We know what you’re thinking, ‘not another confusing post on the GDPR’, but we’re going to do our best to explain the EU’s General Data Protection Regulation without leaving you in the depths of legal jargon. Our aim is to give you a better idea of what the GDPR is and what it means for your business…and, with any luck, help you to avoid any future bank-busting fines!
What is the GDPR and where did it come from?
We all know how rapidly technology changes, and we’ve come a long way in the past two decades. The UK currently relies on the Data Protection Act 1998, but the use and storage of data has changed rapidly in that time, and there are now more and more ways in which data is being exploited. To bring legislation up to date, the EU has spent four years working on the GDPR, which will bring stricter fines for non-compliance and data breaches, as well as giving individuals more say overall in what companies can do with their data.
The EU hopes that the GDPR will bring more trust back into the digital economy, and as the legislation means that data protection rules will be more or less identical throughout the EU, this should also provide businesses with a clearer legal view.
What about Brexit?
The GDPR will take effect before the outcome of the Brexit vote comes into effect, so the UK will still have to comply for the time being. However, the UK government is already working towards a solution for when the UK leaves the EU, developing a new Data Protection Bill that effectively mirrors the GDPR in UK law.
Who does the GDPR apply to and what does it mean for my business?
The GDPR is to take effect in all EU member states from 25th May 2018. It applies to, and must be adhered to by, the company or organisation that requires the data, as well as the person or business doing the actual data processing. It also affects international businesses: if they are handling data that belongs to EU residents, they must abide by the legislation too.
There are a few things to keep in mind at all times when prepping for the GDPR so that you can avoid any of the hefty fines that come with a data breach.
Purpose – Any personal data should be processed lawfully and for a specific purpose. Once that purpose is fulfilled, that data is no longer required and should be deleted.
Consent – The individual must have consented to their data being processed and must understand the purpose it is being used for. It must be made clear to the individual what they are consenting to.
Record – A record must be kept of how and when an individual has given consent for their data to be processed.
Access – Individuals have the right to access the data a company holds on them and they can also withdraw their consent at any time.
‘Right to be forgotten’ – If an individual believes it is no longer necessary for their data to be used for the purpose specified, they have the right to demand it be deleted. You must then inform other affiliated companies to delete any copies of this data.
Definition – What falls under the heading of ‘personal data’ has changed significantly, but to put it briefly, IP addresses now qualify, as does any personally identifiable information, such as cultural or economic factors. Anything that previously qualified is also included.
Storage – There is no definite limit on how long you may store the data for. However, you must state in your new Data Policy how long you will keep the data and what happens to it when that period is reached.
What happens if you suffer a data breach?
From the moment you become aware of a data breach, you have 72 hours to inform your data protection authority. You should be ready to provide a clear outline of what the breach is, how many people are affected, the consequences of the breach for those individuals and then your plan of action. Before this, you should also make sure you inform the people affected by the breach. If you fail to meet the 72-hour deadline, you will be at risk of a penalty of 2% of your annual worldwide revenue or €10 million, whichever is greater. These figures double if you don’t follow any of the GDPR guidelines for processing data. The fines are, however, subject to the type of breach that occurred. The important thing to remember is that the authorities will favour those who follow the rules and meet the deadline.
What do I do now?
Be proactive. Start prepping now so it isn’t as big a change when 25th May rolls around. This is as good a time as any for a digital spring clean. Make sure the data you store is relevant and actually needed for a purpose; otherwise, holding it will be a breach of the GDPR once it comes into force. Check through all of your data and ensure it is up to date and accurate.
If you handle large amounts of data or send out regular marketing campaigns, it might be best to appoint a Data Protection Officer. It’s important to choose the right person for this role, as they will essentially be responsible for your entire organisation’s compliance with the GDPR legislation.
The key part to all of this is to be transparent and be prepared.