Contractors’ countdown to GDPR begins

The clock is ticking, with only a few months to go until the General Data Protection Regulation (GDPR) comes into force on May 25th 2018. So how can contractors and companies use the next 99 days to get GDPR-ready?, asks Punam Tiwari, senior legal counsel at IT consultancy Gibbs Hybrid.

In its simplest form, GDPR will allow individuals to have more power over their own data, and organisations will need to put the systems in place that prevent and detect any breach of that data.

For instance, individuals will have strengthened rights to access their information through the additional right of data portability and GDPR has revised the definition of ‘consent’ to require a “freely given, specific, informed and unambiguous” indication of the data subject’s wishes, thereby moving away from the “opt out” feature which was relied upon before.

Companies, on the other hand, will be required to report any data breach without undue delay and no later than within 72 hours of its occurrence.

But as well as affecting corporations, GDPR also has implications for contractors working with them, if these contractors have any access to personal data. One of the focus points in the regulation centres over how data is communicated and shared between organisations and individuals who control customer data and third parties, such as contractors or consultants, who also have access to it.

Under GDPR, “data controllers” will need to make sure they have granular contracts with any third party “data processors” who process this data, and will have to only appoint processors who can provide “sufficient guarantees” that they will meet the requirements of GDPR.

The regulation is extending the responsibility for compliance to contractors who are data processors as well as the companies who determine the purpose and manner for processing the personal data.

So what will contractors, and companies, do to ensure GDPR compliance? First, it’s important to work out if the regulation applies to you.

GDPR rules are far-reaching, but only cover information defined as “personal data”. This is any data that can be used to identify a living individual, such as address or date of birth. Sensitive personal data or “special category data” is personal data such as health data, details about race or ethnicity, religious beliefs, sexual orientation, political beliefs, or any biometric and genetic information, which is deemed to be even more sensitive than personal data and so the regulation considers that it needs more protection.

If a contractor (or company) does not have access to this personal data or special categories of data, then GDPR would not apply. It is recommended that specific advice is taken on this point to determine the nature of the “data”.

If the data is being transferred between the organisation or individual and a third party, each party will need to make sure they have the systems in place to protect this data from attack, and detect any breach should it occur. This means that any affected contractors will have to make sure their cyber security systems are up-to-scratch and capable of detecting leaks.

But for contractors in the cybersecurity and data-management space this offers a growing opportunity. Faced with the scale of preparing for GDPR, many companies are looking to external expertise to ensure compliance. Two in five European governments and companies are forecast to increase their cybersecurity spend by 15%, leading to a huge growth of new jobs in the industry. As organisations become more circumspect about the way they store, share and manage personal data, a lot of work -- and training on GDPR -- will need to be done.

With only a few months to go, and the threat of substantial fines in the event of non-compliance, GDPR is the word on everyone’s lips. Companies and their contractors will need to make sure they have taken the necessary steps to ensure compliance, and make the regulation work for them.