The EU General Data Protection Regulation (GDPR) is the biggest ever shake-up to data protection laws, yet many businesses feel unprepared.
With the GDPR’s introduction taking place in May 2018 and the UK not leaving the EU until 2019 at the earliest, Brexit will not affect the introduction of the GDPR in the UK. The UK will replace the 1988 Data Protection Act (DPA) with legislation that mirrors the GDPR post-Brexit.
This means now is the time to put the processes in place to ensure you are compliant.
Any company, big or small, will have to comply with the new regulations regarding the secure collection, storage and usage of personal information. Failure to do so may be met with heavier fines or other regulatory censure. What’s more, individuals can sue you for compensation to recover both material damage and non-material damage, such as distress.
The core objectives of the GDPR are to give individuals more transparency and control over their personal data and to unify the regulation within the EU. It is making companies across the EU think seriously about data protection.
- Firms processing significant amounts of personal data, processing sensitive data, or undertaking large-scale monitoring must employ a Data Protection Officer (DPO).
- The requirement to appoint a DPO will apply to small businesses if the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as defined in GDPR Article 9.
- Breaches in data security must be reported within 72 hours to data protection authorities such as the Information Commissioner’s Office (ICO) in the UK.
- Individuals have more rights and control as to how businesses use their personal data. In particular, they have the ‘right to be forgotten’, enhanced rights of data access and rights to data portability.
- Failure to comply with the GDPR will lead to heavier punishments than ever before: up to €20 million or 4 per cent of annual turnover (whichever is higher).
Does it apply to you?
If you’re unsure of whether or not GDPR applies to you, consider how regularly you deal with personal data. That includes present and past employees and suppliers, not just client data.
If it’s a routine occurrence, then you should abide by the GDPR. In a nutshell, any business affected by the Data Protection Act (DPA) will also fall under the GDPR. The key difference between the DPA and the GDPR is that the latter is much stricter in what it defines as personal data, in its scope and in its requirements.
Understanding the type of data that will be affected under the GDPR is one thing, but finding out where that data is held may not be as easy. For example, think of personal emails sent and received by your staff that may have been lurking on your server for years. Every piece of personal information held by your business needs to be identified – even if it’s on a mobile device or in the cloud.
It’s a complex task, and data discovery technology can help. Many IT consultants are offering GDPR toolkits and the Information Commissioner’s Office offers some helpful guidance.
A big plus to all of this is that you will probably emerge with more structured data and be able to monitor and manage it easily in future. You’ll also be in pole position to respond to Subject Access Requests (SARs) – when individuals ask to see a copy of the information an organisation holds about them – and to the ‘right to be forgotten’, which may require you to identify and erase all of an individual’s data.