GDPR – General Data Protection Regulation, What do I need to know for my business?
On the 25th of May 2018 the new GDPR regulation comes into force. But what does this mean?
The GDPR is the biggest update and change to Europe's data protection laws since the Data Protection Directive of 1995. The regulation takes effect in May 2018, and there is a lot to be aware of so that you can be compliant with the new law.
This new regulation will require businesses to protect the personal data and privacy of the people whose information they hold and process. Personal data must be processed according to the six data protection principles:
- Processed lawfully, fairly and transparently.
- Collected only for specific legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and kept up to date.
- Stored only as long as is necessary.
- Processed with appropriate security, integrity and confidentiality.
Companies will also have to obtain consent to collect an individual's information. This consent must be clear, freely given and informed, and it can be withdrawn at any time. This is great news for individuals, as we will now be able to trust companies not to share our details with anyone else; hopefully this may reduce spam emails and phone calls in the future. This new law should help prevent data breaches, which have become more and more common over the past few years.
However, for companies this could mean a hassle and lots of new problems. These new rules and regulations are going to affect how companies have been operating for years. They will need to adapt to different systems and data management methods to comply with the new law. Most organisations will need to bring new processes into place to ensure they are working legally and in compliance with the GDPR. If companies do not change their data management to comply with the GDPR, they could face fines of millions.
Who does this affect?
Positive impact for individuals:
Businesses will now have to apply the same level of protection to all of an individual's data: whether it is their IP address or cookie data, it will need to be treated with the same level of protection and security as the individual's name and address. Consent to hold an individual's data must be clearly given.
Individuals will now have the right to be forgotten (the right to erasure), and they can request this at any time. If an individual asks an organisation to delete their personal data from its records, the company must comply as long as the data is no longer necessary or accurate.
Individuals will also have the right to data portability. This means someone can request that a company move their data to another organisation.
Impact for Businesses:
This new law will make most businesses rethink how their processes work regarding individuals' data and how it is used and stored. Businesses will need to start getting things in place and following new procedures as soon as possible to be ready for when the regulation takes effect in May.
If companies do not comply with GDPR they could face a fine of up to 4% of their annual global turnover or 20 million Euros, whichever is greater.
This law protects any citizens within the EU and their personal data, so it may still affect and have implications for companies operating outside the EU that use EU citizens' data. This includes any company whose data processing activities relate to offering goods or services (even for free) to individuals working and living in the EU. If you're based outside the EU but use, process or hold data belonging to anyone living in Europe, you are liable.
What can you do?
Businesses will need to review their own data protection policies and then update them to comply. Companies should be putting a plan in place as soon as possible to make any changes necessary to be compliant with GDPR. These plans and procedures should have clear policies in place meeting the required standards. This may include, when obtaining any personal data, making sure there is a written record of the consent to hold that person's details. Make privacy a top priority for any new processing procedures: not only will this show compliance with the new regulation, it may also give an advantage over those who have yet to put this in place.
Have a procedure in place to deal with any data breaches: how to handle the situation and how to disclose the breach to the affected individuals. It is your own responsibility to inform your local data protection authority (the Information Commissioner's Office in the UK) of any breach that risks people's rights and freedoms within 72 hours of your organisation becoming aware of it. Failure to report this to your data protection authority and to the people whose data is involved means you could receive a fine of up to 2% of your annual worldwide revenue, or €10 million, whichever is higher.
Be prepared for individuals to exercise their rights under GDPR, such as the right to erasure and the right to data portability. When following up on someone's request under the right to data portability, make sure people's information is stored in commonly used formats such as CSV files, so that the person's data can be moved to another organisation easily. The party holding the data must do this within one month, and this service must be free of charge.
If you are a large public organisation carrying out data processing that regularly requires monitoring individuals, you may need to consider hiring a data protection officer to ensure all data management is handled correctly and legally.
Don't put it off: start preparing for GDPR now.