Taking data protection seriously has always been important, but from the 25th May 2018 it’s going to be vital.
GDPR (General Data Protection Regulation) is a new EU-wide directive that comes into force on this date. Businesses large and small found to be not meeting the requirements could soon find themselves exposed to reputational risk and significant (potentially huge) fines. So, if you run a business or are self employed in the financial services sector, or you provide a service to a company that is, you need to put GDPR awareness and preparation at the top of your to-do list, because from the 26th of May this year, you must be able to demonstrate that good data protection is a fundamental part of your business’s policies and practices.
Here are some of the key things you need to consider:
You can’t afford to ignore it
If you’re reading this, it probably affects you. If your business involves handling, processing or storing personal data of EU citizens or you contract other businesses or organisations to do the same, the business is either a ‘controller’ or ‘processor’ of data and therefore will fall inside the realm of the GDPR. Non compliance could mean fines of 4% of global turnover or 20 million Euros, whichever is the greater.
Brexit doesn’t affect it
However Brexit affects our trading relationship with the EU in future, the GDPR affects UK businesses until at least the end of March 2019 and in all likelihood will be carried on in UK law after Brexit anyway.
The definition of personal data is changing
If you are aware of the Data Protection Act, 1998 then you should also be aware that under GDPR, personal data now includes IP Addresses and Pseudonymised Data. For information, pseudonymised data is that which is that held in such a way that it can’t be identified as a specific individual without another layer of information being added. For example, a customer is given a username (XYZ321) which is used on all records but can’t be identified as being John Smith unless it’s processed with a separate mapping table matching names with customer numbers. Following GDPR this sort of data will be considered the same way as all other data currently covered by the Data Protection Act, 1998.
Rules around ‘consent’ are getting tougher
Those ‘by using this site you are agreeing to xyz…’ website messages will no longer cut it. Other changes include:
1. Consent not being given by a pre-ticked opt-in box on your website
2. You must make it very easy and straightforward for people to withdraw consent
3. Use clear and plain language when explaining consent to users
4. If you already have consent from users, you’ll need to make sure it passes the above tests or it might be deemed invalid.
GDPR is all about strengthening the rights of the individual
Here are eight things that individuals will have the right to under GDPR:
1. The right to access – the right to request access to your personal data and to ask how your data is being used by the company. The company must provide a copy of the personal data, free of charge and in electronic format if requested
2. The right to be forgotten – the right to withdraw consent from a company to use their personal data and to have that data deleted
3. The right to data portability – the right to transfer personal data from one service provider to another. This must happen in a commonly used and machine-readable format
4. The right to be informed – the right to be informed before data is gathered. Consumers must opt in for their data to be gathered, and consent must be freely given rather than implied
5. The right to have information corrected – the right to have your data updated if it is out of date or incomplete or incorrect
6. The right to restrict processing – the right to request that your data is not used for processing. A record can remain in place, but not be used.
7. The right to object – this includes the right to stop the processing of your data for direct marketing. This right must be made clear to you at the start of any communication.
8. The right to be notified – the right to be notified of any data breach that compromises your personal data within 72 hours of the company first becoming aware of the breach.
GDPR, combined with the growth of cyber-attacks, makes digital security vital
If your business is successfully attacked by hackers you’ll need to be able to demonstrate that you took all reasonable steps to protect your users’ data. It’s a good idea to carry out a security review of your digital assets now.
How to find out more
The Information Commissioner’s Office (ICO) is the UK’s independent authority created to uphold information rights in the public interest, promoting openness by public bodies and data privacy by individuals. They have created a frequently updated guide to the GDPR for those who have day-to-day responsibility for data protection. It’s a useful resource for anyone wishing to learn more. https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
For GDPR compliance you will need to work with your own advisors.