In May 2018, we will witness the most significant overhaul in data protection in decades, as the European Union introduces the GDPR. The GDPR, the General Data Protection Regulation, will alter the way we handle and store data in a bid to protect personal information provided by consumers and clients. If you run a business that operates within the EU and you’re keen to learn more about how the GDPR will affect you, you’ve come to the right place. This detailed guide will provide you with information about what the GDPR means for businesses and customers, and tips to help you ensure you’re ready.
What exactly is the GDPR?
The General Data Protection Regulation (GDPR) represents the biggest shakeup in data privacy for over 20 years. After lengthy debate, the GDPR was approved by the European Parliament on the 14th April 2016. The GDPR will come into play on the 25th May 2018. If you’re found to be non-compliant after this date, there are consequences, including fines. The GDPR is a framework that has been drawn up to strengthen privacy and data handling laws in a bid to protect customers. Previous laws, which were enforced during the 1990s, are no longer relevant, as we are now producing and sharing a huge amount of digital data. The new regulations will affect companies, organisations and authorities that handle and store personal data. From 25th May 2018, the General Data Protection Regulation will replace the 1995 Data Protection Directive. The GDPR was first published in May 2016 in the EU Official Journal. Since its publication, businesses and organisations have had two years to adjust and modify the way they work in order to adhere to the new legislation.
The territorial scope of the GDPR
If you live in the EU, you will almost certainly be affected by the GDPR. The GDPR applies to all controllers and processors, which operate within the EU. If you run a business, for example, and you are based within the EU, you will be required to comply with the GDPR. If you’re not based within the EU, but you handle data provided by residents of EU countries, the GDPR will also apply to you. Companies and bodies that are not based in the EU are also required to adhere to the GDPR if they are responsible for monitoring the behaviour of organisations that operate within the EU. The scope of the GDPR is, therefore, both territorial and extraterritorial. In the most basic terms, if you come into contact with personal data provided by an individual or a business based in the EU, you will be required to fulfil the criteria set out by the GDPR. If, for example, you’re a business owner based in the USA, you will need to ensure your company is GDPR compliant if you do business with EU residents, you have access to data pertaining to EU citizens or you monitor the behaviour of EU subjects. The territorial scope of the GDPR is outlined in Article 3.
What is the definition of personal data?
Personal data is information related to a ‘data subject.’ In simple terms, personal data is information that can be used to identify a person, either directly, for example using their name, or indirectly, for example, using their IP address to find out more. Examples of personal data include:
Social media posts
Bank details and account information
Within the category of personal data, you may also come across the term sensitive personal data. This information relates to:
Membership of trade unions
How does GDPR affect the privacy rights of individuals?
The GDPR will affect businesses and organisations that handle and store information and data, but it will also have an impact on individuals. The aim of the GDPR is to make data protection and regulation more robust. There is so much information out there now, and old laws aren’t relevant to the way we live in 2018. As an individual, the GDPR gives you a host of new rights, which are related to the data you provide and share.
From May 25th 2018, individuals will have the following rights:
The right to be informed: this provides clarity linked to the type of information that is processed and how personal information is used
The right of access: individuals will have the right to access their personal data
The right to rectification: this relates to the ability to modify incorrect or inaccurate information
The right to erasure: individuals have the right to erase information that is no longer relevant to the processor
The right to restrict processing: individuals have the right to inhibit processing. In this case, a business or organisation has the right to store the information, but not to continue processing.
The right to data portability: the right to portability allows individuals to access and transfer data across different IT platforms
The right to object: individuals have the right to object to data processing in cases such as collecting information for scientific research, direct marketing and profiling
Individuals will also enjoy new rights that are linked to automated profiling and decision-making processes. Automated decision-making involves the use of technology, such as computer software, with no human involvement.
What obligations do organisations have under the GDPR?
Under the GDPR, businesses and organisations have an obligation to use, store and share information in accordance with the guidelines and legislation laid out in the new framework. Failure to comply with the GDPR will result in penalties. The GDPR requires you to review, rethink and refresh the way you access, store and use personal data provided by customers, clients and consumers. Here is a simple checklist outlining the obligations and responsibilities:
Understand the data you handle and demonstrate clearly what you’re going to do with it: businesses and organisations must be able to show that they have an in-depth understanding of the different types of personal data, and that they are aware of where the information is coming from, how they use it and where it may end up. Types of personal data include names, addresses, email addresses and phone numbers, while sensitive personal data relates to religious and political beliefs, race and sexual orientation, for example.
