What does the new GDPR legislation mean to me as a business owner?
New legislation comes into force in May 2018 that requires every business handling data to meet stringent new requirements or face hefty fines. GCI’s Danny Mills talks through what it is, as well as what firms need to do to stay on the right side of the law.
5 April 2017
What is GDPR and why should I care?
The General Data Protection Regulation (GDPR) is EU legislation designed to beef up data protection regulations and comes into force on May 25th, 2018. It replaces the existing Data Protection Act (DPA) and is far more rigorous. The penalties for non-compliance are also much more severe – firms can be fined up to €20m or 4% of their annual turnover. Compare this with the current maximum fine that the Information Commissioner’s Office can levy of £500,000 and we can see it’s a big leap.
I’m only a small business. Do I still need to be concerned?
Yes, if you handle personal data then you need to comply. Given that any business will hold information about employees and contacts, GDPR pretty much applies to every organisation small and large.
What data does GDPR apply to?
The categories are similar to the DPA: data is classified as either ‘personal data’ or ‘sensitive personal data’. By personal data we mean HR records, customer contact information and online identifiers (for example email or IP addresses). Sensitive personal data covers the special categories; biometric data is one simple example.
But we’re leaving the EU. Does it still apply?
Yes, the government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
What are the main differences between GDPR and the Data Protection Act?
GDPR takes the Data Protection Act but applies a lot more rigour. The key difference is accountability. Essentially, firms must ensure that personal data is collected for valid reasons, stored securely, and accessed ‘only by those who need it’ for valid data processing reasons.
There is also a requirement to delete the personal data once it is no longer needed for the processing activity. Data controllers must also comply with the ‘right to be forgotten’ when an individual asks for their data to be erased if it’s no longer required for processing.
Proof of compliance might be required at any stage. This means firms will need to evidence their policies on data handling, prove they are processing the data lawfully, and provide evidence that they have consent.
It also mandates special considerations for children’s personal data. Additionally, public organisations and enterprises processing a certain number of data records will need to appoint a Data Protection Officer (DPO).
What do I need to do?
It’s key to remember that whilst technology can help, the main challenge is around people and process. Much of it is simply ‘what we’ve always needed to do’.
The first step is to formulate a plan. Think about all the areas of your business where personal data is stored. If you’re already doing this for the Data Protection Act, then you have a head start. Storing anyone’s data constitutes a risk for them, so think about how that can be mitigated. Is access restricted to only those who need it as a specific part of their job function? Is data encrypted, so that if there is a breach by a cyber criminal there is less chance of them being able to read it? Do you actually need to capture the data in the first place? If data doesn’t exist, it can’t be breached, so think carefully about the amount of personally identifiable information (PII) that you hold on individuals.
Remember that a key difference of GDPR versus the DPA is that GDPR is more up to date with modern technology. It means, for instance, that IP logs of customers looking at your website constitute personal data and fall within GDPR.
Similarly, if personal data has been collected for marketing purposes but to some extent anonymised and ‘keyed’ according to certain group characteristics, it can still fall within the scope of the GDPR, depending on how difficult it is to unravel this and isolate it to a particular individual.
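To make the last two points concrete, here is an added Python example (not code from the article or from GCI) showing one way a web server’s access log can be handled under the principles above: visitor IP addresses are replaced with a keyed pseudonym, and entries older than a retention period are deleted rather than kept indefinitely. The log lines, the key, the retention period and the `process_log`/`pseudonymise_ip` function names are all constructed for illustration. The keyed pseudonym is still personal data for whoever holds the key, which is exactly the ‘how difficult is it to unravel’ question the article raises; the example shows that the key, not the hashing, is what makes the difference.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines (Apache combined-style). The addresses are
# documentation ranges, not real visitors.
SAMPLE_LOG = """203.0.113.7 - - [01/Mar/2017:10:15:32 +0000] "GET /pricing HTTP/1.1" 200 512
198.51.100.23 - - [04/Apr/2017:08:02:11 +0000] "GET /contact HTTP/1.1" 200 1024
203.0.113.7 - - [04/Apr/2017:09:45:00 +0000] "POST /signup HTTP/1.1" 302 0
"""

# Constructed secret; in practice this would live in a secrets store, be rotated,
# and be readable only by the staff whose job actually needs it.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<rest>- - \[(?P<ts>[^\]]+)\] .*)$")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Return a keyed pseudonym (truncated HMAC-SHA256) for an IP address.

    The same address and key always give the same token, so per-visitor
    analytics still work. An unkeyed hash would NOT be enough: the IPv4
    space is small enough that anyone could precompute the hash of every
    address and reverse the tokens. With a keyed HMAC, re-identification
    requires the key, so the token remains personal data only for key holders.
    """
    return hmac.new(key, ip.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def process_log(text: str, key: bytes, now: datetime, retention_days: int):
    """Pseudonymise IPs and drop entries older than the retention period.

    Returns (kept_lines, dropped_count). Dropped lines are simply not written
    out: data that no longer exists cannot be breached.
    """
    cutoff = now - timedelta(days=retention_days)
    kept, dropped = [], 0
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; skip rather than leak a raw address
        stamp = datetime.strptime(match.group("ts"), TS_FMT)
        if stamp < cutoff:
            dropped += 1
            continue
        token = pseudonymise_ip(match.group("ip"), key)
        kept.append(f"{token} {match.group('rest')}")
    return kept, dropped


def contains_raw_ipv4(lines) -> bool:
    """Sanity check used before publishing or sharing the processed log."""
    ipv4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
    return any(ipv4.search(line) for line in lines)


if __name__ == "__main__":
    now = datetime(2017, 4, 5, tzinfo=timezone.utc)
    kept, dropped = process_log(SAMPLE_LOG, PSEUDONYM_KEY, now, retention_days=30)
    print(f"kept {len(kept)} lines, deleted {dropped} expired lines")
    for line in kept:
        print(line)
```

Run as-is it keeps the two April entries, with both visits from 203.0.113.7 carrying the same token, and deletes the March entry that has passed the 30-day retention window. Changing the key changes every token, which is the property that lets the key itself be access-controlled and rotated.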
When do I need to start preparations?
Now! GDPR is the biggest upheaval in how data is handled in 20 years and there’s only just over a year to become compliant. Many will see it as a burden but much of this is best practice and will give reassurance to your employees and customers that you are doing the right thing by them.
In particular, we have seen over the last couple of years the damage and angst that can be caused by cyber attacks when personal data has been exposed. Had some of these firms been GDPR compliant, their customers would have been spared a lot of anxiety and the firms wouldn’t have suffered the level of reputational damage that has come their way. Whilst getting GDPR compliant will be a lawful requirement, it makes sense to do it in any case.
If you are unsure on how you could be affected or would like to discuss this topic further, please get in touch at firstname.lastname@example.org to arrange a free consultation with one of our technical experts.
Head of Enterprise Sales - North