On 25 May 2018 the General Data Protection Regulation (GDPR) comes into force. Yet, according to recent research by Experian, nearly half (48%) of UK businesses are still not prepared for the changes.
The new rules are a response to advances in technology and data collection and to the growing threat of cyber-attacks and data breaches. The GDPR significantly strengthens the previous regime, giving individuals greater control over their data while increasing the onus on organisations to keep that data safe.
Key changes include a shift from 'opt out' consent to consent that must be explicitly 'opt in', and stronger rights for individuals to access their data. Businesses also face a greater obligation to document what they are doing to protect personal data and to build 'privacy by design' into everything they do.
The maximum fine for non-compliance also increases, to €20m or 4% of annual worldwide turnover, whichever is higher. So, if you are not already on top of your responsibilities, it's time to get prepared. Here is an outline of those responsibilities, highlighting the key changes under the EU GDPR:
What data is covered? The GDPR uses the term 'personal data', which is broader than the US term Personally Identifiable Information (PII): it means any information relating to an identified or identifiable living individual. That obviously includes name, email address, telephone number and date of birth, but it also covers online identifiers such as IP addresses and cookie IDs, location data such as GPS traces, and pseudonymised data that you could re-link to a person. Health information, along with other 'special category' data (for example racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and genetic or biometric data), attracts additional protection and may only be processed under a narrower set of conditions.
Register with the ICO If you collect, store or use personal information, you must register with the Information Commissioner's Office (ICO); details are on the ICO's website. There are a few exemptions, but most businesses need to register. Note that from 25 May 2018 the old 'notification' under the Data Protection Act is replaced by an annual data protection fee payable to the ICO, again unless an exemption applies.
The key principles that you must comply with are:
Process data justly and fairly
You must have a lawful basis for storing and using personal data. The data may be necessary for providing your product or service, and therefore for performing your contract with the customer, or the customer must have given consent for you to store and use it. Contract and consent are the two bases most small businesses rely on, but the GDPR also recognises others, such as a legal obligation or your legitimate interests, and whichever basis you use you must be able to justify and document it. Under the new rules consent must be a clear, affirmative 'opt in' rather than an 'opt out': no pre-ticked boxes, and no sneaking a tiny opt-out box where nobody can read it!
Only use data for specified lawful purposes
Data must be adequate and not excessive
You should only hold as much information on individuals as you need for the purpose you collected it for. Anything you don't need should be destroyed, and ideally not collected in the first place.
Personal data should be accurate and up-to-date
If you're holding a lot of data, it can be difficult to ensure it is all completely accurate. But you must take reasonable steps to keep it as accurate and up to date as possible, with processes in place to correct or destroy old or inaccurate records, including when an individual tells you a record about them is wrong.
It shouldn't be kept longer than necessary
There is no set minimum or maximum period for keeping personal data, but you should decide how long you need it, record that in a retention policy, and destroy (or anonymise) it once it has fulfilled its purpose. This also helps with point four, as it reduces the chance of holding out-of-date, inaccurate data.
Personal data must be kept secure
You must have sufficient security to prevent personal data being compromised, whether deliberately or accidentally. That means technical measures (the GDPR specifically mentions encryption and pseudonymisation, and the ability to restore access to data promptly after an incident) as well as robust processes and procedures, including adequate training for your staff. You must also be ready to respond to a breach if the worst happens: under the GDPR a breach that is likely to put individuals at risk must be reported to the ICO without undue delay and, where feasible, within 72 hours of your becoming aware of it, and the affected individuals must be told directly where the risk to them is high.
It should be processed in accordance with individuals' data rights
There are now eight individual rights to be aware of, up from the six listed in the prior Data Protection Act (DPA): the right to be informed, of access, to rectification, to erasure, to restrict processing, to data portability (receiving their data in a machine-readable format, or having it moved from one provider to another), to object, and rights relating to automated decision-making and profiling. Companies also have less time to comply with requests than under the DPA: one month rather than 40 days, extendable by a further two months for complex or numerous requests provided you tell the individual within the first month. You can also no longer charge the old £10 fee for a subject access request, except where a request is manifestly unfounded or excessive.
You must be able to demonstrate compliance
This aspect of the law has been strengthened significantly in the GDPR, which states that businesses must put in place measures to show that they are complying with the rules (the 'accountability' principle). This includes tools such as internal data protection policies, staff training, internal audits, records of your processing activities, and reviews of internal HR policies. The idea is to carry out 'privacy by design', whereby data protection is hardwired into the processes and behaviours of the organisation. If you carry out large-scale, regular and systematic monitoring of individuals, process special category data (such as health data) or criminal conviction data on a large scale, or are a public authority, you must also appoint a Data Protection Officer. For any processing that is likely to be high risk to individuals, you must also carry out a Data Protection Impact Assessment before you start.
Incorporating the changes is likely to be more straightforward for startups and small businesses than for larger organisations. Even so, it is advisable to map all the personal data you hold, where and how it is stored, who you share it with and on what lawful basis, while checking all your processes and your privacy and security policies for gaps. If you need more detail on the requirements and your responsibilities, consult the ICO.
And don't forget, if the worst does happen, cyber insurance can cover you for a breach of data protection laws (where insurable by law) and your liability for handling data. It can also provide cover for extortion, system rectification costs, plus PR expenses and financial loss due to system downtime. To find out more, drop us a line at email@example.com, or give us a call on 0333 772 0759.