GDPR: Four letters that might not mean much to many. Yet….
In May 2018, under a year from now, the UK government is set to implement the EU’s General Data Protection Regulation. GDPR applies to all organisations or businesses handling the data of EU citizens; regulating data collection, sharing and usage.
Whilst the fallout from Brexit rumbles on and remains somewhat unclear in some areas, The Information Commissioners Office (ICO) has made it quite apparent that if we (The UK) are to trade with the single market on ‘equal terms’, then the UK will be required to adhere to the data protection standards administered by the EU.
Regardless of the parallels with the existing Data Processing Act, GDPR will ultimately supersede the existing regulations. At the top end of the scale, breaching GDPR’s policies can result in fines as eye watering as 4% of global turnover under accountability principles. Whether you’re a data controller or processor, it’s undoubtedly a change we must all be aware of.
To further compound the importance of being ‘GDPR prepared’, we’re not just talking about holding third party data here. Business specific, internal data such as HR records or documentation, CV’s and any employee sensitive information must be handled from a GDPR standpoint.
So what do we need to do to assure compliance? As processors that hold or manage personal data, you will have the same liability as the data owners. Acknowledgment of this should be highlighted in any business agreements or contracts. Liability issues aside, the way you handle the data itself needs to be scrutinised, as all data must be encrypted to protect personal information in the event of a security breach.
Another key variation from the existing DPA is the necessity to record and show, with evidence, the steps you have taken towards data minimisation and documenting all of your data protection impact assessments, for audit purposes.
We could continue with the specifics in more detail as the changes are both extensive and exhausting, but the above should be a preview into how handling data is about to change, and give you some food for thought on what you need to do to prepare for it.
For now, we’ve compiled some fundamental areas to be aware of:
- GDPR applies to everyone – “I only handle a few hundred records, surely I’d be exempt? Unfortunately not. The European commission is exporting GDPR to the rest of the world, meaning any business that handles or processes information pertaining to EU citizens must be compliant.
- GDPR broadens what is actually meant by personal data – Whilst the term ‘personal data’ has always been relatively broad, GDPR brings some perhaps previously unconsidered data under scrutiny. Things like economic, cultural, mental, genetic and social information must now be considered.
- GDPR really screws down on obtaining valid consent for using personal info – Most likely the greatest challenge presented by the new GDPR regulations will be proving valid consent for using personal information. Businesses will need to ensure they are clear and concise when requesting consent for using personal data and be completely transparent on how they intend to use it.
- Mandatory Data Breach Notification – Any breach of GDPR regulation must be reported within 72 hours, unless the breach is unlikely to result in any risk to the rights and freedoms of individuals.
- GDPR Penalties are much harsher than DPA equivalents – Fall foul of GDPR and at the very worst, you can expect a fine of 20 million euro’s or 4% of Global Turnover, whichever is highest. Scary stuff!
Some Key Recommendations:
- GDPR is happening and is less than a year away, so be prepared as best you can. Consider implementing training programmes within your business to ensure that all data handling employees are compliant and aware of the guidelines they must follow.
- Audit and record the personal data your company holds, documenting where it was obtained, how and who it is shared with and for how long it has been stored.
- Delete, securely, any data you no longer have use for. Where data retention or storage is not necessary, disposing of such data will help reduce your risk.
- See point one… Act now! The forthcoming changes are by far and away the most significant amendments to the existing DPA regulations since the EU Data Protection Directive in 1995. It’s a process that will no doubt be lengthy and laborious, so ensure you are prepared nice and early with support across all areas of your business to implement the changes.
Change can and sometimes will be daunting, but considered preparation and careful due diligence will alleviate those fears before they become a reality.
We’ll expand on some of the points mentioned today in the coming months, as well as highlighting some we’ve not yet mentioned. After all, it’s a process we here at Herald Chase are currently working through, so we share the same trepidations and frustrations.
If you need any advice or further information on the impending GDPR changes, feel free to give us a call on 01189 474 888 or alternatively, drop us an email at: enquiries@heraldchase.com