A simple guide to the new data protection legislation
Big data is big news. From the current Cambridge Analytica scandal to the TalkTalk hacking court case, there’s no escaping it. In a digital age, governments, businesses and consumers are becoming more and more concerned about the collection and use of personal data, and rightly so!
By now you should have heard about the impending introduction of the GDPR – a new piece of legislation being brought in by the EU this year. But exactly what is it, and what impact will it have on your business? Grab a cuppa and we’ll run you through the basics.
What is it?
GDPR stands for General Data Protection Regulation. It’s designed to give EU citizens more protection and control over their personal data, as well as to unify data protection standards across the European Union. It comes into force on 25th May 2018, which means businesses need to be ready – and soon.
Does my business have to comply?
The new rules will apply to any organisation operating within the EU, as well as those based outside of European shores but doing business within it. Whether you’re a huge conglomerate with offices on every continent, or a sole trader working from home, if you offer goods and services anywhere in Europe, you’ll have to comply.
What do I need to do?
Well, as you might expect with a new law from Brussels, the answer is, ‘it depends’. The rules are different for SMEs with fewer than 250 employees, and the requirements vary according to exactly what personal data you hold and how much of it, but broadly speaking, you must:
- Understand what personal data you hold, where you hold it, and where it came from. In larger firms this will need to be carefully documented. If an individual comes to you claiming their ‘right to be forgotten’, this will mean you can easily delete their information.
- Ensure personal data is gathered lawfully and with consent. This applies to data you’ve already collected. Consents such as email addresses for marketing information may need to be refreshed.
- Review your current privacy policies and ensure they’re GDPR compliant.
- Ensure you have processes in place to detect and report any privacy breach within 72 hours of it taking place. This includes breaches from inside your company, which is where most data violations happen.
- Understand whether you need to appoint a ‘Data Protection Officer’ – this depends on the type and amount of personal data you process, and is mandatory for companies that collect sensitive information such as records of health, criminal convictions, religious or political affiliations etc. on a ‘large scale’.
- Educate yourself and all your employees on what GDPR means for your business. Ignorance is not an excuse.
If you don’t comply, you could get slapped with a fine of up to 4% of your annual global turnover.
What about Brexit?
It doesn’t matter – when May 2018 rolls around, the UK will still be part of the EU and will have to comply with the GDPR.
What happens after we bid our cousins on the continent goodbye is – much like the rest of the finer details – currently unknown. But evidence given to a Select Committee in 2016 stated that after the split, they would ‘look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.’
Put simply, the idea of regulated data protection for businesses is not going away any time soon.
As with most new legislation, it’s complicated, and its full impact depends on a myriad of factors that are unique to every business. While we’ve covered the basics, if you need a little more help, the Information Commissioner’s Office is currently offering GDPR advice to small businesses via its helpline, and it provides a host of no-nonsense guides and detailed advice directly on its site.