How will GDPR affect my business?
Are you prepared for GDPR? Find out what your business needs to do to comply.
As you are probably aware by now, there’s a new European data protection regulation due to come into force next year, on the 25th of May to be precise. It’s the General Data Protection Regulation (GDPR) and if you run a business that uses computers it’s something you most definitely need to know about.
Until now, all EU states have had their own data protection legislation. The UK’s version is the Data Protection Act, but this dates from 1998. That’s a lifetime in technology terms: it’s the year Google was founded and the year Amazon celebrated its fourth birthday. Most people in 1998 were still accessing the internet using slow dial-up connections.
The idea of GDPR is to bring data protection legislation into the 21st century and also to pull together the rules across the European Union. It’s aimed at giving citizens more protection in terms of how their personal information is stored and used. There will be an effect on companies both inside and outside the EU, so you may be asking ‘How will GDPR affect my business?’
Feel like a natural person
When Aretha Franklin sang about feeling like a natural woman in 1967 she clearly didn’t have GDPR in mind. But the GDPR legislation is built around the concept of a ‘natural person’. This is EU-speak for an individual. The legislation is intended to ensure that any data held about individuals by companies and other organisations is looked after in such a way as to protect their rights and privacy.
GDPR will ultimately ensure consistency of all data protection laws and of citizens’ rights surrounding what happens to their data across the EU. It will, therefore, affect pretty much everyone, from ‘natural’ people to businesses, charities and other organisations.
For individuals, it means having the right to be able to see what data is being held about you and, in some circumstances, having it removed. For businesses and other organisations, it means having to abide by rules on how to look after data and report any breaches in a timely manner.
The business implications of GDPR
So, it will help me as an individual but how will GDPR affect my business? Organisations that hold data are divided by the legislation into ‘controllers’ and ‘processors’. The controller – who doesn’t need to wear a top hat and tails à la Thomas the Tank Engine – looks after how and why personal data needs to be held and what it’s used for.
The processor does the actual processing on the controller’s behalf. Although both controller and processor may well be within the same organisation, for the purposes of GDPR they are treated as separate entities. None of this is all that different from the requirements of the existing UK Data Protection Act, so if your business already needs to comply with that you can be pretty much certain you’ll need to comply with GDPR as well.
But what do you need to do to comply? For processors, GDPR sets out a number of requirements that must be met. As a processor, you have to keep records of any personal data you hold and any processing activities that you carry out on it. GDPR imposes some penalties for non-compliance, so it’s worth making sure you get things right. Although someone else may be doing the processing of your data, it doesn’t mean you can get away without doing anything. Under GDPR, controllers will need to ensure that all the dealings they have with their processors are in accordance with the GDPR rules.
GDPR applies, as you would expect, to data processing carried out by organisations that operate within the EU. But it has implications for organisations outside the Union that supply goods and services to EU citizens.
There are some exceptions to GDPR but they are pretty specialised. They are concerned with cases such as data used for law enforcement, for national security, and for processing done by individuals simply for their own household or personal use.
What must your business do to comply with GDPR?
When you ask yourself ‘How will GDPR affect my business?’ the key thing is what you have to do to make sure you comply with the rules. The first thing is that you have to make someone in your company responsible. Under the GDPR, you must appoint a data protection officer (DPO) if you:
• Are a public authority (except for courts acting in their judicial capacity)
• Carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking)
• Carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.
It’s vital to understand what data is covered by the act and identify if you actually hold any of it. GDPR is all about data from which an individual can be personally identified. As well as the obvious items such as names and addresses, account numbers and the like which already fall under the umbrella of the Data Protection Act, GDPR extends the definition of this data to take in things like IP addresses which may allow someone to be identified.
The first thing you need to do is carry out an audit of what information you have that’s likely to be covered by GDPR. Once you’ve done that, take some time to think about whether you really need all of this information. The less you hold the less you need to worry about compliance issues.
As we’ve already seen, GDPR divides business functions into controllers and processors. It may be that processing gets contracted out to another company, for example, if your IT isn’t in-house or if you’re using a cloud service. In these situations, both parties need to understand what is required of them in order that they can comply with GDPR rules.
