General Information
The EU’s General Data Protection Regulation (“GDPR”) automatically comes into force on the 25th of May 2018. On this date businesses must comply with the new data protection rules that apply to the collection, storage, processing and use of personal data.
Narrative Industries does not offer advice on GDPR and this statement must not be construed as advice.
Who does the GDPR apply to?
Any business that offers goods or services to individuals (“data subjects”) within the EU and/or monitors the behaviour of data subjects in the EU must comply with the GDPR. Even if a business is physically located outside of the EU it will be obliged to comply with the GDPR, if it targets the EU market or EU residents (for example: companies in the US selling services to EU companies).
There are no exemptions for small businesses. There is no grace period for ensuring compliance. Businesses must be fully compliant from the 25th of May 2018.
The GDPR applies to both data processors and data controllers, although they do have different obligations.
Brexit Implications
Even after Brexit, and proposed changes to UK law, UK businesses still need to comply with the GDPR if they target the EU market or EU residents with their goods and services.
What is Personal Data?
Personal data is defined under the GDPR as:
“any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Personal data therefore includes, but is not limited to: a name, email address, IP address, photos, location data, bank details, social networking posts, medical information, device IDs, genetic data and biometric data.
DPIA
A data protection impact assessment (“DPIA”) is a privacy-related impact assessment whose objective is to identify and analyse how data privacy might be affected by certain actions or activities. DPIAs are mandatory in certain cases (for example: where profiling is carried out using personal data).
Consent
Where consent is relied upon as the basis for processing personal data, consent must be unambiguous when given. Businesses must be able to prove they obtained unambiguous consent to the collection, storage, processing and use of personal data (for example: data subjects actively clicking a consent box agreeing to the terms of a privacy policy).
Contracts and Policies
All existing contracts and privacy policies will need to be reviewed and updated to include the mandatory obligations and information set out in the GDPR (for example: having a written data processing agreement between the data processor and data controller).
Data Subject Rights
Data subjects have the right to: access all personal data held on them; have inaccurate data rectified; object to processing (for example: for marketing purposes); export their data; and have their data erased. Appropriate processes and templates should be put in place to allow data subjects to exercise these rights within the statutory time limit (of 1 month).
Data Breaches
There are new obligations to report a personal data breach to a data protection supervisory authority where the breach is likely to result in a risk to the rights and freedoms of individuals (for example: damage to reputation or financial loss), and in some circumstances to the data subjects themselves. A personal data breach is defined as “a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data” and includes paper data, not just electronic data. Breaches must be reported within 72 hours, providing the specific information set out in the GDPR.
Appointing a Data Protection Officer (“DPO”)
Most businesses with fewer than 250 employees will be exempt. However, if a core activity of a business involves large-scale monitoring or processing of sensitive personal data, a DPO must be appointed. “Sensitive personal data” includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and data concerning health or sex life. Examples of large-scale monitoring provided by the EU are: patient data processed by a hospital, or customer data processed by a bank or insurance company. A CTO or head of IT cannot be a DPO, as they are independent of neither the team undertaking the processing nor the management.
International Data Transfers
Where businesses, or their subcontractors, affiliates or suppliers, store or process personal data outside the European Union, data subjects must be made aware of this and in most circumstances must consent to it. Where personal data is transferred to a country which does not have adequate protection, the methods adopted for protecting the personal data must be specified (for example: the use of model contract clauses).
Fines for Breaches of the GDPR
Businesses can be fined the higher of up to 4% of their global turnover or 20 million Euros for serious breaches of the GDPR, or 2% of global turnover or 10 million Euros for breaches that are administrative.
Preparing for Change
Businesses must know what personal data they hold, how it is collected, how it is stored and used and where and to whom it is being transferred. All such processes and information must be documented.
Businesses must implement technical and organisational measures that show they have considered and integrated data protection into their processing activities.
To achieve the above objectives, businesses should:
- audit their processing activities and security measures;
- have in place GDPR compliant privacy and security policies;
- review and amend existing contracts with customers, suppliers and subcontractors;
- create a written data processing agreement for use between data processors and data controllers.
Narrative Industries Specific Data Protection Information
Narrative Industries has always taken the safety of your data very seriously and we will continue to do so after GDPR.
Company Registration Details
Narrative Industries Ltd is a private company limited by shares, registered in England and Wales under number.
We are registered with the Information Commissioner’s Office under number ZA383901.
Data Protection Officer
Narrative Industries has fewer than 250 employees and does not engage in large-scale monitoring of sensitive personal data. As such we consider that we are not obligated to appoint a Data Protection Officer.
Data Centres
Narrative Industries' website hosting is managed by our partner Wirehive. Servers reside in Tier 3 UK data centres and access is strictly controlled.
Sub Processors
Narrative Industries only makes use of GDPR compliant sub-processors (storage solutions, information repositories, accounting and workflow management systems, etc.) and we ensure that data is held within the EU.
Data Breach Notification
Narrative Industries has a responsibility to notify all customers of a data breach within 72 hours, and will do so.
Personnel and Procedures
All Narrative Industries staff are resident in the UK and we do not use overseas contractors when building or maintaining our core systems. We may use overseas contractors to work on new projects that have no data contained within them.
We operate strict access controls to our websites, production databases and storage services. Only selected staff have logons which enable access.
Our staff have been trained on security and are aware of our responsibilities under GDPR.