What Is GDPR?
Many of you will already know all about the General Data Protection Regulation (GDPR), but studies show that a worrying number of professionals and business owners still aren’t aware of the massive changes to data protection law that were introduced back in 2016.
In the UK, we have been working under the Data Protection Act 1998, which was replaced by GDPR in 2016; all organisations across the EU must be compliant with it by 25th May 2018.
In a world where ‘data is king’, GDPR seeks to give individuals more control over how organisations use their personal data and applies large penalties to organisations that fail to comply or that suffer data breaches.
Why Did It Need Changing?
GDPR is the EU’s answer to bringing data protection into the digital age, where personal data is given away so freely in return for ‘free goods’. For example, Facebook offers its platform to you for free in return for your personal data, which is then used through its advertising platform.
It is also updated to cover the modern types of personal data which weren’t included under the old acts. These include online identifiers (such as IP addresses), as well as economic, cultural and mental health data.
In the UK, GDPR will replace the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. This was often seen as ‘guidelines’ because the penalties for not complying were quite vague, and it was hard to govern with each EU country having a different variation of the ‘rules’.
GDPR is much stricter, comes with much larger penalties for non-compliance and gives individuals more rights to control their personal data.
Who Does GDPR Apply To?
Any organisation, whether it is profit-seeking, a charity or a government body, must comply if it is based in the EU or deals with data belonging to EU residents.
While it is the organisation’s responsibility to ensure that data is collected in compliance with GDPR, data processors, such as IT companies who process data on behalf of their clients, must also work under GDPR guidelines.
If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
The penalty for non-compliance under GDPR is up to €20 million, or 4% of annual global turnover – whichever is higher. You may also be liable for compensation claims for damages suffered and, of course, there will be reputational damage.
What Are The New Rules Under GDPR?
GDPR covers a lot of areas so I would encourage you to educate yourself about the finer details. However, the changes needed around consent and data control will probably be the most urgent to correct.
From 25th May 2018, organisations must ensure that all personal data is used lawfully, transparently and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
Explicit consent must be given by the data subject, rather than the ‘opt-out’ approach that many organisations used under the Data Protection Act.
Organisations must keep a record of when and how each individual gave consent, be able to give details of any personal data that is stored upon request and permanently delete data when required.
If you are not currently following these rules, you must update your procedures before the deadline on 25th May 2018.
Where Do I Start?
Click the banner below to download our checklist to help you prepare for GDPR. The 9 steps will point you in the right direction to being compliant before the 25th May.
Please note that these steps are guidelines and do not guarantee compliance.