The General Data Protection Regulation, or ‘GDPR’, is the result of years of work by the EU to modernise data protection legislation.
Since the creation of the previous regulations, the Data Protection Act 1998, the way personal data is used by business has changed dramatically. The volume of personal data captured by businesses and the sheer number of organisations that can be involved in the processing and gathering of data was not imagined 20 years ago and has left the public vulnerable.
1. Why is GDPR such a big deal?
2. When will GDPR come into force?
3. Who will GDPR affect?
4. Will GDPR still apply after Brexit?
5. What types of business will be affected?
6. How will GDPR affect my business?
7. When do I need to start taking action?
8. What happens if I don’t comply with GDPR?
9. How do I ensure my business is compliant with GDPR?
Why is GDPR such a big deal?
GDPR represents the biggest change to data protection laws in twenty years. The last twenty years of rapid technological change was not covered adequately by previous regulation, meaning companies were free to handle customer data however they wished, within reason.
This led in many cases to business misleading customers into providing data about themselves, without the customer understanding what data was being collected, stored, used and with who the data might be shared.
GDPR is designed to protect customers, whilst still giving organisations the opportunity to collect and use data to create and market products. The key is simply that there needs to be a clear record of, and transparent process for recording customer consent and how their data is used.
When will GDPR come into force?
GDPR is already here! Adopted by the European Commission in April 2016, businesses in the European Union are already subject to GDPR’s regulations. However, given the significant changes to processes many businesses would need to undertake, a two year grace period was granted to allow companies to get their act in gear.
But the actual enforcement date for GDPR in the UK is fast approaching on 25th May 2018 in the form of the Data Protection Bill 2018.
Who will GDPR affect?
All customers and consumer facing businesses in the EU. If you have control over customer data or process data on behalf of other organisations or individuals, GDPR will affect you.
Will GDPR still apply after Brexit?
British businesses will not be saved from the hard work of preparing for GDPR as the UK is almost certainly going to continue with GDPR after Brexit.
The new regulations are due to become enforceable in May 2018, well before the UK leave the EU. And the UK Government has already outlined their intentions to stand by the principles of GDPR, so that the country can continue to trade freely with Europe.
GDPR is also consumer-friendly and is, therefore, unlikely to be unravelled by the UK Government.
What types of business will be affected?
All businesses and organisations that hold personal data are affected by GDPR, no matter how big or small they may be. That said, there are some differences for businesses depending on how many people they employ. If you employ fewer than 250 employees, you most likely will only need to hold internal records of how you process data, and what you have done with this data, if the data contains sensitive personal information that could be used to identify or discriminate against an individual. If you employ more than 250 employees, you’ll need to keep much more detailed records of how your organisation is handling and processing data. These detailed records will likely need to the name and details of your organisation, your data protection officer, why you’re processing the data, a description of the types of individual and categories of their personal data, as well as categories of recipients of this data.
There are however some occasions when smaller businesses will need to keep more detailed records. We’d suggest that businesses, both big and small, get some advice on exactly what will apply to them.
How will GDPR affect my business?
GDPR requires businesses to implement data protection “by design” and “by default”.
Data protection by design and default
Data protection by design requires businesses to ensure that appropriate technical and organisational measures are taken to protect data, by default and without exception. This means that you must protect data at all times and not just in response to a potential threat or breach.
Part of data protection by design is the provision of Privacy by design, which is an approach to projects designed to put privacy at the centre of systems and processes.
Privacy by design
This means that you have a legal obligation to integrate data protection measures into your information processing activities and projects. For example, if you are developing a new IT system for storing and analysing customer data, you must ensure that privacy and data protection are key considerations from the start of your project and throughout the system’s lifespan.
When do I need to start taking action?
If you’ve not begun looking at how GDPR will impact your business, we’d recommend getting started right away.
What happens if I don’t comply with GDPR?
There’s been some no shortage of headlines exaggerating the potential fines for firms who fall foul of GDPR, but for major breaches of the GDPR framework, you could be fined up to the larger of either:
- 4% of annual worldwide turnover or
- €20 million.
These could attract a fine of up to the larger of:
- 2% of annual worldwide turnover or
- €10 million.
How do I ensure my business is compliant with GDPR?
Whilst we have a number of articles looking at GDPR, from our GDPR glossary to a checklist to get you started, we’d suggest heading over to The Information Commissioner’s Office (ICO) website and taking a look at their “Guide to General Data Protection Regulation (GDPR)” whitepaper.
Another option is to seek legal advice. There are of course lots of solicitors and lawyers that can help you better understand how GDPR affects your business. Or there are companies such as Lawbite that offer an online platform for securing legal advice. Lawbite even has their own GDPR checklist, and are offering free GDPR advice to businesses and 10% of their GDPR products.