The General Data Protection Regulation (known as GDPR, and formally as EU Regulation 2016/679) is a law that becomes enforceable in 2018. It is designed to give everyone in the EU greater control over their own personal data and to unify data protection law across the EU. In an age where customer data is gathered rapidly, in bulk, and often with no certainty over how it will be used, the EU considers it important that the general public have a much better understanding of, and say in, how their data is used. GDPR will have fairly large implications for a significant number of UK businesses, especially those that conduct the majority of their business online or direct to consumers. In this article, we go through the specifics of the regulation, what it will mean for your business in practice, and how you can prepare.
GDPR was adopted in April 2016, with a two-year transition period to allow businesses to understand and prepare for it. On 25th May 2018 it becomes fully enforceable, which means that all businesses within its scope must adhere to it or face enforcement action from their national supervisory authority (the ICO in the UK). Because GDPR is an EU regulation rather than a directive, it applies directly in every member state without needing to be transposed into national law, and it supersedes the UK Data Protection Act 1998 where applicable. Fines for failing to adhere to GDPR can reach 20 million euros or 4% of worldwide annual turnover, whichever is higher, making this a hugely important consideration.
At its core, GDPR means that those who collect and use personal data of people in the EU (whether the organisation is based in the EU or not) must have a lawful basis for doing so, that people are told what data is held about them and why, and that people can have their data erased where they have grounds to require it. One of the most common questions asked about the incoming law is "does GDPR apply to my business?". GDPR applies to both 'controllers' and 'processors'. A controller is the organisation that decides why and how personal data is processed, which could be anyone from a one-person online retailer to a multinational corporation. A processor is any person or organisation that handles the data on the controller's behalf, even if it makes no decisions about how the data is used. This could, for example, be a data collection agency, or your email marketing agency if you use one. Note that a processor is still directly liable under GDPR for its own obligations, such as keeping the data secure.
The EU also gives a fairly broad definition as to what personal data actually entails. Their statement on the matter is as follows:
"Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
In addition, the EU sets out a limited number of reasons (the 'lawful bases' in Article 6 of the regulation) that give a controller or processor legal grounds for collecting and retaining such data: the individual has given consent; processing is necessary to perform a contract with the individual; processing is necessary to comply with a legal obligation; processing is necessary to protect someone's vital interests; processing is necessary for a task carried out in the public interest or under official authority; or processing is necessary for the legitimate interests of the controller or a third party, provided those interests are not overridden by the individual's rights.
In practice, GDPR means that small and large businesses alike will need to make sure that they have a sound lawful basis for the data collection they carry out, or that they have obtained specific consent for it. These are the two biggest considerations to make. Even if you run a small cafe and want to collect email addresses from customers so you can tell them about promotions or events, you must explain why you are collecting them and obtain their consent, and be able to show later that you did so.
There is still time for businesses to get their affairs in order before GDPR becomes enforceable. Larger organisations should have their IT department working on the transition, but small businesses need to be thinking about their plans too.
There are a large number of freely available resources to help, but businesses that believe GDPR will have a significant impact on them should undertake training. Cyber security courses in particular are likely to cover material relevant to GDPR. The Virtual College Data Protection course, for example, covers your responsibilities under the current law, the Data Protection Act 1998.
Some of the major considerations and questions you should think about prior to the enforcement date include the following:
Understanding & Awareness - Does everyone relevant in the business understand what GDPR entails, and what their particular responsibilities to it are? Are there specific people responsible for overseeing GDPR implementation? Do they need to learn about GDPR in detail?
Currently Held Data - Do you have comprehensive knowledge of what data you currently hold about EU citizens, and do you need to conduct an audit?
Dealing with Requests - Under GDPR, individuals can make subject access requests to find out what data is held about them, and the information must generally be provided free of charge within one month. Have you considered how you will locate the data and respond to these requests?
Lawful Processing - Have you considered the legal basis for collecting the information that you do? Do you need to gain consent?
Gaining Consent - What processes are you going to put in place to make sure you have consent from your customers/users, and how will you store this? If you are collecting information on children, how will you gain consent from their parent or guardian?
Cyber security - GDPR requires personal data breaches that are likely to pose a risk to individuals to be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them. Do you have policies and technical controls in place to guard against breaches, can you detect one when it happens, and do you know how to report it? For cyber security training, which may help you meet certain elements of GDPR, our course on the subject may be useful.