Do you keep and use personal data relating to your clients or customers as part of your business activity?
Then you need to listen up.
If you haven’t already heard about it, the General Data Protection Regulation (GDPR) is on its way and time is running out for companies to make sure their systems and processes comply with it.
The GDPR has been billed as the ‘most important change in data privacy regulation in 20 years’ and is due to come into force on May 25 this year. However, despite its wide-reaching impact and the fact it’s been talked about for the last two years, it’s believed not all businesses have taken the necessary action. Awareness of the GDPR is high among global businesses, but only two in five are confident about knowing where their data’s stored (NetApp).
Time is clearly of the essence here, and the advice to businesses that haven’t yet investigated how the GDPR is going to impact them is to act fast, ideally now. We’ve put this Q&A together to help bring you up to speed on all things GDPR.
Q. ‘What is the GDPR?’
A. It’s new legislation that was approved by the EU parliament two years ago. This new EU regulation will replace the existing Data Protection Directive 95/46/EC. Because it’s a regulation rather than a directive, it applies directly in every member state without needing separate national laws to implement it. It’s designed to set the new standard for consumer rights in relation to their data.
Q. ‘Why’s it happening?’
A. It’s envisaged it will harmonise data privacy laws across Europe, replacing the patchwork of national implementations of the old directive, and strengthen the protection of personal data wherever in the EU it’s processed.
Q. ‘Does it apply to my business?’
A. If you use and handle personal data, then yes. The GDPR applies to all organisations established in the EU that use and store personal data as part of their operations. It also applies to organisations outside the EU that offer goods or services to people in the EU, or monitor their behaviour, so being based elsewhere doesn’t take you out of scope.
Q. ‘I’ve heard it doesn’t apply to small businesses. Is this true?’
A. No, it’s not true. The GDPR applies to all businesses (regardless of their size) that handle personal data. Some record-keeping obligations are relaxed for organisations with fewer than 250 employees, but the core requirements, such as lawful processing, security and individuals’ rights, apply to everyone.
Q. ‘My data processing takes place outside of the EU, what now?’
A. If you’re an EU company and your data is processed outside of the EU, the GDPR still applies to you so you’ll need to make sure you’re fully prepared for it. Transferring personal data outside the EU is only permitted where adequate protection is in place, for example an adequacy decision for the destination country or standard contractual clauses with the processor, so check the basis for every cross-border transfer you make. If you’re in any doubt, get expert advice as soon as you can.
Q. Which type of data do I need to be concerned about?
A. The GDPR relates to personal data and sensitive personal data.
Personal data – includes any information from which a living person can be directly or indirectly identified. For example, their name, email address, bank details, photo, computer IP address or an online identifier such as a cookie ID.
Sensitive personal data – relates to ‘special categories’ of data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and medical information, sex life or sexual orientation, and genetic and biometric data used to identify individuals. Processing these categories is prohibited unless a specific condition applies, such as the individual’s explicit consent, and it carries stricter obligations.
Q. What are the main changes I need to worry about?
A. It’s essential you explore the impact the GDPR is going to have on your business and, if you’re not sure how to go about doing this, speak to a GDPR specialist.
One of the main changes that’s going to be brought about by the GDPR relates to the issue of consent. Companies must provide clear requests for consent, using a format that’s easy for people to understand and access; pre-ticked boxes, silence and consent bundled into other terms and conditions don’t count. It’s crucial that the process of withdrawing consent is as easy as granting it. Bear in mind that consent is only one of six lawful bases for processing, alongside contract, legal obligation, vital interests, public task and legitimate interests, so for each processing activity you should identify which basis you’re relying on and record it.
Q. There’s been a data breach, what happens now?
A. Under the GDPR, if a data breach occurs and it’s likely to ‘result in a risk to the rights and freedoms of individuals’ then the data controller must notify the supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to those individuals, they must be told as well, without undue delay. This is a new legislative requirement under which data processors must notify the controller ‘without undue delay’ after becoming aware of a breach, so make sure your contracts with processors spell this out. Either way, keep a record of every breach, including those you decide don’t need reporting and why.
Q. What’s a ‘data processor’ and what’s a ‘data controller?’
A. If you’ve started to familiarise yourself with the GDPR, then you’ll no doubt have come across these two phrases. Data controllers determine the purposes and means of the processing of personal data, while data processors process the personal data on behalf of data controllers. The same organisation can be a controller for some data (its own customer records, say) and a processor for other data (records it handles on behalf of a client), and the obligations differ for each role.
Q. Do I have to give people access to their data?
A. Yes you will. From May 25, people will have the right to find out if their personal data’s being processed, where it’s being processed and for what purpose, and to receive a copy of it. You’ll normally have to respond within one month and, in most cases, can’t charge a fee. They’ll also have the right to data portability: to receive the personal data they’ve provided to you in a structured, commonly used, machine-readable format so they can move it to another provider.
Q. Can people ask to have their data deleted?
A. Yes, they can. Individuals will have the right to erasure (the ‘right to be forgotten’) by asking the data controller (the organisation that has their data) to delete it from their files. The right isn’t absolute: you can refuse where you still need the data, for example to comply with a legal obligation or to establish or defend a legal claim, but you’ll need to explain why.
Q. What happens with children’s data?
A. Where you rely on consent to process the data of children for online services offered directly to them, you’ll need to obtain parental consent for children under the age of 16. Member states can lower that threshold to as young as 13, and the UK has chosen 13, so check the rule in each country you operate in. If in doubt, always double check.
Q. Other businesses have appointed a Data Protection Officer (DPO). Do I need one?
A. A DPO is mandatory for public authorities, and for organisations whose core activities involve 1) large-scale, regular and systematic monitoring of individuals or 2) large-scale processing of sensitive personal data or data about criminal convictions. If you fall into any of these categories, then you’ll need to appoint one. Otherwise it’s voluntary, but whoever you do appoint must be independent, adequately resourced and report to the highest level of management.
Q. What happens if I don’t maintain compliance?
A. All businesses that fail to comply run the risk of being significantly penalised. There are two tiers of fine. Less serious infringements, such as failing to keep proper records or to notify a breach, can attract fines of up to €10m or 2% of annual global turnover, whichever is greater. More serious infringements, such as breaching the basic principles for processing, the conditions for consent or individuals’ rights, can attract fines of up to €20m or 4% of annual global turnover, whichever is greater.
Q. What should I do now?
A. You need to make sure your systems meet the GDPR requirements and that your data is protected in accordance with the current guidance by May 25. Carrying out an audit of your current procedures and data is a thorough and effective way of determining the work that’s required: what personal data you hold, where it came from, where it’s stored, who you share it with and on what lawful basis. As with all projects of this nature, we recommend that you seek expert advice.
We hope you’ve found this Q&A useful and that it’s provided you with a clear understanding of the GDPR. For more details, including 12 steps to take now, visit https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/