The GDPR (General Data Protection Regulation) is something you might have heard a lot about already. Like most people, you have probably received dozens of emails in the last few weeks asking you whether you want to remain on marketing lists.
But have you taken action for your own business? You will almost certainly be affected in some way – and with the deadline now passed, it’s imperative that you take action as soon as possible to make sure you have everything in order.
Here’s what you need to know to ensure your business is compliant in a post-GDPR world.
What Is the GDPR?
Europe’s data protection rules have changed. On May 25th, 2018, the GDPR came into force, marking the biggest change to European data protection in two decades.
The GDPR has been in the works for years, but the final details were agreed back in April 2016. Since then, businesses across Europe and the world have been given two years to prepare.
The GDPR essentially changes the way in which businesses and organisations can use and process personal data. It also changes how businesses handle customer information. Its overall aim is to provide better rights and protection for individuals.
The reason for its introduction is that personal data rules had become outdated. Before this, we had the Data Protection Act 1998 in the UK, which was based on the previous directive dating from 1995. A lot has happened since 1995 – much more data is being produced, for a start. As a result, this new framework updates the rules for the digital era.
How Your Business Is Affected by GDPR
Your business will almost certainly be impacted in some way by GDPR. Essentially, if you possess or control any personal data or sensitive personal data, the GDPR affects you.
But what exactly do personal data and sensitive personal data consist of?
What Is Personal Data?
Personal data as defined by the GDPR is quite a broad category. In general, you should consider it to be any information that can identify a person. It could therefore include details such as a name, address, phone number, IP address, etc.
What Is Sensitive Personal Data?
Sensitive personal data, on the other hand, is personal data that, unsurprisingly, is considered to be of a more sensitive nature. This includes data about a person’s religious views, sexual orientation and similar information.
What You Need to Do
Because the GDPR is now in force, if you have not prepared your business, you must make this a priority. Exactly what you have to do will depend on the amount of data you handle, but it could turn out to be a lot of work or very little.
While you should seek legal advice to find out exactly which steps you will need to take, some of the most important include the following:
- You will need to have clear data protection policies in place. These will need to show exactly how you process data in your business.
- You have a responsibility to get consent from people when you collect information. In some situations, you will need consent to process data. This means using a positive opt-in when you get consent – a pre-ticked opt-in box is not acceptable. This is one of the reasons for the email bombardment of recent weeks where companies have realised they need to get express consent from people on their email lists. From now on, use a double opt-in. You should also use clear language to explain consent (which has always been a good idea anyway).
- You must also make it easy for people to withdraw their consent. Individuals have the right to be forgotten, and you need to have a process in place to delete their records. You must also provide them with a copy of their data.
- If you suffer a data breach in your organisation, you will have to inform the ICO within 72 hours of becoming aware of the breach.
- If you have over 250 employees, you will need to have documentation in place detailing why information is being processed, what the information is, how long it is going to be kept, and any security measures you are taking.
- You might also need to hire a data protection officer (DPO) if you monitor individuals on a large scale or process large amounts of sensitive data.
- If you want to process data relating to children 16 or under, you will need parental consent.
These are the main steps you will need to take. However, there are 99 articles in the GDPR that set out the individual’s rights, and you will need to ensure you comply with all of them.
Providing Free Access to Data
One of the changes that has come into effect is a focus on giving people greater access to the information that organisations hold about them, and on making it easier for them to request it.
Before the GDPR came into effect, people could use a Subject Access Request (SAR) for this information, but organisations could charge £10 to provide the data to individuals. The GDPR has made it free for people to make such requests, and you will also have to ensure you provide the data within a month.
What About the Fines?
As always when new rules come into effect, a lot of discussion focuses on the fines. And it’s true that if you don’t comply, you can face large fines as a consequence.
The fines go up to €10 million (or 2% of turnover) for small offences and up to €20 million (or 4% of turnover) for more serious offences. Compare that to the ICO’s maximum fine of £500,000, and that’s quite a big leap.
However, the chances of receiving such a fine are small. There is a preference to work with organisations to help them become compliant rather than to dish out large fines to make examples of them.
For example, if you have made a serious effort to meet your new obligations but you have fallen short, it is likely that the authorities will be more lenient rather than giving you a business-ending fine outright. Instead, you might be given a warning or a much smaller fine.
That being said, why take the risk? Complying with the GDPR is not difficult, so it’s better to be safe than sorry.
Make Sure You Comply
As mentioned already, the GDPR is now in force, so make sure you are complying. You no longer have time to prepare – the time to act is now. If you get caught out and cannot show that you have made any effort to comply with the new regulations, you could find yourself in hot water.
Do you need a data protection officer? Have you planned your process following a data breach? Have you determined the information that you hold on individuals?
If you are already complying with the Data Protection Act, there is a good chance you are meeting most of the requirements of the GDPR.
Still, always be certain of your responsibilities. Here’s a useful guide to other steps you should take to be compliant.
What About Brexit?
You might be wondering how much this will affect you after Brexit takes effect in 2019. The truth is, not much.
Right now, the UK is working on a new Data Protection Bill that will be very similar and will be based on the GDPR. So follow the requirements of the GDPR and there’s a good chance you won’t need to take much further action following Brexit (but always stay up to date with the latest information).
Get Legal Advice
This blog is designed as a general guide to the GDPR and your responsibilities, but it does not contain legal advice. We would highly recommend that you seek legal advice to find out what your exact responsibilities are so that you don’t leave anything to chance.
Find Out More
If you would like to read further information about the GDPR, here are some useful resources: