What is GDPR? and how do I become GDPR complaint?
If you’re involved in business – whether that’s running your own or working within someone else’s, you should have heard about the GDPR (General Data Protection Regulation) by now. Since it was first announced, GDPR has been the subject of much scrutiny and controversy from the business world. But now that we are counting down to implementation (just over 6 months to go!), many business owners are starting to worry. ‘Am I compliant?’ ‘What do I have to do to become compliant?’ ‘What will happen if I’m not compliant?’. These are all questions we have heard from business owners across the country over the last few months. So now, we want to answer some of those questions so your business can get on its way to GDPR compliance.
What Is GDPR?
GDPR is an EU regulation designed to strengthen and unify data protection for the citizens of all EU countries. It replaces the existing 1995 EU directive (95/4/c) and our own Data Protection Act. GDPR will govern how the data of EU citizens should be handled, stored and destroyed at every point. It also addresses the export and handling of data outside the EU, which makes it much more wide reaching than any other regulation. Headline statistics about the regulation includes; hefty fines for non-compliance, mandatory security notifications, new rules around user consent, a clearer definition around what could be personal data (such as IP addresses) and greater rights for people to access – or request deletion of – the information companies hold on them.
That also means that even if we do exit the EU, UK businesses that deal with EU data will still need to be compliant. When it comes into full effect, it will update and replace current Data Protection laws in the UK. It aims to give a single set of rules for everyone to follow, and will help each member state (or country) to establish an independent Supervisory Authority of their own. This authority will be responsible for hearing investigative complaints, sanctioning administrative offences and so on. A European Data Protection Board will oversee all SA’s to provide compliance advice and coordination, ensuring that this single set of rules is followed by all. Any institution or business that deals with the data of EU citizens – even if it’s just 1 citizen – must adhere to GDPR. Unlike other EU laws (which typically come in the form of directives) this is a formal regulation, which means it doesn’t require individual governments to pass laws and is automatically legally binding for all EU member countries.
But despite all the talks of upcoming launch dates and a sudden mad panic to get everything in order, GDPR isn’t all that new. The EU (and by extension the UK) actually officially adopted GDPR in April 2016, and we are now coming to the end of a 2 year transition period designed to give businesses and other organisations time to get their systems ready and their house in order by the final implementation date of the 25th of May 2018.
How Do I Become GDPR Complaint?
But all of this sounds very complicated, especially for smaller businesses who might not have the resources to invest in heavy changes to their business. So what do you need to do in order to be compliant with GDPR?
Well, first you need to understand if you are a controller, processor or both, to help clear things up, the classifications breakdown is as follows:
Controller – The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Processor – A natural person, public authority, agency or other body which processes personal data on behalf of the controller.
So, the organisations that determine the means of processing personal data are controllers, regardless of whether they directly collect the data from data subjects. For example, a bank (controller) collects the data of its clients when they open an account, but it could be another organisation (processor) that stores, digitizes, and catalogues all the information produced on paper by the bank. These companies can be cloud providers or document management companies. Both organisations (controller and processor) are responsible for handling the personal data of these customers.
Under GDPR, some businesses will also need to appoint a data protection officer, depending on what type of business they are and the amount of personal data processed. They will be in charge of making sure your business is compliant with GDPR, assist with the running of Data Privacy Impact Assessments (DPIA’s) and liaising with the Supervisory Authority. This leads us to the main business area GDPR will impact. Most company data is now held digitally, so many businesses should be using this preparation period to analyse what data is held, what they need to hold, for how long and improve their IT and security systems. Digital storage now counts for 97% of all data storage, with the world’s total digital storage space now exceeding 600 exabytes (that’s 295 billion gigabytes).
GDPR defines personal data as:
Basic identity information such as name, address, phone numbers and ID numbers
Web data such as location, IP address cookie data and RFID tags
Sensitive Data would be:
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
So you will need to assess how your business stores this information and ensure it is up to the right security standards. You will also need to review your data acquisition processes, as GDPR only allows businesses to store and process personal data if certain rules are met. These include individual consent, if there is a contract exercised, when it is in the vital interests of the data subject, or when the legitimate interest of the data subject is to meet the legal obligation of the controller, to name just a few. Data must also be destroyed to ensure it is kept for “no longer than is necessary for the purposes for which the personal data are processed”. Personal data must also be portable from one company to another, and policies must be in place to allow companies to erase personal data on request.
What Happens If I’m Not Compliant?
Failure to comply with GDPR will leave your business open to some pretty hefty penalties. For starters, companies found in breach of GDPR will be subject to a fine of up to 4% of their global turnover, or 20 million euros – whichever amount is higher. For many businesses, fines of this scale could easily lead to insolvency, and the government won’t treat you with leniency just because you’re small. Data breaches are common and increase in severity and scale every day, so GDPR is one of the ways governments are going to be cracking down on poor data security. As the EU stated – no organisation is bulletproof – so it’s important that every organisation understand their obligations under the new regulation.
The Awkward Question
Of course, many of you may be thinking ‘but we’re leaving the EU, so surely it doesn’t matter?’ And that’s where you’re wrong. Because GDPR applies to any organisation that deals with EU citizen data, many British businesses will need to become compliant regardless. Even if that wasn’t the case, the regulation will come into force well before the UK leaves the EU, and the government has confirmed that it will be passed into UK law and have begun the process with the Data Protection Bill. So no matter what, you need to get compliant.
At Bridewell we have been helping businesses prepare for GDPR for a long time. Our consultants are fully trained in every element of GDPR, and are on hand to help you understand how it will affect you and the different element of your business. On top of general consulting, we can also provide hands on support, drafting of policies and practical remedial work to bring you up to speed in no time. For more information, get in touch with us today.