General Data Protection Regulation (GDPR)
In May of 2018, the EU GDPR, or General Data Protection Regulation, will come into force. Do you know what that means for your business, or for you personally?
Understanding What GDPR Is
The GDPR replaces the Data Protection Act of 1998 and applies to every organization that works with the data of any EU resident. From May 25, 2018, if you process, manage, or store any personal data, you will need to understand it. This blog gives you more insight, but here is an overview of what the GDPR is about.
- You must obtain consent from everyone whose data you collect, and you must provide a comprehensive, clear privacy notice that helps people understand what is being done with their data.
- Organizations must be able to prove that they received consent if they choose to process any personal data. If the person is under 13 years of age in the UK, or under 16 in other EU countries, parental consent must also be obtained.
- Data breaches of any type must be reported to your local Supervisory Authority (the Information Commissioner’s Office if you are within the UK) within 72 hours.
- The term “personal data” is broadened: online identifiers such as IP addresses now count as personal data.
- The powers of the Supervisory Authorities are increased, allowing them to impose higher financial penalties on organizations that suffer breaches or fail to comply.
In a severe case of non-compliance, an organization can be fined up to €20 million or 4% of annual worldwide turnover, whichever is higher. For lesser breaches, organizations can expect a penalty of up to €10 million or 2% of annual turnover.
The Effects of the GDPR on Small Businesses
The GDPR has the potential to have a significant impact on some small businesses, which will need to start taking steps toward compliance quickly. The law applies to businesses of all sizes, from a sole trader up to a multinational corporation.
While the GDPR was being developed, an important question arose about which companies would be required to appoint a DPO, or Data Protection Officer. The regulation states that public authorities, any organization that performs “regular and systemic monitoring of individuals”, and any organization that performs “large-scale processing of special categories of data, such as health records” must appoint a DPO.
For businesses outside those categories, there is no legal requirement to appoint a DPO. The implication, however, is that nearly every company that handles any type of personal data should designate someone to cover GDPR compliance, whether or not that person is a formal DPO.
The Information Commissioner’s Office stresses that any company currently in compliance with the Data Protection Act of 1998 should not be alarmed by the new GDPR requirements. Instead, the changes should be treated as an opportunity to review existing practices: a progression from the old level of compliance, not a new beginning.
This year’s ransomware attacks from multiple sources have proven the need for businesses to put robust cybersecurity and antivirus measures in place. For those that have not yet done so, the new regulations provide both the motivation and the opportunity to bring their practices up to standard.
Brexit’s Effect on the GDPR
Initially, Brexit will have no effect on the GDPR. When the new law comes into force (May 25, 2018), the UK will still be an EU member state and will therefore be required to comply. In addition, the UK government confirmed in October 2016 that it would implement the GDPR whether or not Brexit went ahead. Whether those commitments change once the UK is no longer part of the EU remains to be seen, but for the time being it makes sense to assume that nothing will change. Whatever happens, British companies that want to do any type of business with an EU partner after Brexit will have to comply with data protection standards similar to the GDPR.
Checklist for GDPR Compliance
- Discussions about compliance must begin early within your organization. Not all aspects of compliance take the same amount of time, and some will cost more to put into place than others. Allow enough time for proper preparation.
- Keep track of all personal data that you hold, whom you obtained it from, and whom it is shared with. Systematic audits of your current processes are a good way to begin identifying the changes you will need to make.
- Review your current privacy notices. Under the GDPR, you will need to state the legal basis on which you process customer data and how long you retain it. You also need to make sure customers know what rights they have to change or restrict what you do with it.
- Your processes for deleting stored data must be robust enough to handle any individual’s request to have their data erased, and individuals must be made aware that they have this right.
- Be aware that data must remain portable. Individuals may request their commonly used data in a machine-readable format, free of charge, within 30 days of the request, so you need to know how you will provide it.
- Review how you gather, record, and process consent for data collection. Remember that consent must be given explicitly; you cannot infer consent from pre-ticked boxes on a form, as doing so could leave your organization in trouble.
- Have a system in place to verify the ages of people giving consent, and make sure that any privacy notices you publish can be understood by everyone, including children.
- Reinforce your current reporting procedures for data breaches so that your organization meets the new timelines. Compliance failures may become much bigger issues under the GDPR than they are today.
- Take proper steps to appoint your organization’s DPO if one is required; if not, make sure you have someone in place to lead GDPR compliance.
- As part of GDPR compliance, secure your website against potential data breaches by keeping all software up to date and encrypting personal data. More info on secure, GDPR-compliant hosting.
This is only a summary of upcoming changes you and your organization should know. If you want a more detailed explanation on GDPR compliance, read this guide directly from the Information Commissioner’s Office.