What you need to know about GDPR
The General Data Protection Regulation (GDPR) is the most comprehensive European data privacy law in decades. It came into effect on 25 May 2018, replacing the Data Protection Act 1998.
In order to make it easier to understand the nature of GDPR, what it incorporates and the effect it has on businesses, this article will explain its main points. It is intended to be an overview and not an alternative to legal advice. There are 99 Articles within GDPR, and the ones covered here are limited to the ones relating to software design and implementation.
GDPR aims to protect European citizens by strengthening the privacy of their personal data. Under the law, individuals have more control over how and where their data is processed. GDPR does not only affect European companies; it has global consequences. Any organisation that handles EU citizens’ data, regardless of where it is located, must adhere to the law, and non-compliance is severely punished.
The two central objectives of GDPR are:
- give citizens and residents back control of their personal data
- simplify the regulatory environment for international business by unifying the regulations within the EU
FLOvate LEAP Solutions are GDPR compliant and FLOvate is committed to maintaining our support and compliance going forward. We are able to provide advice on how to configure FLOvate LEAP to enable/maintain compliance for tailored solutions.
Data controllers and processors face administrative fines of:
the higher of €10 million or 2% of annual global turnover for infringements of articles:
- 8 (conditions for children’s consent),
- 11 (processing that doesn’t require identification),
- 25-39 (general obligations of processors and controllers),
- 42 (certification),
- 43 (certification bodies)
the higher of €20 million or 4% of annual global turnover for infringements of articles:
- 5 (data processing principles),
- 6 (lawful bases for processing),
- 7 (conditions for consent),
- 9 (processing of special categories of data),
- 12-22 (data subjects’ rights),
- 44-49 (data transfers to third countries)
The core principles of GDPR
GDPR introduces new concepts and companies will have new obligations toward individuals. Here are the key points and goals of GDPR applicable to software design and implementation:
Data Portability (article 20)
Companies will need to be able to provide users with their data in a machine-readable format when requested. Within FLOvate LEAP the ability to export this data in XML format can be easily configured as required.
Consent (articles 6, 7, 8, 9, 17, 18 and 22)
The consent request form will need to use plain and clear language, avoid pre-ticked boxes and include the purpose of data processing in an easily accessible form. In addition, companies will be obliged to keep records of the consent forms received.
Right to Erasure (article 17)
Also referred to as “the right to be forgotten”, it means that individuals can withdraw consent and companies will be obliged to delete any information about the person exercising the right. FLOvate LEAP can either remove completely or anonymise personal information.
Right to Access (article 15)
Data handlers will need to be able to provide individuals with information about where and for what purpose data is being processed.
Privacy by Design (article 25)
Technical and organisational measures will need to be implemented to show that GDPR is fully integrated into the company activity. This also means that companies will be obliged to use only data processors that guarantee to meet the requirements of the regulation. FLOvate is committed to helping our customers comply with GDPR and, as a data processor, we are fully GDPR compliant.
What about small businesses?
The good news is that the GDPR recognises that smaller businesses require different treatment to large or public enterprises. In fact, Article 30 of the regulation declares that organisations with fewer than 250 employees will not be bound by GDPR, although several stipulations mean that they probably still should comply.
In particular the following needs to be considered:
- If the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, if the processing is not occasional, or if the processing includes special categories of data as defined in GDPR Article 9, then GDPR will affect small businesses with fewer than 250 employees.
- Any breaches in data security must be reported immediately to data protection authorities such as the Information Commissioner’s Office (ICO) which is responsible for enforcing GDPR in the UK. Ideally, breaches should be reported within 24 hours if possible but at least within 72 hours.
- Individuals have more rights dictating how businesses use their personal data. In particular, they have the ‘right to be forgotten’ if they either withdraw their consent to the use of their personal data or if keeping that data is no longer required.
Are certain types of data more sensitive than others?
Yes. If you are creating a process within FLOvate LEAP that contains the following information, you will have to be more cautious:
- ethnic origin;
- trade union membership;
- biometrics (where used for ID purposes);
- sex life;
- sexual orientation.
If your process requires this information, we would recommend that you create these fields in a separate data object, control permissions around who can access this data, and log each time access is used. Keeping this data associated with the individual's other personal data means that processes to comply with all GDPR articles can be easily implemented. Within the FLOvate Solutions, data of this nature is contained within the CRM structures (contact records) and access is continually logged.
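The following is an added example, not FLOvate or LEAP code, showing in a small in-memory model the practices described above and in the Data Portability and Right to Erasure sections: special-category fields held in a separate object from the contact record, access to that object restricted to named roles and logged on every attempt, a machine-readable (JSON) export of everything held on a person, and erasure either by full deletion or by anonymising the record. The roles, field names and sample contact are all constructed for the example.

```python
# Added example, not FLOvate/LEAP code: a minimal in-memory model of a CRM-style
# contact record with Article 9 data kept apart, role-checked and logged access,
# a JSON export and erasure/anonymisation. Roles and data are constructed.
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
import json

# Hypothetical roles permitted to read special-category data (constructed).
SPECIAL_DATA_ROLES = {"dpo", "hr_manager"}


@dataclass
class Contact:
    """Ordinary personal data held in the contact record."""
    contact_id: str
    name: str
    email: str


@dataclass
class SpecialCategoryData:
    """Article 9 data kept in its own object, linked to the contact only by id."""
    contact_id: str
    fields: dict = field(default_factory=dict)


class ContactStore:
    def __init__(self):
        self.contacts = {}      # contact_id -> Contact
        self.special = {}       # contact_id -> SpecialCategoryData
        self.access_log = []    # one entry per attempted special-data read

    def add_contact(self, contact, special_fields=None):
        self.contacts[contact.contact_id] = contact
        if special_fields:
            self.special[contact.contact_id] = SpecialCategoryData(
                contact.contact_id, dict(special_fields))

    def read_special(self, actor, role, contact_id):
        """Return special-category fields only to permitted roles; log every attempt."""
        allowed = role in SPECIAL_DATA_ROLES
        self.access_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "role": role,
            "contact_id": contact_id, "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not read special-category data")
        rec = self.special.get(contact_id)
        return dict(rec.fields) if rec else {}

    def export_subject_data(self, contact_id):
        """Article 20 style export: everything held on the person, as JSON."""
        contact = self.contacts[contact_id]
        special = self.special.get(contact_id)
        payload = {
            "contact": asdict(contact),
            "special_category": dict(special.fields) if special else {},
        }
        return json.dumps(payload, indent=2, sort_keys=True)

    def erase(self, contact_id, anonymise=False):
        """Article 17: delete the person entirely, or strip identifying fields.

        Returns True if a record was affected, False if nothing was held."""
        had_special = self.special.pop(contact_id, None) is not None
        if not anonymise:
            return self.contacts.pop(contact_id, None) is not None or had_special
        contact = self.contacts.get(contact_id)
        if contact is None:
            return had_special
        # Anonymisation means the person can no longer be identified, so the
        # identifying fields are blanked rather than hashed or encrypted.
        contact.name = "[removed]"
        contact.email = "[removed]"
        return True


if __name__ == "__main__":
    store = ContactStore()
    store.add_contact(Contact("c1", "Ada Example", "ada@example.com"),
                      {"trade_union_membership": "yes"})
    print(store.export_subject_data("c1"))
    store.erase("c1", anonymise=True)
    print(store.export_subject_data("c1"))
    print(store.access_log)
```

The access log records denied attempts as well as successful reads, which is what an auditor reviewing access to special-category data needs to see; the export uses JSON rather than the XML mentioned for FLOvate LEAP, but any machine-readable format satisfies Article 20.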
We hope this is helpful and provides an overview of how FLOvate and its LEAP platform are GDPR compliant.