General Data Protection Regulation – or GDPR – is intended to strengthen and pull together data protection across the whole of the EU. It will enforce tight restrictions on how businesses use and handle personal information, and it will allow people to request that a company delete their personal data if there is no need to keep it, or to request a copy of their personal information without charge. In particular, GDPR will:
- Crack down on breaches and noncompliance with hefty fines
- Provide individuals with more control over what companies can do with their personal data
- Make data protection rules identical across the EU
As you can imagine, this change in regulations is vast – GDPR is a big deal. It will have significant implications for your business and how you use customer data. GDPR comes into effect from 25 May 2018 and the government has confirmed that Brexit won’t change this.
Why is GDPR being introduced?
The European Commission stresses that GDPR will not delete past events and actions, nor will it restrict freedom of the press – it is all about protecting people’s privacy. Many people are worried and nervous about mobile apps and businesses using and sharing their personal information. GDPR will be even more forceful in protecting children’s data, as children are often unaware of the realities of sharing their details online.
There are two goals behind the introduction of GDPR:
GDPR is intended to ensure data protection legislation keeps up with the ever-changing ways in which data is used.
The current legislation – the Data Protection Act 1998 – was created prior to the widespread use of the internet and social media, so it is now out of date with respect to newer software and systems such as cloud-based services and their associated security issues, such as data exploitation.
The EU is aiming to increase trust in the use of digital equipment and services by bolstering data protection legislation and introducing stricter enforcement and prosecution levels.
The EU also aims to make data protection identical across the whole of the single market by introducing clear and uniform guidelines under which businesses must legally operate.
When is GDPR becoming law?
The official implementation date for GDPR to become law in the UK is 25th May 2018, so there is still plenty of time to implement any necessary changes in order to ensure your business is ready.
The expectation is GDPR will become law before the UK formally leaves the EU, so all UK businesses must ensure they comply with the specified legislation. Even after Brexit, the government won’t be reversing the agreements.
Who will be affected by the new regulations?
Most businesses will be affected by GDPR. The regulations are designed to target how sensitive customer data is processed, stored and shared between businesses. This affects any business that holds names, records, files, addresses, and lists of customers or clients. This will impact:
- ‘Controllers’ of data – anyone who collects any element of personal data
- ‘Processors’ of data – those who process the data
GDPR regulations recognise that small businesses require different practices to large or public enterprises, so Article 30 of the regulations states that organisations with 250 employees or fewer will not be wholly bound by GDPR, although they are encouraged to comply.
Companies with over 250 employees must employ a data protection officer who is responsible for ensuring the business is fully compliant with the specified regulations.
What is classified as personal data under GDPR?
Anything classified as personal data under the Data Protection Act continues to qualify as personal data under GDPR. In addition, GDPR states that IP addresses and any mental health, cultural and economic information is classified as personally identifiable information.
Controllers are legally obliged to ensure any personal data is processed lawfully and transparently, for a specific purpose. Once the purpose has been met, the data should be deleted under the ‘right to be forgotten’.
GDPR specifies that consent to collect personal data must be an active and affirmative action from the individual. The existing passive acceptance of opt-outs or pre-ticked boxes will no longer be allowed under GDPR.
Controllers are obliged to keep records of how and where an individual gave consent for their data to be collected and the regulation allows individuals to request that their personal data is deleted if they’ve withdrawn their consent or they object to the way it is being processed.
Can individuals access their stored data?
Under GDPR, individuals:
- May request access to their data at defined ‘reasonable’ intervals and controllers must respond to the request within one month
- Have the right to access any personal information held by a company or organisation
- Have the right to know why their personal data is being processed, who has access to it and how long it will be stored
- Have the right to request their personal data is rectified if it is incorrect or incomplete
The new regulations state both controllers and processors must be fully transparent regarding:
- How they collect data
- What they intend to do with it
- How they process it
- How they store it (formats such as CSV should be utilised)
What happens if data is breached?
Non-compliance can have serious consequences, so it is better to be safe than sorry. Should a data security breach occur, GDPR regulations state that you must inform your relevant data protection authority within 72 hours of you becoming aware of the breach. The relevant authority in the UK is the Information Commissioner’s Office.
Before you inform the Information Commissioner’s Office, you must first inform the individuals affected by the data breach. If you fail to do so within the 72-hour timeframe, the penalty is a maximum of 2% of your worldwide annual revenue or the equivalent of €10 million, whichever is the higher amount.
How do I ensure my business is compliant?
In order to make sure that your business is ready, you should start preparing for the implementation of GDPR as soon as possible.
- Ensure key people within the business are aware of GDPR, its requirements and its implications
- Begin to document all personal data you hold. An audit may be necessary
- Review how you obtain, record and manage consent and whether you need to make any changes to meet the new regulations
- Identify whether you need to put any new systems in place to verify individuals’ ages when collecting personal data
- Check your existing privacy policies and provisions and instruct a data protection officer if necessary, clarifying where this role will sit within your company structure
- Determine which policies you need to update or adopt in order to meet compliance
- Clarify how you plan to delete data if required by an individual
- Ensure firm plans are in place to train your staff to meet the new requirements
- Check the data policies of any third parties who are defined as processors comply with the new regulations
- Ensure you have the correct procedures in place to identify and report a data breach
What will happen if you fail to comply with GDPR?
If you fail to inform affected parties in the event of a data breach, or fail to adhere to the key rules for processing data, you will face enormous fines.
Your relevant data protection authority could issue a penalty of up to €20 million (or the equivalent), or 4% of your annual global revenue, whichever is greater.
The businesses that will flourish will be those that embrace the change of mindset that GDPR brings. Instead of seeing data protection purely as a compliance issue, respect people’s privacy and process any personal information ethically; essentially, it is simply good business practice.