On 25 May 2018 the General Data Protection Regulation (GDPR) comes into being – now is the time to start the process of ensuring your business is prepared.
What is the GDPR?
The GDPR replaces the Data Protection Directive 95/46/EC and is intended to regularise data privacy laws across Europe, whilst also addressing the export of personal data outside the EU. In an ever more data-dominated world, in which privacy and data breaches pose an escalating threat to businesses and consumers alike, it is anticipated that the GDPR will introduce an enhanced level of protection for all parties.
Does Brexit mean it will no longer apply in the UK?
Although the GDPR originates from the European Union, and will initiate unified regulation within the EU, it will still be operational in the UK. Brexit does not mean that the consequences of the GDPR will be unenforceable; businesses need to start making provision for the GDPR regardless of our exit from the EU. The GDPR will be live before the UK leaves the European Union and is, in fact, already in force – it’s just that Member States are not obliged to comply until 25 May 2018.
Consequences of non-compliance
The fines for non-compliance have been increased, so it is important to be confident that your business is observing the new data regulations. The GDPR has made headlines for the maximum fines it could levy (£17 million or 4% of turnover), but the focus is on protecting the individual and ensuring businesses are approaching data protection with a real commitment to getting it right.
The Information Commissioner’s Office (ICO) is committed to educating organisations in this data-driven world and will use its new capacity for larger fines justly, with a focus on lesser sanctions to guide businesses towards best practice.
A spokesperson for the ICO – the body responsible for enforcing GDPR in the UK – says: “The new law equals bigger fines for getting it wrong but it’s important to recognise the business benefits of getting data protection right. There is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals – and gain a competitive edge.”
What data does the GDPR apply to?
The definition of personal data has been extended within the GDPR to include a computer’s IP address or even your genetic make-up: anything that can help to identify an individual.
According to the European Commission “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
The GDPR applies to both automated personal data and to manual filing systems – a broader specification than within the current definition.
What has changed?
The GDPR’s central values remain the same as the Data Protection Directive, so there is certainly reassurance in the fact that if you are complying with the current laws then you have a solid starting point to build on.
There are some new directives though and you might have to make changes or implement new policies.
To look at things in very basic form, businesses need to:
- Keep records of all personal data that is held (employees, clients, suppliers etc.)
- Prove that consent was given
- Demonstrate where the data is going
- Show what the data is being used for
- Establish how the data is being protected.
The Information Commissioner’s Office (ICO) is a reliable source of information on the GDPR and the best way of working out the differences between the current policies and the new laws.
Key differences include:
- Accountability: increased emphasis on the documentation that data controllers need to maintain to show compliance with the GDPR
- Management of data: treated as a corporate issue (it would be helpful to review the processes you have in place for sharing data with other organisations)
- Consent: this is the fundamental change. The Article 29 Working Party are due to publish guidelines on consent before the end of 2017 and in March the ICO published their ‘Draft Consent Guidance’, which is well worth reading.
The GDPR will be looking at how much control you are giving individuals and how you build their trust – are you giving them a positive opt in and offering them genuine choice?
Within the GDPR there will be an obligation to report data breaches to the relevant authority, and in some cases the individual affected, if it is likely to result in a risk to their rights or freedom. Scenarios that could constitute a detrimental impact on an individual would include discrimination, loss of reputation and financial loss.
Keep an eye on the ICO’s Overview of the GDPR for more guidance on what represents a high risk data breach.
If a personal data breach that impacts on rights and freedom should occur within your business, you would have 72 hours to report it. With cyber-crime posing an ever-increasing threat, data breaches are becoming much more commonplace and it is crucial that you evaluate your approach to cyber-attacks to ensure you have the necessary protection in place.
How do I start preparing for the GDPR?
If you haven’t already done so, start planning now – giving you time to fully consider your processes and documentation and enabling you to make any system changes and upgrades as necessary.
The ICO has published a very useful ‘12 steps’ guide on how to prepare for the GDPR’s requirements.
A basic starting point is to ascertain where all of your data is, how it is being used and the policies you have in place for managing it. If you carry out a data audit, involving relevant personnel across your business and securing their ongoing co-operation, then you have a really good footing to start identifying any potential risks associated with your data processes.
An integral part of my role is to advise you on the range of communication solutions available and how these have the capacity to create efficiencies within your existing systems.