The rights of the individual
While GDPR requires you to look after data properly, as does the current Data Protection Act, GDPR gives individuals some rights that will have an impact on businesses. For example, they have the right to find out what information is being kept about them. As a business, you will need to be able to handle these requests. Requests can be for an overview or for something more detailed.
What’s key is that all access requests have to be dealt with ‘without undue delay’. This means that you must have a mechanism in place to deal with them when GDPR comes into force from 25th May 2018. If you don’t respond to a request quickly enough it could lead to you becoming ‘non-compliant’ and if this happens you could be hit with a penalty.
GDPR also gives individuals a right to have their data removed, the so-called ‘right to erasure’. You may also have seen this referred to as the ‘right to be forgotten’. What this means is that an individual can ask to have their personal data removed from your systems. This isn’t an absolute right, however. Under GDPR, the right to erasure only applies in some situations. Among these are: where the data is no longer needed for its original purpose; where the individual has withdrawn their consent for you to hold the data; or where a person objects to the processing and there is no legitimate reason for you to continue it.
In addition, removal of records may be requested where the data is unlawfully processed – for example if it’s held in breach of GDPR; where the data has to be removed for legal reasons; and where the data is processed in order to offer services to a child. GDPR has specific provisions for processing data relating to children so you will need to understand these if your business or organisation deals with children in some way.
The UK already had a right to removal under the old Data Protection Act, but it only applied where the data was processed in what the act described as a way that caused ‘damage or distress’. GDPR doesn’t say this, but in the event that distress or damage has been caused there is likely to be a much stronger case for the subject to demand removal of their information.
In certain circumstances, an organisation has the right to refuse to remove data. Again these are fairly specialist including areas such as freedom of expression, public interest or legal obligation, public health, archiving in the public interest, and data that’s held only for research and statistical purposes.
If you share data with other organisations for some reason then there is some added complication. If you have shared data about an individual with another company, for example, and you are subsequently asked to delete it then you will need to inform all of the third parties to which you have disclosed it of the removal request. This means it’s important for compliance purposes to keep accurate records of when, why and to whom you disclose information.
Planning for disaster
If things go wrong and you experience a breach where personal data gets exposed, then you have more responsibilities in order to comply with GDPR. The key thing is that you will need to notify a regulator of the breach within 72 hours of it happening. In the UK this regulator will be the Information Commissioner’s Office (ICO).
But before you make the disclosure, you’ll need to have gathered some information. You’ll need an understanding of how the breach occurred. This must include detail on how the hackers got in, what data has been, or may have been, exposed, and where the attack originated. In the heat of dealing with a breach, this might prove difficult, so before GDPR comes into force you really need to think about putting in place a plan to gather this information, along with all of the other actions you need to take to respond to a breach.
Nobody enjoys planning for disaster, but doing so means that if the worst should happen, you won’t end up rushing around to locate all of the detail needed to make a report. Once more GDPR imposes penalties if you don’t comply.
We’ve mentioned a couple of times that you can be penalised for non-compliance with GDPR. These penalties can be quite severe so, just in case you weren’t taking this seriously enough, you need to understand what they are.
Under GDPR, non-compliance can land you with a fine of up to four percent of your business’s annual revenue (global revenue, by the way, not just in the EU) or €20,000,000, whichever happens to be the higher figure.
Fines levied under GDPR are meant to reflect the severity of any breach that occurs as well as how your organisation has dealt with it. This is just another reason why it’s important for you to have plans in place well before the legislation comes into force. If you can prove that you have taken all of the necessary steps and made suitable provisions to safeguard the integrity, confidentiality and accessibility of the personal information you hold, any fine you do receive will take that into account and won’t be as severe.
At the time of writing, there is not yet a mechanism for anyone to check up on whether you are complying with GDPR in the way you hold data. However, this doesn’t mean there won’t be in future. But if a breach does happen, the way you held and safeguarded the information is going to come under the spotlight. If there’s any evidence of non-compliance then any fines imposed are likely to be higher.
According to EUGDPR.org, the EU General Data Protection Regulation is the most important change in data privacy regulation in 20 years.