What is GDPR and how will it impact my business?
With the General Data Protection Regulation (GDPR) regime coming into force in the UK from 25 May 2018, key changes will be introduced to the way personal data is handled. The question is: are you and your business prepared for the forthcoming change? It is important first to understand the requirements of the Information Commissioners Office (ICO), now concerned about misinformation being shared in the media. The following outlines the change key features to help you prepare.
What is GDPR and why is it necessary?
The purpose of GDPR is to reflect the importance of safeguarding your clients and customers individual personal data in the digital age. Currently, for a data protection law breach, you could be fined up to a maximum of half a million, whereas, under GDPR, you could be looking at a maximum of £17 million or, if higher, 4% of worldwide annual turnover. You should also consider the negative public implications if you fail to protect personal data. With this in mind, you should look into the following:
- Those who are “controllers” and “processors” of data within your company
- The principles of data protection
- Accountability and governance
- New rights for data subjects
- Data security breaches
What is affected?
The definition of personal data is expanded under GDPR and includes a range of online identifiers, such as IP addresses, as well as sensitive personal data coming under special categories as genetic data and biometric data. Data relating to criminal convictions and offences is not included, although there are extra new safeguards relating to how the information is processed.
Who is affected?
GDPR will affect anyone handling personal data, from customer and employee records, through to manual data, regardless of where this information is stored – be it in a filing cabinet or digitally accessed via a laptop or computer – This applies to both “Controllers and Processors”. A controller is defined as someone who is in charge of how and why personal data is being processed. A processor acts on behalf of the controller to process the data. It may be that, in a business, this role is fulfilled by the one person. For the processor, this means that, in order to remain compliant with GDPR, they now need to keep records of how they process personal data and they can now be held legally responsible for breaches of security.
Principles of data protection
Your clients personal data must be:
- Processed lawfully, fairly, and transparently
- Collected for specified, explicit, and legitimate purposes
- Adequate, relevant, and limited to what is necessary for the purpose
- Kept in an identifiable format for no longer than is necessary
- Processed securely and protected from unauthorised or unlawful processing, accidental loss destruction or damage.
Accountability and Governance
Your company must be able to demonstrate how your organisation is GDPR compliant and, implement the required technical and organisational measures. These include data protection policies such as:
- Internal audits of processing activities
- HR policies review
- Employee training and adherence to policies
- Conducting Data Protection impact assessments and, in some cases, appointing a Data Protection Officer (DPO). The DPO now becomes a legal requirement in public authorities and in organisations carrying out large scale data processing of special categories.
New rights have been outlined for individuals / your customers / clients and cover the following points:
- The Right to be Informed – providing your clients with a privacy notice giving details of how their information is being processed and controlled.
- The Right of Access – providing your clients with the option to request details of how their information is being held, for which your company has a maximum of 30 days to deal with the request, under a £10 chargeable fee.
- The Right to Rectification – such that any of your inaccurate clients data will be corrected.
- The Right to Erasure – the right to be forgotten such that your client can request data to be deleted.
- The Right to Restrict Processing – such that your clients data can be stored but not processed.
- The Right to Data Portability – such as to obtain and reuse personal data across different services, allowing the movement, copy or transfer of clients personal data, provided that this is done in a structured format.
- The Right to Object – such that processing of personal data must stop immediately, unless there are compelling and legitimate grounds for processing.
- Rights in relation to automated decision-making and profiling – ensuring safeguards are in place to protect against damaging decisions taken without human intervention.
Lastly, if and when your company experiences data security breaches, you must inform the ICO within 72 hours, and your organisation should also have a clear plan on how to resolve / cope with the situation. Given that GDPR requirements are complex and do not exactly offer a quick fix, you and your company cannot run the risk of incurring significant penalties.