The General Data Protection Regulation (GDPR) is the largest overhaul of European data protection in two decades, and it comes into effect on 25th May 2018, less than six months from now. Just to put things into perspective, when the EU last made data protection laws, Windows 95 was the newest Microsoft OS, internet speeds were in the 28.8 kbps to 33.6 kbps range and Hillary Clinton was still the First Lady. A lot changes in 20 years, especially when it comes to technology, so these regulatory changes are certainly overdue.
The GDPR, like all current data protection laws, applies to ‘data controllers’ and ‘data processors’. While these may sound like robots, your business is going to have both of these. The controller is simply an organisation or individual that decides what the data is going to be used for. The processor is the person who processes the data on behalf of the data controller. Easy.
The clock is ticking... but don’t panic. The date is 25th May 2018. You have six months to make sure that your company is GDPR compliant, and this guide aims to ensure you are. Elizabeth Denham, the UK Information Commissioner (whose office, the ICO, is in charge of data protection), describes the GDPR as “an evolution, not a revolution,” so there shouldn’t be anything that is too shocking to businesses.
What about Brexit?
As we have seen with the European Capital of Culture fiasco, anything involving EU law is going to be affected by Brexit. The UK’s Data Protection Act (DPA) 1998 is derived from the European Data Protection Directive 1995, and our next Data Protection Act (currently a bill still to pass through both Houses of Parliament) will follow the recommendations made by the GDPR.
Irrespective of whether the UK leaves the EU (which, at the moment, it seems it will), businesses which control or process the data of EU citizens will have to follow the laws set by the GDPR. If we leave the EU and your business only deals with UK citizens’ data, then the GDPR is still likely to affect you in the form of the new Data Protection Act, which will very probably follow the rules and regulations of the GDPR.
So, what’s different about the GDPR?
Accountability: In light of several serious data breaches over the past couple of years at various companies, including Yahoo (both in 2013 and 2014), JPMorgan Chase, Target and MySpace, the EU is cracking down on shoddy security when it comes to people’s data. Under the GDPR, the “destruction, loss, alteration, unauthorised disclosure of, or access to” personal data must be reported to the ICO within 72 hours.
This ensures that the people it affects are told as quickly as possible, so appropriate measures can be taken to protect their finances and private lives. You must make sure that your business has the correct procedures in place to report any data breach.
Additionally, if your company has “regular and systematic monitoring” of people on a large scale, then you must employ a Data Protection Officer. Hiring a whole new full-time staff member could have a big impact, depending on the size of the company.
The rights of individuals: Under the GDPR, individuals have more rights to access the data that companies hold on them. Under the current data protection laws, a Subject Access Request lets public bodies and businesses charge people and other organisations £10 to make a data request.
Now, under the GDPR, that £10 fee for Subject Access Requests is being scrapped and requests can be made for free. If you are asked for the data that your company holds on an individual, that data must be sent to that person within one month. You also have to be transparent about your data processing – you must provide explanations for certain decisions you make concerning their data.
In some cases (if it was unlawfully obtained, or if it has served its purpose) the GDPR even gives individuals the right to have their data erased from existence.
New fines: If you have skim-read this article up until now, then the word ‘fines’ should make you take notice. There will be two levels of fines under the GDPR. The first level is up to €10 million or 2% of your global annual turnover for the previous financial year, whichever number is higher. The second level is up to €20 million or 4% of your global annual turnover for the previous financial year, again whichever is the higher number.
Compared with the current system, this is an absolutely enormous amount. Under the DPA 1998, you could only be fined up to £500,000. This means that under the GDPR, the maximum possible fine has increased by 35.7 times.
What do you need to do?
Luckily, the ICO has compiled a handy checklist of what you need to do right here. To calm your nerves slightly after the section on fines, the introduction to the checklist says: “Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from.”
The 12 steps boil down to:
- Make sure everyone in your company is aware of the new regulations.
- Document the personal data that you hold.
- Put a plan in place if anything needs to be changed.
- Check your procedures concerning personal data.
- Plan how you handle data requests.
- Ensure your basis for processing data is legally watertight.
- Review how you obtain consent for data processing.
- Think about how you process children’s data.
- Ensure your data breach protocols are as good as they can be.
- Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments.
- Make sure that you have someone in the role of Data Protection Officer.
- If you process data outside of the EU then you should ensure that you are complying with all of the relevant regulatory bodies.
Conclusion: evolution, not revolution
The bottom line is: don’t worry. Just as Elizabeth Denham, the UK Information Commissioner, said, this is an evolution, not a revolution. As long as you are already following the ideals of the DPA 1998, you should find it easy to adapt to the GDPR. Document management and data storage companies can help; just keep in mind what’s changed and make sure that everyone in the company is fully up to date on how it will affect their roles. Don’t leave yourself open to those eye-watering fines.