gdpr - panic part 1

GDPR is coming (or, if you are reading this in a few weeks, GDPR is here). What do you need to know and where do you start?

This post is based on how GDPR will apply to the UK. I have nothing against the EU, but in the UK it is the ICO which governs GDPR. Each country is allowed to add specific requirements, and each country does so, so if you are looking for how GDPR applies to another country the ICO can’t help you, sorry.

The ICO documentation on GDPR is pretty good. The ICO also happens to be the body that decides what fines you get, should you get caught doing something wrong. The ICO has a history of giving greater fines to people who ignore the information and warnings it puts out, so if you are getting started then go here and have a read:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protectio…

Once you have read that, the ICO has a great 12 step plan to get yourselves GDPR fit. Use this as a guide to start your GDPR journey of enlightenment:

https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

If you want to see how compliant (or otherwise) you might be, the ICO has a checklist. How do you score on this?

https://ico.org.uk/for-organisations/resources-and-support/data-protecti…

The checklist starts off by asking you whether you are a data controller or a data processor. To find out if you are either of those things (or both, or neither) see:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protectio…

Once you have read all that you can find the actual GDPR regulation:

https://www.gov.uk/government/uploads/system/uploads/attachment_data/fil…

Surprisingly, it is pretty easy to read and follow the document. I have in the past read, and written, patents, and I assumed the GDPR authors would have used the same awful legalese. The regulation is in plain English (at least this version is; after Brexit god knows what language EU docs will be written in, but I guess it won’t matter to the UK).

To read the articles, and the actual requirements, I would start at page 32, which begins “HAVE ADOPTED THIS REGULATION:”. This lists each of the articles (requirements). You can go through each of these and make sure you are compliant with them.

The exciting bit, the fines

The exciting, headline-grabbing parts of GDPR are the fines that can be enforced. We don’t yet know how the ICO will apply the fines; words like “maximum” are used, and the maximum possible fines are large. It is possible that the maximum fines will apply, but in part 2 we will look at previous ICO enforcement actions to see if the ICO’s past performance gives us any clues as to its possible future decisions.

There are two tiers of fine that the GDPR says that the ICO can impose upon a data controller or data processor. The section of the GDPR we need is:

“Article 83” - “General conditions for imposing administrative fines”

Article 83 says that while any fines should be proportionate, they should also be dissuasive, so there is a balance between not being too harsh but also being harsh enough to warn other people. It also says the amount of the fine should take into account:

- The seriousness
- Whether it was intentional or not
- Whether the controller or processor put in any mitigations
- How much responsibility the controller or processor took
- Any previous infringements
- The types of personal data affected
- Whether the controller or processor notified the ICO or whether they tried to hush it up
- Any other aggravating or mitigating factors

To summarise, if you were a good data controller/processor, made a mistake and told the ICO yourselves, you would potentially get a smaller fine than if you repeatedly make mistakes and try to keep it quiet, or deliberately do something nefarious.

Fine Tiers

The first tier is up to 10M EUR or 2% of turnover (whichever is greater), but in the UK the ICO maximum is £9 Million or 2% of turnover. To see the things that are included in the first tier, see the GDPR document, Article 83, section 4, or search for:

“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:”

To see what can trigger the larger fines of £18 Million or 4% of turnover, see Article 83, section 5, or search for:

“Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:”

The ICO has published its thoughts on enforcement here:

https://www.gov.uk/government/uploads/system/uploads/attachment_data/fil…

Summary

GDPR is coming, and if you are based in the UK you need to do something about it. Personally I think GDPR is great, as personal data has really been misused. I am looking forward to a serious reduction in things like me buying something from a retailer and the retailer then thinking they have the right to email and generally market to me - they don’t, they never have, and now hopefully the GDPR will make our data safer and actually more private.

This is part one: https://the.agilesql.club/blogs/Ed-Elliott/2018-02-01/GDPR-Panic-Part-1
Part two is: https://the.agilesql.club/blogs/Ed-Elliott/2018-02-01/GDPR-Panic-Part-2
Part three is: https://the.agilesql.club/blogs/Ed-Elliott/2018-02-01/gdpr-panic-part-3