With the GDPR deadline fast approaching in May, time is running out for organisations to get in line with the new legislation. Read our 10-step guide below to help you prepare for the upcoming changes and ensure your business will not be at risk of penalties.
What is GDPR?
GDPR, or General Data Protection Regulation, is a significant piece of EU legislation that will result in huge changes to online data protection. It will bring about the biggest change to data protection in 20 years, replacing the UK's Data Protection Act of 1998.
Why is change needed?
The main purpose of GDPR is to improve the protection of personal data gathered by organisations. A change in legislation has become increasingly necessary as online data is being used in ways that the original guidelines did not anticipate. In brief, it will give individuals more say over how their data is used, with the hope that this will improve trust in the digital economy.
What are the changes?
Organisations which use personal information (processors), in addition to those which hold or obtain it (controllers), will have to become more transparent when collecting personal data. Consent for the organisation to use the information must now be given directly; passive consent, such as pre-ticked permission boxes, will no longer be sufficient. Furthermore, the data controller must keep an accurate record of how and when an individual gave their consent.
Eight key rights are outlined for the individual. Within 72 hours of a serious data breach, companies must notify the owners of the data. Data owners will also hold the right to request their data, free of charge, and receive it within one month. These subject access requests will be one of the biggest challenges for many businesses, and it is recommended that you have processes in place that reduce the impact these requests will have on your organisation. In addition, the individual will hold the right to be forgotten, with their data being deleted if it is no longer needed for business functions.
What counts as personal data?
Personal data is any data that can be used to identify an individual and could impact them in some way. All data included under the Data Protection Act, with some additions, is also covered by the GDPR. The GDPR separates data into two categories: Personal Data and Sensitive Personal Data. Both categories will be subject to new regulation under the legislation. Examples of Personal Data include anything which can be used as an identifier, such as name, date of birth, and IP address. Sensitive Personal Data includes sexual preference, medical and genetic information, and it is this kind of data which most urgently needs explicit consent to be collected and used.
Consent is a major component of the new regulations. Under GDPR this consent must be freely given and not the result of coercion. As a result, companies can no longer insist on personal data in exchange for products or services. This excludes data necessary for a specific, non-marketing function, such as an address for postal services. Express consent must be gathered; it cannot be obtained through opt-out boxes. The terms and conditions and the consent agreement should be separate. Different types of marketing mail (post, SMS, email) should also be separated, allowing the individual to consent to just one type. Organisations should be very aware that consent must be explicit for sensitive data, and that all data can only be used in ways approved by the data subject.
Who will it affect?
Both small and large businesses will be affected by the new regulations, and should take care to prepare well. The regulations cover the personal data of all EU residents. Even if the controllers/processors are from outside the EU, they are still required to abide by GDPR. It is important to remember that passing data to a third party does not remove your accountability. In these situations both parties need to be explicit with how the data is going to be handled. Businesses should be fully satisfied that third parties are abiding by GDPR, and should document the measures they have taken to ensure this.
The Privacy and Electronic Regulations (PECR) are also changing. Many areas of the PECR do overlap with GDPR. However, the collection of data on other businesses will likely incur less stringent regulations than the collection of private individuals' data. It is worth reviewing these changes alongside your GDPR preparations.
Do I need to appoint a Data Protection Officer (DPO)?
Under GDPR it will become a necessity for organisations to appoint a DPO if they are a public authority. Alternatively, companies whose core activities involve processing sensitive data, or that undertake regular systematic monitoring, such as targeted advertising, will also require a DPO. The role is necessary to ensure that all people within the organisation are aware of their responsibilities and obligations for keeping personal data secure, and to act as a contact point with the ICO. Ultimately, the DPO should ensure that a company takes adequate measures to keep stored data secure.
What will be the consequences for not abiding by GDPR?
A key issue with GDPR is that it is not yet known exactly how it will be enforced. We do know, however, that tougher fines are being put in place for those not abiding by the new legislation from the 25th May. These could reach 20 million euros or 4% of annual turnover.
What effect will Brexit have?
As the UK will still be a part of the EU on the 25th May, British businesses must comply with GDPR legislation. After Brexit, the government intends to put in place a new Data Protection Bill, the contents of which will be very similar to GDPR, with similar penalties also in place. As a result, organisations are unlikely to have to undergo further major changes to their data protection policies and procedures after leaving the EU. It should also allow data from the UK to move freely around Europe, and vice versa. In addition, the Data Protection Bill will also include the UK's policy on collecting immigration data.
What should you do now?
From the 25th May 2018, all organisations that handle personal data must be in line with GDPR. Each business should individually assess the actions it is required to take. The ICO has created a 12-step guide to aid in this, outlining processes such as Data Audits and Privacy Impact Assessments that can help you review and regulate the personal data you hold. For more details, visit their website at https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr.
We advise that if your organisation has not begun GDPR preparations, the first step should be to spread awareness of the issue to the appropriate departments within your business and to seek support from a GDPR specialist (courses are available through your local Chamber). If you want to develop your website in a way that is GDPR compliant, get in touch with Hydra Creative today. Find out how else we can help you by heading over to our services page.