A year from today, on 25 May 2018, the General Data Protection Regulation (GDPR) will come into force in the UK (and across the rest of the EU) and replace the UK’s own Data Protection Act 1998.
According to the Flavourfy Digital State of Data Security in Dorset 2017 survey, 51% of the county’s businesses have yet to start thinking about their approach to the GDPR; we suspect that is a fair indicator for the whole of the UK. More worryingly, it is also being reported that a quarter of UK businesses have suspended their GDPR compliance plans because they think it won’t be relevant once the UK leaves the EU. That is not true: the UK will not leave the EU until around a year after the Regulation becomes UK law, and the Regulation is likely to remain a key part of UK legislation post-Brexit too.
So, if you haven’t already started thinking about your business’s own journey to compliance and how your business will be affected by the GDPR, now is probably a good time to start. To get you on your way, we’ve summarised the top 10 changes that the GDPR will bring to most businesses across the UK on 25 May 2018.
1. Data Processors
As well as applying directly across the whole of the EU, the Regulation extends the data protection principles to data processors: the organisations that process personal data on behalf of other organisations (the data controllers). Until now only controllers carried those obligations.
2. Definition of Personal Data
Whilst not a big change, the GDPR extends the current definition of personal data to explicitly include online identifiers. So, if you have been wondering whether an email address, an online username or nickname, or an IP address counts as personal data, there is now no doubt: it does.
3. Children’s Data
The GDPR introduces new rules that will affect businesses whose services and products are of interest to children. Not only will they need to verify the age of the data subject whose data they are collecting, they will also need to obtain a parent’s or guardian’s consent and provide information and privacy notices that a child can understand.
4. Consent
This is probably the biggest issue for most businesses: the whole consent mechanism is changing. At the point where they collect data, businesses will need to give clear messaging about the purposes for which it is being collected, allow only a positive opt-in (no more “untick this box” or implied consent), and keep a record of how and where each consent was obtained.
5. Individuals’ Rights
The Data Protection Act already gives data subjects comprehensive rights over the use of their data (e.g. subject access requests and the right to withdraw consent for marketing), but the GDPR introduces a couple of new ones: the right to be forgotten (erasure) and the right to data portability, i.e. to receive your data in a machine-readable format so it can be used elsewhere.
6. Records of Processing
Businesses with 250 or more employees, and smaller businesses that carry out high-risk processing, are required to keep a record of their processing activities and processes.
7. Data Protection by Design
Currently Privacy Impact Assessments (PIAs) are an ICO best practice, but under the GDPR businesses will need to be able to demonstrate that they have assessed the impact on data protection and on users’ rights of new services and technologies, and a formal Data Protection Impact Assessment becomes mandatory where the processing is likely to pose a high risk to individuals.
8. Data Protection Officers
Large businesses, and those that process personal data on a large scale, will have to appoint (either directly or through an outsourced provider) a Data Protection Officer: an individual responsible, reporting at Board level, for GDPR compliance across the business.
9. Breach Notifications
The GDPR requires all organisations to report certain types of data breach (those where there is a risk of harm to individuals) to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and in some circumstances to notify the affected data subjects themselves.
10. Fines
Fines for organisations found to be in breach of the GDPR can be as high as 4% of global annual turnover or €20m, whichever is the higher.
So, if you’re looking at that list and thinking your business could be affected, now is the time to start putting together a plan of action. It will need to cover preparing your business, auditing your data and systems, and reviewing and updating your company policies. Your approach to the ongoing management of data protection across the business will also need to change.
And remember, you can always sign up to the Digital Compliance Hub for help with reaching compliance within the deadline.