In case you haven’t heard, we’re just a year away from the biggest change in data protection law since the 1990s.
The GDPR is a new regulation aimed at strengthening data protection for all individuals within the EU, and yes, despite Brexit, UK companies are going to be considerably affected by its implementation. Evidence suggests that businesses in the UK aren’t properly equipped to deal with the regulation, or are simply misinformed about what’s required of them. However, with enough planning, preparing for GDPR doesn’t have to be the scary elephant in the room.
“Everybody needs to make GDPR a key organisational objective over the next 12 months,” says Andy Jarvis, Head of Sales at Falanx Cyber Defence. “The UK government has formally acknowledged that the UK will be adhering to the regulation, regardless of the ongoing Brexit process. With fines of 4% of global turnover or €20 million, it’s not something that can be ignored by any business, so it’s important to be properly informed.”
With that in mind, here are 5 things you need to know when preparing for GDPR.
What is GDPR?
As an EU regulation, GDPR will automatically supersede the current Data Protection Act 1998 in the UK. In essence, the law aims to enforce tougher regulations and fines for any business that holds the data of EU citizens, and give individuals more rights over their personal data. It also aims to address loopholes in the current legislation that do not account for digital advancements that have occurred since 1998, such as the cloud.
When does it come into effect?
GDPR comes into effect on the 25th May 2018.
What data is affected?
Under the GDPR, the definition of personal data has been expanded – anything that could be used to identify an individual is now considered personal data. For some organisations, there shouldn’t be a significant change in the data that is affected. However, for many, the expanded definition will cover more of the data that they hold. Effective preparation for GDPR includes knowing what data you hold and which of it will be affected, as parts of a business that previously did not need to worry about data protection are now likely to be affected. Additions to the data affected include:
- Personal data: identifiers such as name and location data, but also online identifiers, such as IP addresses, mobile device IDs and cookies.
- Sensitive personal data: genetic data or biometric data, health and sex life information, political or religious belief, trade-union affiliations, and racial or ethnic information.
Am I liable if something goes wrong?
Previously, only the data controller would be liable in the event of a data breach. Under the new regulation, however, any business that comes into contact with the data of EU citizens is liable – you don’t have to be in an EU member state.
Data processors and data controllers are now jointly liable for the security of the data they handle, and can face huge consequences for a failure to comply – 4% of global turnover, or a €20 million fine (whichever figure is higher). The penalties also increase drastically compared with the current legislation. TalkTalk’s 2016 breach cost them £400,000 – under GDPR they would have been fined around £59 million. Fines at this rate would be enough to cripple smaller businesses, so documenting and revising data processing agreements and ensuring that your business meets the required standards is a must.
How do I ensure compliance and what do I do in the event of a breach?
Identify where your company’s data is, who has access to it, and how it is processed, as well as any gaps where your organisation doesn’t already comply. Put a regular review process in place so that this picture of your data stays current.
Undertake a Privacy Impact Assessment (PIA). This is an assessment of your data, how it is collected and how it can be used, as well as how it is protected. This is essential when you’re implementing a new IT system, or sharing data in new ways or with new people.
Comply with the ‘right to be forgotten’. Under GDPR, you must not use data for purposes other than the one it was originally collected for, and you must destroy any data held about an individual at their request.
Create a contingency plan. GDPR includes a new requirement that businesses must inform the relevant data protection authority in the event of a breach. Any business that suffers a data breach must inform the ICO within 72 hours. Make sure you’re equipped to identify what kind of data has been compromised, who and how many individuals are affected, what the risks are, and what you are doing to recover and minimise risk.
How do I equip my staff and colleagues?
As a liable organisation, it is your responsibility to ensure that your staff and colleagues are well equipped to handle the demands of GDPR and to maintain compliance during the everyday handling of data. When preparing for GDPR, it is worth investigating what options are available for training staff in the regulation itself, the secure handling of data, how to maintain your organisation’s data, and how to respond in the event of a breach. Some organisations, such as Local Authorities or others that monitor data subjects on a large scale, will have to employ a Data Protection Officer (DPO). Again, it’s the employer’s responsibility to ensure that the DPO has sufficient training.