GDPR: The Countdown

Punam Tiwari, Senior Legal Counsel at Gibbs Hybrid, discusses how contractors and companies can get ready for GDPR

The clock is ticking, with only months to go until the General Data Protection Regulation (GDPR) comes into effect on the 25th of May this year. In its simplest form, GDPR will allow individuals to have more power over their own data, and organisations will need to put the systems in place that prevent and detect any breach of that data.

For instance, individuals will have strengthened rights to access their information through the additional right of data portability and GDPR has revised the definition of consent to require a “freely given, specific, informed and unambiguous” indication of the data subject’s wishes, thereby moving away from the “opt out” feature which was relied upon before. Companies, on the other hand, will be required to report any data breach without undue delay and no later than within seventy-two hours of its occurrence.

But as well as affecting companies, GDPR also has implications for contractors working with them, if they have any access to personal data. One of the focus points in the regulation centres on how data is communicated and shared between the organisations and individuals who control customer data and the third parties, such as contractors or consultants, who also have access to it.

Under GDPR, “data controllers” will need to make sure they have granular contracts with any third party ‘data processors’ who process this data, and will have to only appoint processors who can provide ‘sufficient guarantees’ that they will meet the requirements of GDPR.

The regulation is extending the responsibility for compliance to contractors who are data processors as well as the companies who determine the purpose and manner for processing the personal data.

So what can contractors, and companies, do to make sure they are GDPR compliant? First, it’s important to work out if the regulation applies to you. GDPR rules are far-reaching, but only cover information defined as ‘personal data’. This is any data that can be used to identify a living individual, such as an address or date of birth. “Sensitive personal data” or “special category data” is personal data such as health data, details about race or ethnicity, religious beliefs, sexual orientation, political beliefs, or any biometric and genetic information; it is deemed to be even more sensitive than ordinary personal data, and so the regulation considers that it needs more protection. If a contractor (or company) does not have access to this personal data or special categories of data, then GDPR would not apply. It is recommended that specific advice is taken on this point to determine the nature of the “data”.

If the data is being transferred between the organisation or individual and a third party, each party will need to make sure they have the systems in place to protect this data from attack, and detect any breach should it occur. This means that any affected contractors will have to make sure their cyber security systems are up-to-scratch and capable of detecting leaks.

But for contractors in the cybersecurity and data-management space this offers a growing opportunity. Faced with the scale of preparing for GDPR, many companies are looking to external expertise to ensure compliance. Two in five European governments and companies are expected to increase their cybersecurity spend by 15%, leading to a huge growth of new jobs in the industry.[1] As organisations become more circumspect about the way they store, share and manage personal data, a lot of work will need to be done.

With only a few months to go, and the threat of substantial fines in the event of non-compliance, GDPR is the word on everyone’s lips. Companies and their contractors will need to make sure they have taken the necessary steps to ensure compliance, and make the regulation work for them.

[1] https://www.theregister.co.uk/2017/06/07/gdpr_cyber_skills_jobs_gap/