ZZZZ I hear you – before you even got to the word Regulation! I know this is dry but it’s important we all understand the implications of GDPR on our businesses. It would be a great idea to start taking steps to meet requirements ahead of the 25th May 2018 deadline.
What is GDPR?
The EU General Data Protection Regulation (or GDPR) comes into force in May 2018 and supersedes the Data Protection Act 1998. The new EU legislation will raise the bar for consumer rights with regard to their data and gives individuals more control over how their data is used and stored. All organisations will be required to prove they are compliant and provide any necessary documentation, or risk significant fines.
Companies, however, will be challenged, as they will need to review current processes and put new procedures in place to comply. All companies that do business in EU countries and use clients’ data, whether held internally or outsourced to a third party, will be bound by a new set of data protection rules. This includes Great Britain, as the regulation will come into effect before Brexit.
One of the main changes in the new regulations is that suppliers (Processors) will now be jointly liable for any data breach along with the Controllers (your company) of the data. This means that all businesses handling personal data will need to look at what they hold and review their procedures to make changes before GDPR comes into effect.
What types of data does the GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
It is important that your business has guidelines in place detailing how personal data is safely stored. Data Processors and Controllers alike will be accountable for any data privacy breaches.
GDPR states that any data must be gathered with active consent for use by a controller and processor. Customers must now opt in, rather than simply being left to fail to opt out. There must be an option for consent to be withdrawn, or for the customer to unsubscribe, at any time. Requests for held personal data to be deleted under the ‘Right to be Forgotten’ must be acted on.
What do I need to do?
The GDPR states that all businesses must provide a “reasonable” level of protection for personal data. All companies in the first instance should consider:
- A review of all the data they hold, ensuring they document what it is and how it is used.
- Appointing a DPO (Data Protection Officer): a company may name someone who already has a similar role to the position. Otherwise, you will need to hire.
- Creating a data protection plan: Most companies will already have a plan in place. The Data Protection Plan will need to be reviewed and updated to ensure that it includes all the GDPR requirements. Visit the ICO for full details.
- Carrying out a risk assessment: Look at what data you store and process on EU citizens and understand the risks around it. Your risk assessment should also summarise measures taken to mitigate that risk.
- A plan outlining how you will contact all existing clients to gain explicit consent from them, confirming the data held and that you have the right to contact them.
- A tested incident response plan: GDPR requires companies to report any data breaches within 72 hours. Your plan needs to ensure you minimise the damage; how well you respond will affect the company’s risk of fines for the breach.
- Ensuring that all third-party partnering companies, such as cloud providers, have a data protection policy in place.
As mentioned, there will be large fines for any data breaches. Now the legal recourse for breaches includes both processors and third-party suppliers.
Some large corporations have already started work to ensure compliance. This includes focusing on their HR and marketing databases. It is recommended that small businesses start to look at it today!