What is the GDPR?
The General Data Protection Regulation (GDPR) will replace the existing Data Protection Directive (in force since October 1995) with the aim of harmonising data protection law across the European Union. Because it is a regulation rather than a directive, it applies directly in every member state without needing separate national legislation. In doing so, the GDPR gives individuals more control over their personal data and places clearer obligations on the organisations that collect and process it.
What are the important changes you should be aware of?
People in the EU are now the main focus
Unlike the previous directive, the reach of the GDPR is defined by where the individuals are, not only by where the company is based. It applies to any organisation established in the EU, wherever the actual processing takes place, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour (for example, by tracking them online). In practice, if your business handles the personal data of people in the European Union, it will have to comply with the new regulation regardless of where it is located.
Businesses must provide clear and transparent privacy notices
The existing law generally leaves it to business owners to decide what information is fair to include in their privacy notices. From 25 May 2018, that approach will no longer be enough. The GDPR sets out a detailed list of information which must be provided to individuals, including:
- The purposes for which their data is collected and the legal basis for processing it
- Who the data will be shared with
- How long the data will be retained, or the criteria used to decide that
- Their privacy rights, including the right to complain to the supervisory authority (the ICO in the UK).
Your privacy notices also need to be concise, transparent, written in clear and plain language, and easy to find.
Your customers have increased privacy rights
Right to access
The GDPR gives individuals the right to access their personal data and to understand how it is being used. If someone asks to see what information you hold about them (a subject access request), you must respond without undue delay and in any event within one month; that period can be extended by up to two further months for complex or numerous requests, provided you tell the person within the first month. You will need to give full visibility of the personal data you hold about that person, and where the request was made electronically you should provide the copy in a commonly used electronic form. The GDPR also removes the ability to charge a standard fee for responding to a request: you may only charge a reasonable fee, or refuse, where the request is manifestly unfounded or excessive.
Right to be “forgotten”
Where you rely on consent to process someone's data, it must be as easy for them to withdraw that consent as it was to give it.
In certain circumstances, individuals have the right to have their personal data erased. This right can be exercised when the data is no longer necessary for the purpose for which it was collected, or where consent has been withdrawn and there is no other legal basis for keeping the data. The right is not absolute: some businesses have a legal or regulatory requirement to retain data for specified periods, and the right does not apply where processing is necessary to meet such an obligation or to establish or defend legal claims.
Right to data portability
Data portability allows your customers to receive the personal data they have provided to you in a structured, commonly used and machine-readable format, and to transmit it to another company or "data controller". This right applies where you process the data on the basis of consent or a contract and the processing is carried out by automated means.
Does your business need a Data Protection Officer?
The GDPR relies on Data Protection Officers (DPOs) to help organisations monitor their own compliance. However, only organisations meeting certain criteria must appoint one: public authorities, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organisations whose core activities involve large-scale processing of special category data (such as health or biometric data) or data relating to criminal convictions and offences. So, unless your business monitors individuals or processes this kind of data on a large scale as part of its core activity, it is unlikely that you will be required to appoint a DPO. You can still appoint one voluntarily, but if you do, the same duties and independence requirements apply.
Not complying could be (very) expensive
After 25 May 2018, if your business does not comply with the regulation, it could be subject to administrative fines of up to €20 million or 4% of annual worldwide turnover for the preceding financial year (whichever is higher) for the most serious infringements, and up to €10 million or 2% of turnover for others, such as failing to report a breach or failing to keep adequate records.
Your GDPR checklist
Now you understand GDPR in more detail, here’s a checklist that will help you get your business ready:
- Consent – If you rely on consent for any activities (such as marketing), it needs to be freely given, specific, informed and unambiguous, given by a clear affirmative action rather than a pre-ticked box or silence. Consent for processing special category data must be explicit. Keep a record of what each person consented to, when and how.
- Know your data – You'll need to show an understanding of the types of personal and special category data you hold, where you collect them from, why you process them, who you share them with and where they are stored. A data map or record of processing activities is the usual way to evidence this.
- Create Fair Processing Notices – As mentioned above, you're required to tell individuals what you're doing with their personal data, on what legal basis, how long you'll be holding it for and what their privacy rights are. The notice must be easy to find and written in plain language.
- Data security – You need to review and update your security processes to ensure that personal data is protected against unauthorised access and unlawful processing, and against accidental loss, destruction or damage. If you don't currently have any, start now. Measures such as encryption and pseudonymisation are named in the regulation as appropriate safeguards: if breached data was encrypted so that it is unintelligible to an attacker, you will not normally have to notify the affected individuals, and the measures you had in place are taken into account when any penalty is set.
- Train your staff – All employees should be trained on the GDPR and on the process for reporting a suspected or actual data breach. Where a breach is likely to result in a risk to individuals' rights and freedoms, it must be reported to the ICO (the UK supervisory authority) within 72 hours of your becoming aware of it, and where the risk is high the affected individuals must also be told without undue delay. Ensure staff understand what constitutes a personal data breach and build processes to pick up and escalate red flags quickly, because the 72-hour clock starts when anyone in the organisation becomes aware.
- Respond to requests quickly – As mentioned above, you need to respond to requests from individuals without undue delay, and within one month unless a lawful extension applies. Make sure you can find and export all the personal data you hold about a named person within that time.
- Due diligence on your supply chain – You may only use suppliers and contractors who process personal data on your behalf if they provide sufficient guarantees that they meet the regulation's requirements, and you must have a written contract with them setting out their obligations. Carry out due diligence before engaging them, because as the data controller you remain responsible for their handling of your customers' data and can be penalised for their failures.