GDPR – What businesses need to know
The General Data Protection Regulation (GDPR) is a new piece of EU legislation that overhauls the UK’s laws on data protection and cyber security. It will come into force on 25th May 2018, and will apply to businesses and public-sector organisations of all sizes, enforcing new guidelines and regulations for data handling.
It’s something every business needs to prepare for, as it impacts how you communicate with your customers and how you handle any information you store about them. Read our guide below to understand what GDPR will mean for businesses, or you can register for our free ‘An Introduction to GDPR’ online overview.
Who does GDPR apply to?
If you’re currently subject to the Data Protection Act 1998 (DPA), the new GDPR legislation should also apply to you and your business. As under the DPA, the GDPR defines businesses as data processors and data controllers.
As the names suggest, a data controller decides how and why a person’s data is stored or used. A data processor carries out those instructions on behalf of the data controller.
Data processors are subject to the specific regulations of the GDPR, but data controllers are also responsible for ensuring the data processing firms they employ are compliant with the law.
GDPR at a glance
GDPR has been introduced to create more rigorous regulations around how companies use and store data they collect from customers, and to encourage them to take cyber security and data protection more seriously. So, what are the important changes being introduced under GDPR?
Under the Data Protection Act, security breaches could result in fines of up to £500,000. Under the GDPR, this will increase to a maximum of €20 million, or 4% of annual global turnover.
The right to access
Under GDPR, customers of any business or organisation will have the right to access any personal information held about them.
The right to be forgotten
Customers can also ask to be ‘forgotten’ if they withdraw consent for their data to be used, which means companies will have to securely delete their data.
Data Protection Officers
Any company employing over 250 people must employ a Data Protection Officer to oversee the business’s data protection and cyber security measures and procedures.
Smaller reporting window
Any security breach likely to result in ‘a risk for the rights and freedoms of individuals’ must be reported within three days. Data processors will also have to immediately inform their clients (the data controllers) after becoming aware of a data breach.
Personally Identifiable Information (PII)
The definition of PII data is being expanded to include IP addresses, genetic information (DNA), social media posts, photos, and more.
Opt in and not out
Companies will no longer be able to use pre-ticked, or opt out options to gain data consent from customers. A clear, positive opt in tick-box must be used.
Clear terms and policies
Complicated and long-winded terms and conditions will no longer be allowed for gaining consent from customers. Any request for consent on personal information will need to be in a clear, concise and easily accessible form.
The GDPR and the EU
While there may be some uncertainties around GDPR and what happens on the UK’s withdrawal from the European Union, the UK government has stated that the decision to leave the EU will not affect the adoption and enforcement of GDPR.
The scope of GDPR means that any company or organisation with customers who are EU citizens will need to abide by its regulations, no matter where in the world the company is based.
Our team have created a number of animated GIFs for you to share with your staff to highlight key pieces of information relating to GDPR.
These can also be embedded on your website by using the embed code provided.See animated GIFs
How to prepare for GDPR
Preparing your business for the arrival of GDPR can seem daunting, but there are simple ways you can improve your everyday cyber security and personal data handling to make sure that your business is compliant.
An Introduction to Cyber Security
Making sure your staff are confident of their duties and responsibilities is one of the most important things you can do. Increasing awareness of viruses and phishing scams, improving email etiquette, and keeping their physical working spaces clear and secure.Find out more
Data Protection at Work
Along with increasing everyday cyber security measures, your staff will need to be confident of how to handle personal data. This includes how and why you hold personal data, determining if it’s necessary and that it’s held for an appropriate amount of time.Find out more
Confidentiality in the Workplace
Confidentiality of information is enforced on the 'need to know' principle, which forms the cornerstone of information security in today's corporate world. The 'confidentiality bubble' restricts information flows, with both positive and negative consequences.Find out more