If you aren’t already aware of GDPR and what it stands for, you will certainly be hearing more about it over the coming months. The new rules for the protection of personal data come into effect in May 2018 and there are implications for most businesses.
The General Data Protection Regulation – GDPR for short – has an official launch date of 25 May 2018. From this date, businesses will have increased obligations to safeguard the personal information they store. This applies to information held about all individuals, whether they be customers, suppliers or employees.
If you are uncertain whether your business must comply with the new rules, the general position is that companies already subject to the Data Protection Act will likely have to follow GDPR.
Two key terms have been introduced to help businesses to understand the scope of the regulations: ‘data controllers’ and ‘data processors’.
‘Data processors’ handle the technical aspects of operations, such as storing, retrieving and erasing data. ‘Data controllers’ use the data for the purposes of interpretation or decision making. The two roles are connected, i.e. the data processor processes personal data on behalf of a data controller. Under GDPR, there are now obligations for data processors as well.
GDPR – broader than the Data Protection Act
GDPR applies to personal data but is wider-reaching than the Data Protection Act (DPA).
Companies that store and use personal data must now actively demonstrate that they comply with GDPR rules. Keeping evidence of compliance is referred to as the ‘accountability’ principle. Staff training and reviewing your HR policies are examples of compliance. But it is not sufficient to simply carry out the activity – you will need to prove that you have done it.
Under GDPR, higher standards have been set for gathering consent from the people whose data you hold. This means offering people genuine choice and control over how their data is used.
Data Protection for companies under 250 employees
The new legislation recognises that micro, small and medium enterprises operate differently. With regard to recordkeeping, the GDPR distinguishes between organisations with more than 250 employees and those with fewer. Reassuringly, smaller businesses have fewer additional requirements than organisations with 250+ employees.
Larger organisations must keep internal records of all data processing activities, whilst smaller organisations need not. Smaller organisations do, however, have to keep records of all activities concerning higher risk processing. The higher risk data category includes the processing of special categories of data or criminal convictions or offences. It also encompasses personal data that could potentially impact the rights and freedoms of an individual.
Evidence of compliance and consent
The overall aims of GDPR are to rigorously protect personal data and to create an environment in which data security risk is kept to a minimum. For most organisations, bringing systems in line with the rules will take time and energy. The key priority is likely to be reviewing the mechanisms already in place for gathering consent. In practice, this will mean measures to ensure individuals actively opt in. ‘Pre-ticked’ opt-in boxes will be invalid under the new rules.
Organisations will also have to consider existing consents given under the Data Protection Act. The advice from the Information Commissioner’s Office (ICO) is that ‘you will need to be confident that your consent requests already meet the GDPR standard and that consents are properly documented. You will also need to put in place compliant mechanisms for individuals to withdraw their consent easily.’
If the consents you already have in place do not meet the new standards, you will need to take further action.
The cost of getting it wrong
The financial cost of not following the basic principles for processing personal data and the conditions for consent could be up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher. That is aside from the damage to the reputation of your business.
This article introduces just some of the key features of the GDPR. The ICO has provided useful information and planning points to help organisations get ready for GDPR ahead of the deadline:
Getting ready for the GDPR