How GDPR will affect your business
Posted by: Sally Luk
Topics: Privacy, Data Protection, GDPR
GDPR- How will it affect your business?
In an increasingly data-driven world, data security and protection are becoming an important item on the agenda. The new EU General Data Protection Regulation was approved on 14th April 2016 and is set to take effect on 25th May 2018. However, there is still a lot of uncertainty regarding compliance and what needs to be done. Here is a brief explanation of what it is, how it will affect you and what you need to do.
What is EU General Data Protection Regulation (GDPR)?
You can think of GDPR as an improvement on the current Data Protection Act, established in 1995. It was designed to give data subjects (the people whose data is held) a more transparent overview of how their data is managed. This includes who has their data, what data they have, why they have that data and how they may use it. GDPR also focuses on giving data subjects more rights when it comes to giving consent; it has explicitly banned the use of pre-ticked opt-in boxes. "Personal data" under GDPR is defined as any information which could be used to identify an individual. Examples include, but are not limited to: name, address, phone number(s), e-mail addresses and photographs.
GDPR was also developed with the purpose of simplifying the relevant regulations within the European Union. When it comes into effect, it will apply to all businesses and organisations within the EU, including some international companies. Anyone who collects or processes the personal data of EU citizens should comply with GDPR. This does not include domestic uses such as personal address books. The UK government has confirmed that GDPR will take effect immediately on the agreed date, even though the UK is preparing to leave the EU. Once the UK has left the European Union, the new Data Protection Act will mirror GDPR.
The Rights of a Data Subject
GDPR has introduced some new rights to data subjects and reinforced several existing ones. Here are some of the main changes to the rights of a data subject:
The Right to be Informed
This is one of the fundamental principles of GDPR: the data subject has the right to be informed that their personal data is being collected. The collector will need to specify the following:
- What data is being collected
- Why it is being collected
- How long you retain that data
- How you will use it
- Who it will be shared with
The information provided to the subject must be readable, in plain and concise language.
The Right to Rectification
This gives the data subject the right to contact their data processor and correct any inaccurate personal data, such as a change of address or phone number. Rectification requests can be made in person or in writing; the processor must respond within one calendar month.
The Right to Erasure
Also referred to as "the Right to be Forgotten", this allows data subjects to request that their data be completely removed from a processor's database. One example is when the data is no longer relevant to the purpose for which it was originally collected.
The Right to Data Portability
Data portability has been introduced as another way to give data subjects more access to and control over their data. This right allows the subject to request a copy of their data in a "commonly used and machine-readable format". The subject then has the right to transfer or copy this data to another processor.
How do I ensure that I am compliant?
The severity of the penalties for non-compliance has seen global corporations such as Google rewrite their current privacy policies and terms and conditions. The maximum fine for the most serious breaches is 4% of annual global turnover or €20 million (whichever is greater). Serious breaches include not having sufficient consent when processing data.
Conduct a Data Audit
For a UK business, the personal data you hold could include private information about clients, suppliers and contractors. You should document what data you currently hold, where it came from and who it has been shared with. This satisfies the accountability principle of GDPR, which requires all data processing activities to be documented.
When you are collecting personal data from a subject, be it a client, a past or present employee or a trade partner, you are legally required to offer some of your own information in return. This includes explaining your identity, your lawful basis for collecting their data and how you plan to hold and use that data. This is generally referred to as "privacy information" and must be provided in concise, easy-to-understand language without any jargon. If necessary, you should also review the lawful grounds on which your company collects and processes data. This can help you determine how and when your company should seek consent before collecting and processing data. Under the GDPR, previously obtained consent will no longer be valid.
Review your current Privacy Procedures
Given that there are new rights for data subjects, you should also review how responsibilities are currently allocated. If a customer or a supplier requests to amend or erase their personal data, will your system be able to locate the precise data required and destroy it in a safe and secure manner? If the subject requests that a copy of their data be transferred to another processor, can your system provide the most accurate data in a suitable format?
Ensure that all of your employees, however many you have, are fully informed and understand the impact and key principles of GDPR. For large-scale businesses in the UK, you may need to appoint a Data Protection Officer, who should oversee the company's data protection strategy and ensure compliance with the latest regulation. You should also ensure that any business associates, such as suppliers and trade partners, are also GDPR compliant.
If the data processing "is likely to result in a high risk to the rights and freedoms of natural persons", you will additionally need to conduct a Data Protection Impact Assessment (DPIA). This is mandatory if your company processes a large amount of sensitive data, or systematically monitors a publicly accessible area (for example with CCTV). The DPIA helps to clarify the flow of data collection and processing, highlighting any potential risks and how they can be addressed.
Data Breach Procedures
If you do not have one in place already, you should implement a procedure to inform your data subjects in the event of a data breach. This is one of the toughest challenges that the GDPR has presented to businesses and organisations, particularly small businesses. You must inform your data subjects within 72 hours of discovering a breach. Additionally, you must report the breach immediately to the supervisory authority with as much information as possible. Under the GDPR, you should also put in place a procedure to detect and investigate data breaches.
This may seem like a lot of work for small-scale businesses, but full compliance not only keeps you on the right side of the law, it also helps you avoid a hefty fine. In the future, we expect to see certification of compliance, which will help boost consumer confidence. This regulation will also significantly enhance the security of, and your control over, your own personal data.