As of next May, businesses operating in the UK and European Union (EU) must comply with the General Data Protection Regulation (GDPR), which will replace the current Data Protection Act.
Whether you’re ready for it or not, the General Data Protection Regulation (GDPR) is coming, and it will have an impact on your business wherever you’re operating within the UK or European Union (EU).
As of May 25th 2018, the current Data Protection Act will be replaced by the GDPR. The new regulation will not only build on the existing data protection laws, but will also add provisions covering newer technology, along with the obligations and responsibilities organisations will have when handling the data they hold on EU citizens.
Across Britain, MPs and government authorities are urging businesses to prepare for the upcoming regulation to avoid facing fines of €20 million or four per cent of a company's annual global turnover - whichever is higher. Ahead of this, it is crucial that businesses understand and are fully aware of the facts surrounding GDPR. Here we take a look:
If your company processes the personal data of EU citizens, whether in a B2B or B2C context, the GDPR will apply to you, wherever in the world your business operates. While the GDPR is technically an EU initiative, it will have a global impact, regardless of the UK’s Brexit decision.
Although the definition of ‘personal data’ was already rather broad, it will be expanded further. As of next May, it will include any information that can be used to identify an individual, such as business contact data and genetic, mental, cultural, economic and social information.
If your business processes personal data on a large scale, whether it is a public body or another kind of entity, you will need to appoint a Data Protection Officer (DPO).
This does not depend on the size of your business or organisation but on the amount of data you process on a regular basis. This means that SMEs and small businesses may have to hire somebody to ensure that their personal data processes, systems and storage conform to the GDPR, and that this can be evidenced should a data breach occur.
Because the risk of a data breach has increased, Privacy Impact Assessments (PIAs) will be introduced so that businesses take steps to mitigate the knock-on risk to individuals.
Any project within a business that involves personal data must have a PIA carried out before it begins. The DPO will then have to make sure the project complies with the GDPR while it runs.
Under the GDPR, the information a business provides to an individual when seeking ‘valid consent’ must be clear and simple. In addition, the business will have to communicate fully how the data will be processed.
Valid consent must be actively obtained from the user, rather than assumed to have been given.
Once the GDPR is enforced, businesses will not be able to hold or retain any data for longer than is necessary. Individuals can exercise the ‘right to be forgotten’, whereby an organisation must delete all data it holds on that person in full. In addition, companies will not be able to use data for purposes other than those originally agreed. If they wish to do so, new and updated consent must be obtained.
Be prepared for the upcoming GDPR changes by signing up to our free online course.