Guide to the General Data Protection Regulation (GDPR)
What is GDPR
The GDPR is a new piece of European legislation that applies across Europe from 25 May 2018. It will replace the current Data Protection Act 1998 and will apply even after we exit Europe so all organisations who handle data will need to comply.
The purpose of the GDPR is to impose certain conditions on those organisations which handle personal data to ensure that any individual can find out what is happening to their information (where it is going, what it is being used for and who else might see it). It also aims to ensure that personal data is kept secure and is not used in a way that is excessive or unfair. The rules cover any personal information that will allow individuals to be identified in some way. This includes information with their name or email address on but also less obvious identifiers such as an IP address. It helps protect consumers but poses a real cost to businesses which need to review and adapt their compliance.
What do you need to do:
A good place to start is to conduct an information audit within your organisation to identify what data you hold, where its held, if third parties have access to that data etc.
All businesses will need to review the way their IT systems use individuals’ data and check it is legal. You will need to identify a ‘data protection officer’ within the organisation who is up to speed with what the new rules mean. Lumping the role onto the office junior will no longer be sufficient! Some particular types of business (particularly any business offering online behaviour advertising services or website analytics) will need to consider if they need to employ a new Data Protection Officer who is a quasi-legal and highly technical member of staff with a very specific and in-demand skill set.
You will also need to ensure your business has a data breach plan, to ensure you know what to do in case the worst happens.
Why Comply with GDPR?
Any individual will be able to make a request to an organisation he/she believes is holding their personal data for all information they hold about him/her. This is known as a ‘subject access request’. Although there are certain exceptions on what needs to be provided under the current rules, these exceptions do not apply under the GDPR and the UK Government is hamstrung by how many of these current exceptions they can carry over into the new rules. Care should be taken on what is written down about individuals (electronically or otherwise) as they will be likely to be able to see it.
SMEs may not realise the level of fines for non-compliance. Fines are punitive. Non-compliant businesses can be fined up to 2–4% of global turnover or 10m/20m euros if greater. Per breach. That is enough to make most business owners sit up and take notice.
If you would like to know more about GDPR, you can find a good summary from the Information Commissioner’s Office; https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf