From 25th May 2018, every UK business will need to be fully compliant with new data protection laws: the EU General Data Protection Regulation (GDPR). The EU spent four years preparing GDPR, which was approved at the European Parliament in 2016, allowing two years for organisations to comply with the new legislation.
GDPR will replace the current Data Protection Act from 1995, bringing it up to date with how businesses use Internet and cloud technology, making provision for the new, previously unforeseen ways businesses are gathering and using personal data. This new legislation is designed to protect and empower all EU citizens (and UK residents following Brexit – more on that later), offering tighter control and transparency over how their personal information is used.
The EU also aims to revolutionise the way organisations approach data privacy, with a uniform change that makes it simple and clear. By doing this, the EU estimates it will collectively save businesses over €2.3 billion a year.
Broadly speaking, GDPR will affect every organisation that holds or uses personal data, including businesses outside of Europe. So once the legislation comes into effect in May 2018, any kind of personal data, including IP addresses and other online identifiers, must be processed lawfully and transparently and, when required, deleted.
GDPR talks about both Controllers and Processors in its guidelines. If you’re unsure of the terminology here, a controller is an entity that determines how personal data is used (a business sending marketing emails, for example) and a processor processes the data on behalf of a controller (the email provider who stores the email data on their systems for sending the emails).
You may fall into either category or both, but you’ll still need to ensure you’re compliant, and with the enforcement date looming, it’s imperative that every business knows exactly what they need to do to avoid the significantly increased and hefty fines.
The key changes GDPR will introduce are as follows:
1. Penalties for non-compliance are either 4% of a company’s global revenue, or €20m – whichever is higher.
2. If a breach occurs, the EU government needs to be notified within 72 hours. Failure to do so could lead to a €10m fine, or 2% of your annual worldwide revenue, again, depending on which is greater.
3. Clear and plain language must be used when requesting consent for the use of personal data, so any illegible T&Cs full of confusing and obtuse language will need to be revised. You also can’t offer people pre-ticked boxes or ask them to perform an action to opt out. Instead, clear, affirmative consent needs to be obtained before using anyone’s data.
4. Data controllers need to make it easy for people to withdraw consent to use their data.
5. If requested, data controllers need to provide a free of charge copy of personal data in an electronic format. Plus, they should offer secure, direct access to the information they’ve stored.
6. Data must be saved in commonly used file formats like CSVs, so it can be moved to other organisations free of charge if a person requests it. If that happens, controllers are obligated to move that data within one month.
7. People can exert the right to be forgotten. This Data Erasure means that:
   - Controllers must delete any data that’s no longer being used for the purpose it was collected for;
   - If someone revokes the right for that company to hold their data, the company must delete it.
8. As a data controller, you can only hold and process data that is absolutely necessary for the completion of your duties.
9. If you’re a company processing large amounts of sensitive data or monitoring the behaviour of consumers, you’re required to appoint a Data Protection Officer.
69% of businesses in the UK voted to keep GDPR in place even after we leave the European Union. The widespread support for the legislation is undeniable, but Brexit has made its implementation less clear.
If your customers are in the EU, you’ll have to comply with GDPR regardless of what happens during Brexit. If you only conduct business within the UK, the issue is more complicated. However, in August 2017, the UK government put forward their own Data Protection Bill, and it’s very similar to GDPR, so, post-Brexit, UK data will still be protected in much the same way.
The amount of work involved when preparing for GDPR will vary depending on a number of factors: how much you use marketing data, how you communicate with your prospects (by email or telephone), and whether you’re already working in line with industry best practice accreditations. If you align with the likes of ISO 27001, chances are it will be more about making tweaks, rather than overhauling the way you operate.
Regardless of your business’s activity, if you use personal data you’ll need to review the way you work and implement the necessary changes as soon as possible to ensure compliance. Seeking some expert advice is often appropriate if you are unsure about specifically what measures you need to put in place to remain on the right side of the regulations.
GDPR will shake up how we store and use data, and it firmly places the customer or user’s rights at the centre. Despite the effort and additional cost that may well be involved in becoming compliant, a big proportion of UK businesses see the value of the legislation, and support it.
The challenge lies with defining the actions that need to be taken and bringing your business’s systems and processes in line with GDPR’s stipulations before the 25th May 2018.
Failure to be fully compliant could lead to a significant fine and so if you haven’t started preparing to implement these new regulations across your business, start now, or seek expert compliance advice to help you make the first steps.
As CFO, Ed makes sure Secura's finances are run like a well-oiled machine. He also monitors excessive stationery usage like a hawk, swooping down on offenders with alacrity.