We could be about to ruin your day.
How much do you know about GDPR? It has been touted as the biggest threat to UK businesses since Brexit, and not paying attention to what it means and how to implement it could mean huge fines for your company. But don’t fret too much, I’m here to take you through everything you need to know.
Once you get over the several stages of grief – shock, disbelief, and doubt – you’ll probably realise it’s not so bad. Really. And the next step on the road to recovery is to make sure you’re prepared and ready for it come May 2018.
You might still be wondering, just what is GDPR? Let us explain…
GDPR stands for General Data Protection Regulation, and it’s a stricter and more proactive upgrade from the Data Protection Act (DPA), with much more severe consequences.
As individuals, we are considered to be the owners of our own data, and as data owners we have the right to know what data is being held, by whom and for what purpose. The aim of the General Data Protection Regulation (GDPR) is to protect the privacy of all EU citizens and to guard against data breaches. It will also define the minimum standards for handling, securing and sharing the personal data of EU residents.
In short, the new, stricter and higher-consequence legal requirements include:
• Explicit and continuous consent from data owners (data includes things such as names, emails, phone numbers etc.)
• Respond to every request for information and the right to be forgotten
• Maintain an audit trail (what legitimate source you acquired the data from)
• Adhere to ‘data minimization’ protocols (once data has been used for a specific purpose, it must be purged)
• You cannot contact people who haven’t opted in after May 2018. (If you hold information on someone or contact them more than once without opt-in permission, you are in breach of the GDPR.)
The UK currently follows the Data Protection Act of 1998, but this will be suspended once GDPR is introduced, giving people more say over what companies can do with their data. The most important part of the new regulations that you need to know about is the tougher fines for non-compliance and breaches that will be introduced, which we will come to!
What is GDPR, why and how is it different from earlier legislation?
The EU has made the conscious decision to give individuals more control over how their personal data is used, and the new GDPR seeks to address the problem that the current legislation was introduced before internet and cloud technology brought in new ways of exploiting data.
From a legal standpoint, GDPR differs from earlier legislation on the protection of private data because so much data is now paperless, digital and transactional. This is also the first time that legislation has treated data as something without borders, which may bring about a host of serious issues in cyber security. However, by strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in an emerging digital economy.
When will GDPR start?
After four years of debate, the General Data Protection Regulation was finally approved in April 2016, and enforcement will begin on the 25th of May 2018.
What types of data does GDPR apply to?
Just like the Data Protection Act (DPA), the GDPR regulations will apply to both personal data (i.e. name, address, phone, email) and sensitive data. Sensitive data is referred to as ‘special categories’, which include genetic and biometric data processed to uniquely identify an individual, along with racial or ethnic origin, political opinions, religious or philosophical beliefs and other health data.
This time the new regulations will also apply to even more detailed online data, including online identifiers, device identifiers, cookie IDs and IP addresses, which will now be classed as personal data.
Basically, not one piece of data goes unregulated…
Does GDPR apply to me?
Do you hold any form of data in your business, such as employee, client or customer records, finance records, emails, database notes and contacts? Then GDPR will apply to you!
The new GDPR regulations will apply to you if you are a ‘Controller’ or ‘Processor’ of data.
A data controller decides how and why personal data is processed, for example an organisation, charity or government body, whereas a data processor is the group or organisation doing the actual processing of the data, for example an IT firm.
Both the controller and processor are responsible for being compliant with the new regulations and if both are located outside of the EU, GDPR will still apply if they are dealing with data that belongs to EU citizens.
The controller is responsible for ensuring their processor abides by data protection law and equally the processor must abide by the rules in maintaining records of processing activities. (This also means that if you are involved in a data breach, you are far more liable under GDPR.)
A major change that is likely to affect many businesses is the introduction of ‘Increased Territorial Scope’.
This means that GDPR will apply to all companies processing the personal data of people who reside in the European Union, regardless of the company’s location. Whether your business is located in the UK, China or the US, GDPR will still apply if the people whose data you hold reside in the EU.
Consequently, GDPR and the new requirements it brings will apply to all businesses that offer goods or services to, or monitor the behaviour of, EU citizens.
What does GDPR mean for my business?
If you don’t take action to make sure you aren’t in breach of GDPR law once it comes into effect, then you will be fined! The fines include a maximum of 20 million or 4% of your company’s turnover, whichever is greater!
You must put in place an active opt-in process and record it, to ensure that for every scrap of data you hold you have active opt-in consent to hold it, and for a specific purpose.
We are Brexiting, so does GDPR still apply?
Despite the confusion over Britain’s position on data protection following the triggering of Article 50, the UK’s impending departure from the EU will not stop GDPR changing how data is controlled and secured by UK companies. As we mentioned before, this is because it isn’t based on the boundaries of where your business is located but wholly concerns the personal data of EU citizens.
The UK Government has indicated that it will implement equivalent or alternative data protection regulations after Brexit; however, according to recent talks, it is likely that the UK will mirror a major part of the EU’s GDPR data protection law. UK Digital Minister Matt Hancock has stated that “The government wants to ensure unhindered data flows after Brexit”, confirming that the government will be harmonising domestic law with the incoming EU GDPR in May.
There is much talk and many conflicting views over whether the UK will abandon GDPR standards once the two-year Article 50 process has taken full effect, but in order to do business with the EU, all companies will still need to adhere to the new standards.
Ignore GDPR with caution!
Whether the UK keeps GDPR in some form or you work outside of the EU, you may be thinking you can get away with just ignoring this. Perhaps you’re thinking “they won’t really mean it”, “They won’t worry about a small company like us”, or “How are they even going to police it?”.
However, look at similar regulation changes or rulings in the past that caused mass shake-ups and huge penalties, for example PPI. What did we learn from that? Since 2011, banks have paid out £23bn for mis-selling PPI, and this is not only down to individuals personally contacting their banks but also to PPI claims businesses calling to claim on their behalf. In some instances, claims that banks received dated back as far as the 1980s.
When it comes to GDPR, there is again a risk that companies will use the new regulations and costly fines as a ploy to exploit businesses that are in breach of the new data regulations, calling out the breaches and pushing individuals who would not otherwise even question how their data is being used to claim and sue for money. If you’re not careful, your business could be at risk of this once the new regulations come into effect.
If you have any further questions regarding what is GDPR and how it may affect you, do not hesitate to get in touch with us.
Alternatively, if you are currently expanding your technology team or looking for tech talent across Development, Sitecore, Data Science, Database Administration and Testing we can help with all your hiring needs, get in touch with us here.