GDPR preparation: 2018 data protection changes

The right to be forgotten

Perhaps the most written-about feature of the GDPR is the "right to be forgotten". This gives an individual the right to order a business to erase their personal data, as long as certain criteria are met.

To find out more, IT Pro spoke to Sarah Pearce, a partner in the Technology Transactions Group at law firm Cooley LLP. She told us that data controllers will have to erase any and all copies or links to personal data where the data subject withdraws consent and there is no legal ground for processing it. The organisation must also take reasonable steps to inform others who are processing the data concerned.

Data must again be removed pending investigation if someone objects to the accuracy of their personal data, under a provision called the "right to restriction".

Pearce recommended at the time that all businesses review their procedures for handling erasure requests, to ensure they can provide both for erasure and restriction. Determine how you'll identify other controllers and inform them of a request, and nominate someone within your business to be responsible for dealing with such requests.

Record keeping

This might sound like something of a record-keeping nightmare for smaller business, but the reverse could well be true. "For a smaller organisation, the ability to comply should actually be easier," reckoned Guy Bunker, senior VP at security company Clearswift, ahead of GDPR's debut.

"Under GDPR, organisations of less than 250 employees will not have to employ or train a data-protection officer (DPO)." Essentially, they won't have to change the structure of their organisation, whereas larger businesses probably will.

Smaller organisations also benefit from no longer having to notify the ICO of data-processing activities. The GDPR instead requires businesses to keep detailed records on their own processing activity.

"This includes info such as the reason for processing, the description of the categories of the data subjects and personal data, categories of recipients to whom personal data is disclosed, the time limits for erasure and a description of the security measures taken", explained David Barker, technical director at cloud hosting company 4D Data Centres.

In fact, companies with fewer than 250 employees are exempt from these bookkeeping requirements but only if your data processing isn't "likely to result in a risk to the rights and freedoms of the subject"; doesn't relate to sensitive personal data, and isn't occasional in nature. If any of those do apply, then even the smallest business must comply with the full record-keeping requirement.

Getting it wrong

Watchdog - CNIL - for it's 'forced consent' approach for Android users. The fine was issued after two organisations, noyb (None of Your Business) and LQDN (La Quadrature du Net) filed complaints against the tech giant shortly after the legislation came into force.

The complaint related to Android users who, when setting up a new Android phone, were forced to follow its onboarding process which included forced consent for the processing of their data. Both groups said Google had no legal basis to process the personal data of its users - particularly for ads personalisation purposes.

The maximum fines for GDPR are 20 million or 4% of the company's annual turnover, whichever is greater. In this case, Google could have potentially faced a maximum fine of almost 4 billion.

Instead, it received the significantly smaller fine of 50 million, which is pocket change to Google as it has a huge amount of global revenue. For SMBs, although the fines will reflect a companies size, getting GDPR wrong could potentially be fatal. Smaller firms simply can't afford to get it wrong as they will not have the same financial clout or backing as a Google or Facebook.

Indeed, some have questioned the scale of the penalties associated with non-compliance.

"If a smaller business were hit with one of these fines," noted Bunker. "It would be potentially catastrophic."

How catastrophic? Well, GDPR replaced the old warning system for SMEs with a two-tier fining regime. Tier 1 is for a "less serious" breach of the regulations, such as where an administrative failure in record-keeping is found. Even this can be up to 2% of turnover, or 10 million.

Tier 2 is for failures categorised as "serious", such as a breach of basic data-protection principles and the maximum penalty is doubled.

"This means that SMBs are exposed to the Tier-1 level of fines for non-compliance with record-keeping or procedure issues," warned David Barker, ahead of GDPR.

However, there are ways to reduce your exposure, said Baker: "Fines will be set by the ICO, and they do take into account an SME's code of conduct and certifications such as ISO 27001. It may be worth small businesses perusing these to give them some protection from fines as well as implementing best practice when it comes to information security."

That's the real point. It's not about the fines or laws, but about protecting your clients' data.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.