What is GDPR and will it affect me?

The General Data Protection Regulation (GDPR) is coming. Are you compliant?

What is GDPR?

The General Data Protection Regulation (GDPR) is a new law that is coming into effect in 2018. It is the result of four years of work by the EU to bring data protection legislation in line with modern uses of data.

The UK currently relies on the Data Protection Act of 1998, but this will be superseded by this new legislation.

It introduces much tougher fines for non-compliance and gives the public more say over what companies can do with their data.

It also unifies data protection laws across the EU.

When will the GDPR become law?

The GDPR will apply to all EU member states from the 25th May 2018. Because this is a new regulation, the UK does not need to draw up any new legislation.

Instead the GDPR will apply automatically from this date.

Businesses have until this date to ensure that they are compliant with the new regulation.

According to a survey by Imperva, although the majority of IT professionals are aware of GDPR, just under a half of them are currently preparing for its arrival.

Only 43% of professionals surveyed admitted that they were currently assessing the impact that GDPR would have on their business.

Nearly a third said they are not doing any preparation for GDPR and 28% admitted to being ignorant of any preparations that their company were involved in.

Who will the GDPR apply to?

GDPR will apply to ‘controllers’ and ‘processors’ of data within an organisation.

A data controller determines how and why personal data is processed and a processor is the person performing the actual processing of data.

In this example, a controller could be any company and a processor could be an IT company that processes that company's data.

It is the controller's responsibility to ensure that their processor abides by data protection law, and processors must also abide by laws about how they maintain records of their data processing activities.

What data can I process under GDPR?

Controllers must ensure that all personal data is processed transparently, lawfully and for a specific purpose.

Once that purpose has been fulfilled and that data is no longer required, it must be deleted.

What do you mean by lawfully?

Lawfully would normally mean that the person has explicitly consented to their data being processed.

Lawfully could also mean to comply with a contract or legal obligation, for example if the controller was processing the data to prevent fraud.

How do I get consent under GDPR?

Consent must be active and confirmed by the person, rather than a tick box or opt out form as is currently acceptable.

Controllers must keep a record of how and when a person gave consent, and that person may withdraw their consent whenever they like.

You will need to change your current methods of capturing data if they do not comply with this new regulation.

What counts as personal data under GDPR?

As well as the usual personal data, online identifiers such as IP addresses will now be categorised as personal data.

Additional data such as economic, cultural and health information will also be considered as personal data.

Anything that was previously categorised as data under the Data Protection Act will still qualify as personal data.

What is the right to be forgotten?

Individuals have the right to demand that their data is deleted if it is no longer necessary.

This is known as the right to be forgotten.

Under this law, a person can demand that their personal data is deleted if they have withdrawn consent or object to the way their data is being collected or processed.

The controller is then responsible for ensuring that any other organisations that have a copy of this data also delete it.

What if someone wants to move their data elsewhere?

Controllers must ensure that personal data is stored in commonly used file formats such as CSV, so that a person's data can easily be moved to another service provider.

Controllers must do this within one month of the request.

What if we suffer a breach of data?

You must notify the Information Commissioner's Office (ICO) within 72 hours of any data breach that may put the rights or freedoms of an individual at risk.

You must notify the ICO of the nature of the breach and the approximate number of people affected, upon discovery of any breach.

You must also detail the potential consequences for these people and what measures you have taken or that you plan to take.

You also need to notify the people affected by any data breach.

Failure to meet the 72-hour deadline could see you hit with a fine of up to 10 million euros or 2% of your global annual turnover.

These are much harsher penalties than the UK is accustomed to under current DPA laws.

To give you an idea of the difference, the ICO issued fines totalling £880,500 in 2016.

Under the GDPR, these same fines would have totalled £69 million!


Many UK businesses are going to have to drastically change the way they store and process data under the General Data Protection Regulation (GDPR).

Start planning now to ensure you don’t fall foul of the new rules next May.

No one wants to be hit with one of these fines!

If you would like to discuss your compliance today, give us a call on 0151 538 1075.