management
- Does not carry out any other tasks that could result in a conflict of interest.
So if you know your organisation’s submissions totally adhere to these regulations, congratulations! If you’re unsure, or worse, you know your submissions aren’t compliant, you should start researching a secure online submission management system immediately. We’re not kidding.
Luckily, Submit is a fully GDPR compliant submission management system. We spent six months consulting with data protection specialists building additional layers of security and transparency into our system. In addition, we made changes to our forms to make sure all the information gathered is compliant with GDPR.
Are you running an awards program? Check out the essential features of awards management software.
Maybe you’re granting funding to worthy organisations? See why you should move your grant management process online.
You might even be looking to cast talent for your TV show. Click to see what to ask of a potential TV talent casting software solution.
If you want to ensure your submissions are fully compliant, speak to a senior solution specialist today. They’ll guide you through the process of switching to the best way to collect, manage and evaluate online submissions.