On 25 May 2018, the EU’s General Data Protection Regulation (GDPR) comes into force. A massive shake-up to data protection rules, GDPR was designed with two purposes in mind. First, it gives individuals more control over how their personal data is used. Second, it sets out more clearly how companies must collect, process and store personal data, with the threat of much bigger fines for companies found to be in breach of the regulation.
While the goals of GDPR are relatively straightforward, there is a great deal of confusion about how they will be implemented and who exactly the new rules apply to. This is particularly true for small-to-medium businesses, as most coverage of GDPR has focused on the impact on large enterprises. The truth, for most businesses, is that while GDPR introduces some important changes, the impact should be manageable, and you are unlikely to suffer harsh consequences if you handle personal data carefully and can show that you do.
What does GDPR mean for my business?
The first thing to ask is: does GDPR apply to me? The answer is almost certainly yes. At its simplest, GDPR applies to any organisation that processes the personal data of people in the EU, whether or not the organisation itself is based there. According to the definition in the regulation, personal data “means any information relating to an identified or identifiable natural person”. Note that “identifiable” is broad: an IP address, a cookie ID or a customer reference number can be personal data if it can be linked back to a person.
So, if you store a customer’s name, address, email address, telephone number or location information, GDPR applies to your company, and it replaces the obligations you currently have under the existing Data Protection Act (DPA).
For most businesses, GDPR introduces a few main changes that have to be followed. First, you need a lawful basis for every piece of processing you do. Consent is only one of the available bases (others include performing a contract with the customer, meeting a legal obligation and your own legitimate interests), but where you do rely on consent the bar is now much higher. As the Information Commissioner’s Office (ICO), the independent body responsible for upholding information rights, puts it:
“Consent under the GDPR must be a freely given, specific, informed and unambiguous indication of the individual’s wishes. There must be some form of clear affirmative action – or in other words, a positive opt-in – consent cannot be inferred from silence, pre-ticked boxes or inactivity.”
Importantly, GDPR tightens the rules on sharing data with third parties: you must tell individuals who you pass their data to and why, and any supplier that processes data on your behalf (a payroll provider, a hosted CRM, an email marketing service) has to be bound by a written contract setting out what they may do with it. This can have an impact on certain activities, such as marketing, where lists have traditionally been shared or bought in.
Next, individuals have more control over their data. They can request that you provide them, free of charge and normally within one month, a copy of all the personal data you hold on them. People also have the right to erasure, better known as the right to be forgotten. Simply put, an individual can ask you to delete their data and stop processing it, and you have to comply unless a specific exemption applies, for example where you are legally required to keep records, such as those needed to report tax accurately.
Finally, GDPR requires data protection by design and by default, with the onus on companies to put appropriate technical and organisational measures in place to protect personal data. Should your business be hacked or personal data leaked, the breach has to be reported to the ICO within 72 hours of becoming aware of it, unless it is unlikely to put the individuals affected at risk, and where the risk to them is high you must also tell those individuals directly. (Under the existing DPA there is no general duty to report breaches; only certain categories of company, such as telecoms providers, have had to.)
Underlying everything is a requirement to be able to demonstrate GDPR compliance and show that adequate steps have been taken to protect personal data. Failure to do so can result in a fine, although the largest fines (up to €20m or 4% of annual worldwide turnover, whichever is greater) are most likely to be handed out to big businesses that have suffered more serious breaches.
Do you need a data officer?
With demonstrable compliance a requirement of GDPR, there has been a lot of coverage stating that companies will have to appoint a data protection officer (DPO). In reality, most small businesses will not have to do this. A DPO is only mandatory in three cases: you are a public authority; your core activities involve large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or your core activities involve large-scale processing of special categories of data (such as health, religion or sexual orientation) or data relating to criminal convictions and offences.
Even where a DPO is not required, it makes sense to give an existing employee responsibility for overseeing GDPR compliance and producing the required documentation. Director-level oversight of your GDPR implementation is a sensible step to take, too.
What happens to GDPR after Brexit?
Brexit may mean sweeping changes in a lot of areas, but it actually means very little for GDPR. Regardless of whether the UK is in the EU or not, the British government has committed to implementing the new regulation, and GDPR is heavily backed by the ICO. In short, both the government and the ICO see the need for change and want rules that both enforce privacy and give them the flexibility to deal with companies that fail to protect personal data appropriately.
After Brexit, the UK will probably be free to make its own laws. There is a chance that GDPR could see some changes, but don’t expect its main tenets to be watered down. It is also important to remember that any British business dealing with EU customers will have to be GDPR compliant regardless of the UK law in force at the time.
What should I do now?
GDPR is not designed to catch companies out and raise money, but to give individuals more privacy and to help businesses protect and process data properly. The key aim of the regulation is to get companies to think about both how they collect personal data and how they store it.
We’ll cover some of the finer points in future posts, but for now a good starting point is to map what personal data you hold: what it is, where it is kept (including backups, spreadsheets and third-party services), what you use it for, which lawful basis covers that use, who you share it with and how long you keep it. This will help you work out whether the data is securely stored and whether you have the right to process it, and it gives you the first step towards demonstrating compliance.