What does the General Data Protection Regulation mean for me and my small business, how can I prepare for the new regulation and when should I start?
Myron Jobson, of This is Money, says: The General Data Protection Regulation is a piece of legislation designed by the European Union to which every citizen in the 27 nation bloc must adhere.
There is a lot to this new legal framework but, put simply, it will introduce stricter rules on how firms and organisations handle and use our personal data.
In particular, the new directive takes aim at how sensitive customer information is processed, stored and exchanged among businesses.
GDPR will also give more power to people over how their personal data is used and make it easier for them to access it.
One of the more notable measures of the GDPR is the fabled 'right to be forgotten', which allows EU citizens to request that a company delete the personal data it holds on them, provided there are no legitimate grounds for retaining it.
The European Commission - which creates EU legislation - says it is all about protecting the privacy of individuals and not about erasing past events or restricting freedom of the press.
It adds that some nine out of 10 EU citizens have expressed concern about mobile apps collecting their data without their consent, while seven out of 10 worry about the potential use that companies may make of the information disclosed.
Data protection will be even stricter when it comes to handling personal data of children.
The idea is that they may be less aware of the risks and consequences of dishing out sensitive information about themselves and should therefore be afforded heightened protection compared to adults.
In short, GDPR is a biggie. It will have far-reaching consequences for your business and how you use customer data - even for those who haven't bought anything.
The directive is due to come into force from 25 May 2018. The UK's decision to leave the EU changes nothing.
The British government has confirmed it has no intention of backtracking on these arrangements now.
Bosses of firms both big and small should educate themselves on the changes and take the appropriate steps to ensure their enterprise is positioned to implement the changes ahead of time.
We approached the Information Commissioner's Office (ICO) - the watchdog responsible for guarding our personal information - and a data protection expert at business insurance firm Hiscox about the key considerations and the steps businesses should be taking now.
Garreth Cameron, group manager of the Policy Directorate at the ICO, replies: If you're complying with the current data protection law, you'll be well on the way to complying with the GDPR.
The new legislation will apply to any organisation in the UK handling personal data from May 25 next year.
It is an evolution of current data protection law that will require businesses to be more accountable for their use of personal information and give consumers more control.
Many of the GDPR’s main aims and principles are the same as those in the Data Protection Act. So if you’re complying properly with the current law then most of your approach to compliance will remain valid under the GDPR and can be the starting point to build from.
However, there are new elements and some significant enhancements, so you will have to do some things for the first time and some things differently.
Consumers will have more rights in areas such as being better informed about what businesses are doing with their data and having greater access to and control over their data. For example, they will have the right to access their data free of charge and to request that data about them be erased.
It is vital that organisations are prepared to comply but they can also prosper in the new regulatory landscape.
Those organisations which thrive in the changing environment will be the ones that look at the handling of personal information with a mindset that appreciates what citizens want and expect.
This means moving away from looking at data protection as a compliance issue to making a commitment to managing data sensitively and ethically because it’s just as much part of good business practice as honest pricing or good customer service.
Now is the time for businesses to act and the ICO is here to help them through this important change.
Stephen Ridley, cyber and data risks underwriter at Hiscox UK and Ireland, adds: GDPR affects businesses of all sizes – even SMEs – that hold personal information like names, addresses, HR records, customer lists and even online identifiers such as a computer’s IP address.
There are now under ten months to make sure you are compliant by the time it comes into effect on 25 May 2018, so in terms of when you should start, the answer is now. The key things to consider include:
- Review the situation as it is at present - What personal data do you currently hold/process? How was it gathered? Where is it stored? What do you do with it?
- Check the data consents that you have in place - You may have given ‘opt out’ options when you collected specific data (for example from customers), but these are invalidated by GDPR, so using this data for any purpose where consent is required could lead to prosecution. You may have to re-obtain consent from individuals where you are unable to demonstrate that they have given affirmative consent.
- Businesses will have an obligation to make individuals aware of their rights as part of the data collection process, so consider whether you need to update your privacy policies or T&Cs. Review your supplier contracts, if you share data with them. The GDPR has some specific provisions which have to be included.
- Have a clear plan for what should happen in the event that you experience a data breach. Understand what data you hold counts as ‘personal’, where it’s kept, who has access to it, your mechanisms for spotting a breach and who it should be reported to. Non-compliance can have severe consequences, resulting in regulatory investigation and/or a fine.
The size of the fine could be up to 4 per cent of a company's global turnover (for the previous year) or €20 million (£18 million) - whichever is the higher - for the most serious of breaches, or 2 per cent / €10 million (£9 million) for administrative errors such as not completing - or even just not documenting - privacy impact assessments.
Although it would be very surprising if a small business was fined anywhere near these figures, the ICO has already demonstrated its willingness to impose financial penalties against SMEs, so it is better to be safe than sorry.
Source: This is Money