All you need to know about GDPR
In the run-up to May 2018, you can’t have missed the hype surrounding the introduction of GDPR, the European Union’s new data privacy law. But what exactly is it, and what does it mean for you?
GDPR stands for General Data Protection Regulation. It’s being put in place by the European Union (EU) Parliament to make sure that personal data is handled in the right way – and the same way – by companies big and small across Europe. There are plenty of similarities with the current UK Data Protection Act 1998 (DPA), but your teams will also need to be fully aware of some changes and new features.
In the first in our series on data security technology, we’ve put together a quick guide to the key points of GDPR.
One of the biggest changes is the number of people covered by the new regulations. It applies to every company that processes personal data about EU citizens – regardless of your size, where you’re based, where the processing takes place or where the data’s stored.
And if your company is based outside the EU? You’ll need to appoint a representative within the EU.
Penalties are based on a percentage of your annual global turnover, up to a maximum of 4% or €20 million (whichever is the greater).
If you don’t have your records in order, for example, you’ll be fined 2%. But you’ll be looking at the maximum penalty for a serious infringement such as not obtaining customer consent.
Businesses can no longer get away with burying requests for consent in lengthy terms and conditions. Customers’ consent has to be opt-in – no pre-ticked boxes allowed – and companies must ask for it using clear, plain language. And it should be just as easy for people to withdraw their consent at any time.
If you provide services to children under the age of 16, their parent or guardian will also need to give consent.
The people handing over their personal data have a lot more rights under GDPR, so your teams will need to be prepared to handle their requests.
People are entitled to know if you’re processing their data and what you’re doing with it. They have the right to access the data you hold on them and ask you to delete it, if necessary. They can also ask for a copy of their data, free of charge, in an electronic format.
If your company designs any new processes or systems, you must build in data protection from the very beginning, not as an afterthought.
Your data controllers need to make sure they limit who has access to personal data. Plus, they should only hold and process the bare minimum of data needed to keep the business running effectively.
If the worst happens and there’s a data breach, you’ll need to let the regulator know within 72 hours.
Appointing a Data Protection Officer might sound a bit ‘big business’. It’s not. Whatever your size, if your company is a public authority or engages in large-scale systematic monitoring or processing of sensitive personal data, you’ll need to get a DPO on board.
The DPO will need to be an expert on data protection law and practices, but they don’t have to be an employee. As long as they report directly to your highest level of management, it’s okay to outsource the role.
Every decision-maker within your company needs to be aware of the impact of GDPR. Assemble key staff from Legal, HR and IT (or, if you’re a smaller business, whoever looks after these roles) and run through your processes for gathering and storing personal data to see how they hold up against the new regulations.
You’ll need to cover many areas, including:
What data does your company hold, where did it come from, why do you hold it? Who has access to it, who do you share it with and how long do you plan to hold it for? Do you have a template for record-keeping?
Are staff aware of and trained for the new regulations? Do you need to appoint a data protection officer?
Policies and procedures: do these show you’re aware of your privacy obligations? Do you have a general data protection policy, privacy impact assessment and data breach checklist?
Do you inform people at the right time that you’re collecting their data? Do you give them all the relevant information about their rights and what you intend to do with their data? Have you used clear and simple language?
Can you prove you’re operating within the law? Can you show that consent was given? Do you have the proof that it’s necessary for you to collect, process and use personal data?
Are your IT staff trained to respond to data requests? Do you have the processes and technology in place to help people exercise their rights?
How secure is the personal data you hold? Where’s it stored? Is it encrypted? Would your IT team be able to report a data breach within the 72-hour timeframe?
Are data protection principles at the heart of your business processes? Do your third-party data processors comply with the new regulations? If you transfer data out of the EEA, is it in a way that meets GDPR requirements?