The EU General Data Protection Regulation (GDPR) comes into force in May next year. Here’s what it means for you and your business:
What is the GDPR?
The GDPR is a wide-ranging replacement for the Data Protection Act 1998 that will apply to all organisations that process, handle and keep the personal data of EU residents. It comes into effect on May 25th, 2018.
You can read all about it in more detail on the blog we published earlier this year, but in brief it means:
- An absolute requirement for consent to be given for all data collection on individuals, along with clear and comprehensive privacy notices to help individuals understand what they are opting into.
- Crucially, organisations must be able to prove that consent was given if they want to process this data. Parental consent must be given to process the data of any individual under 13 in the UK, and under 16 in most other EU countries.
- Any data breaches must be reported to the local Supervisory Authority (the Information Commissioner’s Office in the UK) within 72 hours.
- An expansion of the meaning of “personal data”: an online identifier, such as an IP address, can count as personal data.
- Increased powers for Supervisory Authorities, including the ability to impose much stiffer financial penalties for non-compliance or breaches.
For severe non-compliance, organisations may be fined up to €20 million or four per cent of their worldwide annual turnover, whichever is higher. For less severe breaches, the penalty is up to €10 million or two per cent of turnover.
How will the GDPR affect small businesses?
The GDPR may have a significant impact on small businesses, which will need to begin taking steps to achieve compliance as soon as possible. Bear in mind the law applies to all companies regardless of size, from sole traders to multinationals.
A key question during the development of the GDPR was which companies would be required to employ a Data Protection Officer (DPO). As it stands, the regulation states that only public authorities, organisations that carry out “regular and systematic monitoring of individuals”, and organisations that carry out “large-scale processing of special categories of data, such as health records” must appoint a DPO.
In other words, there may not be a legal requirement for every small firm to have a DPO. However, it is implied that most companies handling personal data in some way should designate someone who is responsible for GDPR compliance, even if they are not formally a DPO.
The Information Commissioner’s Office has stressed that companies who already fulfil their Data Protection Act 1998 obligations shouldn’t be unduly stressed by the new requirements in the GDPR. Instead, the incoming changes should be seen as a chance to review those measures and build on them, rather than to start again from scratch.
Finally, this year’s ransomware attacks should already have underscored the need for any business to invest in robust antivirus and cybersecurity measures – but in case they didn’t, hopefully the GDPR and its new penalties for non-compliance will.
Will Brexit affect the GDPR?
No – at least, not at first. When the law comes into force on May 25th, 2018, the UK will still be an EU member state and will be obliged to comply with it. Additionally, the UK Government confirmed in October 2016 that it is committed to implementing the GDPR regardless of the Brexit process.
Whether the rules will change after the UK leaves the EU remains to be seen, but for now it’s sensible to assume they won’t. Whatever happens, British firms wishing to do business with EU partners post-Brexit will be expected to maintain similar data protection standards to the GDPR.
GDPR compliance checklist
- Begin compliance discussions now with key people in your organisation. Some aspects of GDPR compliance may take longer or have bigger budgetary considerations than others, so preparing well ahead of time is key.
- Document the personal data your organisation holds, where it came from and who it is shared with. A systematic audit of your current processes is a good start to identifying what changes need to be made.
- Review your privacy notices. Under the GDPR, you will need to explain the lawful basis for processing customer data, as well as how long you retain it for and the customer’s right to complain about how you are using it. This must be communicated clearly and concisely.
- Have a robust process in place for locating and deleting individual customers’ data if and when requested. This is one of the key rights individuals will be made aware of under the GDPR.
- Be aware of the new right to “data portability”. This means individuals have the right to request their personal data in a commonly-used, machine-readable format, provided free of charge and within one month. Consider how your organisation will provide this.
- Review how you seek, record and manage consent for data collection. Remember consent must be explicitly provided: assumption of consent (for instance, via pre-ticked boxes on a web form) may land you in trouble.
- Review how you will verify individuals’ ages, and how you will obtain parental consent to process the data of under-13s if required. This will also mean your privacy notices must be written in a way children can understand.
- Reinforce your existing data breach reporting procedures to ensure your organisation can meet the new timelines. Failure to comply may be a much more serious matter under the GDPR than it currently is.
- Take steps to appoint a Data Protection Officer if you are required to, and consider who should be responsible for GDPR compliance even if not.
This is just a brief summary of the key changes to be aware of. For a full explanation of how to prepare for compliance with the GDPR, refer to this guide from the Information Commissioner’s Office.