Provide clarity on whether you are seeking consent to obtain and process personal data. If you are relying on an individual providing consent, you must ensure that consent is clear. Some companies have adopted an ‘opt-in’ feature to make it apparent that customers have given consent.
Take a good look at your current security measures and the policies and procedures you have in place to protect data and reduce the risk of security breaches.
If your business employs more than 250 people or you are responsible for continual or systematic monitoring, you must appoint a data protection officer. A data protection officer is responsible for ensuring that the business is compliant and can also act as a point of contact for both employees and clients.
Provide information about how you plan to collect and store information, how long you plan to have access to that data, what you plan to do with it and why you want to obtain it. Companies must also provide details of the measures they have in place to protect data and prevent security breaches.
Organisations must report security breaches to the relevant authorities. In the UK, the ICO (Information Commissioner’s Office) must be informed within 72 hours.
Organisations should demonstrate that they have an understanding of the GDPR and a commitment to data protection by providing staff training, introducing internal policies and auditing.
Documentation must be updated and reviewed on a regular basis.
Preparing for the GDPR: a step-by-step guide
Make your employees aware of the changes that will occur when GDPR comes into play.
Carry out an audit to determine what kind of information you hold, where you get it from and what you do with it.
Review the privacy measures you employ currently and make necessary adjustments in line with the GDPR.
Make sure everyone is aware of the individual’s rights outlined by the GDPR.
Modify the way you ask for information and handle data requests.
Get to grips with the legal obligations for handling data and update your privacy notice to explain how you handle data and ensure you comply with the GDPR requirements.
Revise the way you seek consent if it doesn’t match the GDPR standard.
Check that you handle data provided by under-18s in the right way, and seek consent from parents or guardians if this is required under the GDPR.
Ensure you have policies in place to tackle and report security breaches.
Consider appointing a data protection officer.
What are the costs of non-compliance?
The GDPR is a robust policy that carries significant penalties for non-compliance. In the past, if you didn’t adhere to data protection policies and regulations, fines of up to £500,000 could be issued. This sum was reserved for the most significant, large-scale breaches, and most companies and organisations received much smaller fines. The GDPR threatens much more severe punishments, in the form of fines of up to 20 million euros. Currently, the regulation sets fines of up to €10 million or 2% of annual turnover for less severe offences, and €20 million or 4% of annual turnover for serious infringements. The fine charged would be whichever of the two figures is higher, with turnover defined as global turnover. If you had a global turnover of €100 million, for example, you would be charged €20 million, as this sum is greater than 4% of the annual turnover. The numbers are vast, and they may instil fear in business owners, but the expectation is that companies and organisations will go out of their way to eliminate even the smallest possibility of falling foul of the rules. If you have reservations about GDPR compliance, it’s worth double-checking with the deadline looming. If you don’t already have a data protection officer on board, it may be a good idea to seek advice to ensure that everything is in order.
The fines appear excessive, but the ICO is keen to point out that penalties will only be issued as a last resort. No company director will find themselves in a situation where they get a demand for millions of euros out of the blue. Those who are in danger of breaching the regulations will be informed and encouraged to make the necessary modifications before a fine is imposed.
If you run a business or you have contact with customers or clients based in the EU, it’s better to go too far in terms of data protection than not far enough. The more robust and watertight your approach, the lower the risk of facing punishment. Security breaches can be incredibly costly in terms of financial loss, but also in terms of your reputation. Customers want to know that when they consent to share data, or they provide you with information, they can trust you to keep that data safe and secure. If you lose trust, you’re likely to lose clients.
The GDPR represents the most significant change in data protection in the last twenty years. The GDPR was formulated to enhance data protection and provide individuals with more rights. It is designed to provide a modern solution that is better equipped to operate in the digital age. The GDPR will come into force on the 25th May 2018, although the policy was first published in May 2016 to give businesses, authorities and organisations time to adapt the way they work to comply with the new legislation. The GDPR affects organisations, authorities and individuals who are based in the EU, as well as companies or bodies that obtain data from customers and clients residing in the EU. Your business does not have to be based in the EU in order to fall within the scope of the GDPR. If you hold data related to customers in the EU, you will be required to adhere to these guidelines. The GDPR is also relevant for bodies that monitor behaviour within the EU. As well as reducing the risk of security breaches and securing data, the GDPR is also designed to give individuals more rights in terms of what kind of data they provide, where it goes and how long it is stored for.