Think that the new General Data Protection Regulation (GDPR) doesn’t apply to you? Think again. Data privacy is a burning issue that is only becoming more foregrounded due to the increasing reliance on Internet-based processes working within the digital economy. Companies are holding more data about customers than ever before, and this increases the chances of leaking or mislaying information exponentially. News of cloud-based storage services being infiltrated for the purposes of accessing and obtaining sensitive data is just one example of how a new challenge has emerged from a convenient new technology.
The way that companies store and share data is a prominent concern for both companies and their customers, whether that’s payment details, stored CVs, mailing lists, or other information from algorithms. With so much data available, trust becomes a major apprehension. This article will serve as a prefatory text, outlining key points pertaining to the GDPR and including links to essential further reading for your business.
It’s time to get ready for GDPR
The GDPR replaces the Data Protection Directive and is a regulation that has been designed to improve and strengthen data privacy laws across Europe. By having a set of rules that apply multilaterally working in tandem with tougher enforcement, it is hoped that this will not only bolster trust in data related activity, but also simplify the legal requirements across the single market. Even in the midst of the Brexit process, it will automatically apply to the UK since the GDPR will take effect before the effects of the Brexit vote. The GDPR will be enforced from the 25 May 2018, and all organisations not complying will face heavy fines.
Harmonising data laws across Europe is intended to reshape the way organisations approach data privacy, and although much of the GDPR is the same as the current Data Protection Act, certain things will be changing. For example, the boundaries of what is considered to be personal data have extended, encompassing IP addresses as well as the existing identifiers in the Data Protection Act. Click here for a list of key changes and penalties. A two-tier system for fines will apply, and breaches of provisions by businesses could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is greater, as levied by data watchdogs. For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover, again, whichever is greater.
Regardless of how big or small your company is, chances are you will need to prepare for GDPR. It applies to what are defined as ‘controllers’ and ‘processors’ of data, with the former counting for those that hold data, and the latter being those that process the collected data. Processor and controller can both mean a natural or legal person, public authority, agency or other bodies. If any data belongs to residents within the EU, then the laws of GDPR apply, and it also protects those who are visiting the EU. Both the controllers and processors of data must ensure that they adhere to the laws to avoid potential data breaches.
After the implementation of the GDPR, personal data will have to be disposed of regularly according to its purpose and requirement. Data should only be processed for a legal and transparent purpose, and once that aim is fulfilled, the data must be deleted. Existing models that have allowed opt-outs and pre-ticked boxes will no longer be acceptable, giving the subject of the data greater control over consent. Clear, formal consent must be supplied by the subject of the data, and the controller of that data must keep up-to-date records of exactly when and how that individual gave their consent.
For small businesses, the GDPR can be seen as a positive thing. Compliance will probably be easier for small businesses because:
- Organisations with less than 250 staff will not have to train or employ a data protection officer
- They won’t have to change the structure of their organisations
- In some cases, they will no longer have to notify the Information Commissioner’s Office of their data processing activities, they will only have to keep detailed records of their own data processing activities.
To see vital information regarding compliance, the ICO has a range of documents specifically for small businesses here.
For more information about preparing for GDPR, click here to see this useful introduction with key steps you should take. Additionally, this document also outlines key steps to take to ensure compliance by the date of implementation.