Four letters that have been on everyone’s lips in recent months are GDPR, standing for General Data Protection Regulation – the EU’s new set of rules for protecting personal information, which comes into force on 25 May 2018. After that date, if you run a business or organisation that collects, controls or processes personal data, you will be required to abide by a significantly more stringent set of controls than the ones that have been in force since the last EU regulation two decades ago. And with penalties of up to €20m (or 4% of turnover, whichever is the higher), it’s not the sort of thing you want to ignore.
We can offer advice and services to help you with your GDPR compliance, but it’s important to understand how the regulation has changed the data processing landscape and what your responsibilities are. Below is a quick summary of the most important points of the GDPR.
10 Things you should know about GDPR
1. What ‘personal data’ means
The GDPR describes personal data as any data that can be used to identify an individual. This is a much more comprehensive definition, including sensitive information such as medical records, religious persuasion and financial details, as well as social media posts and shared images, and the more obvious name, address, age, phone number etc. Data you already hold must also be compliant.
2. It applies here too
Brexit or no Brexit, UK companies will need to comply with the GDPR. The Information Commissioner’s Office (ICO), the UK’s independent authority set up to uphold information rights in the public interest, will make sure of that. One of the major changes is that the GDPR is effective worldwide; i.e. it doesn’t matter where you are in the world or where you conduct your business: if you hold or process the personal data of individuals resident within the EU, you must comply with the GDPR.
3. Data processors are no longer exempt
Another big change: it used to be the data controller (whoever decides what data is gathered and how it will be used) that was solely responsible for data protection. Now that responsibility also lies with the data processors (organisations providing processing services to data controllers, such as marketing companies).
4. No more opt outs
Transparency is paramount when gathering personal data. You must make it very clear what information you are collecting, what you are going to use it for and how you are going to store it. And you can only collect data where the subject has given their explicit consent by ticking a box to opt in. If you change the way you intend to use an individual’s data you must go back to them for renewed consent. And if you’re collecting information from children under 13, affirmative consent must be acquired from their parents.
5. Documentation is key
The GDPR requires diligent record-keeping, including documentary proof of consent wherever data has been collected. You will be expected to produce your records on request from the authorities or from data subjects. In the event of a data breach, you will be required to show your data protection impact assessment (DPIA), a document you need to produce to demonstrate that you have taken appropriate measures to identify, assess and mitigate or minimise privacy risks.
6. Data breaches must be reported
If you do suffer a data breach, you must notify your national data protection authority (in our case the ICO) within 72 hours of discovering the breach. This requires a certain level of technology, training, communications and processes to ensure you are quick to detect and respond to any data breach.
7. You might need a Data Protection Officer (DPO)
Record-keeping and reporting should be the responsibility of a designated DPO if your organisation is:
- A public authority
- Engaged in large-scale systematic monitoring of user data
- Processing large volumes of personal user data
The term ‘large-scale’ is left open to interpretation but it has been stated that this does not rule out SMEs. Your DPO must be “designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices”.
8. You must respect the individual’s rights
If an individual requests access to their data, you must comply within 40 days and you can no longer charge for the service. If they ask to have their data deleted, you must not only erase any of their data that you hold but you must also ensure that any other organisations connected to you also delete it. This means having the processes in place to carry out a thorough delete.
9. The penalties are frightening
The maximum penalty for failing to comply with the GDPR is €20 million or 4% of turnover, whichever is the higher. That’s such a scary figure that it’s been generally assumed the authorities will only go after the giants, but it’s best not to find out. Even if you avoid a fine, the authorities have the power to stop you from all data processing activities, which could effectively bring your business to a grinding halt.
10. Help is at hand
As the deadline for being GDPR compliant draws nearer, you may want to call in expert help. We process data on behalf of most of our clients and have a good understanding of the GDPR and how it applies to all sorts of businesses. We can also help you with the installation of compliance software that will help you remain in step with the GDPR.
If you want to read the full 99 articles of the 88 page GDPR document for yourself, you’ll find it all here!
Or you could just call us to get started.