On 25 May 2018, strict new regulations will come into force that will change the way organisations handle personal data. This overview looks at what it means for your business, at what you need to know to stay compliant, and how you can prepare for GDPR in time for next year’s deadline.
What is GDPR?
On 25 May 2018, the General Data Protection Regulation (GDPR) will be introduced, replacing the 1995 Data Protection Directive. It was developed by the EU to update data protection rules and to change how companies store, secure and manage personal data.
Current legislation was passed before the internet and technology – such as cloud technology – offered companies new ways to exploit data, and the GDPR seeks to address that. The EU says it wants to hand control back to the owner of the data, and improve citizens’ trust in the emerging digital economy.
For example, GDPR introduces the ‘right to be forgotten’, which gives a citizen or organisation with a reasonable wish to be deleted from a database the right to have every record relating to them removed without trace. The onus is on the database owner to keep track of the relevant interactions so that it can readily comply with such a demand.
GDPR provides EU citizens with control over their personal data through a set of ‘data subject’ rights. This includes the right to:
• Access readily-available information in plain language about how personal data is used
• Access personal data
• Have incorrect personal data deleted or corrected
• Have personal data rectified and erased in certain circumstances (the ‘right to be forgotten’ – see above)
• Restrict or object to the processing of personal data
• Receive a copy of personal data
• Object to the processing of data for specific uses, such as for marketing or profiling
The EU also aims to give businesses a clearer legal environment in which to operate, harmonising how data is handled across the EU. It estimates that removing red tape requirements will bring collective cost savings to businesses of around €2.3 billion a year.
What data is covered?
Personal data could be usernames, location data, bank details, medical records, online identifiers – such as IP addresses or cookies – or passwords, and under GDPR the definition of sensitive personal data has expanded to include genetic and biometric identifiers.
The theft of personal or work-related information – whether that’s access details, passwords, or any other customer data – is endemic today; almost 1.4 billion data records were stolen in 2016 alone, an increase of 86 percent compared to the year before.
Who will GDPR affect?
GDPR will apply across the whole of the EU, which currently spans 28 member states and half a billion citizens. However, companies outside the EU will still have to meet its standards if they want to continue using data from customers in the EU.
How will GDPR personally affect my business?
If a consumer requests access to their data, businesses will no longer be able to charge a fee for doing so, and will have 40 days to disclose the information.
One of the biggest changes UK companies should be aware of is the significantly increased fines for non-compliance: organisations face a penalty of up to four percent of annual global turnover or €20 million, whichever is greater, for a data breach.
In addition, organisations will have 72 hours to disclose a serious data breach to the relevant authority – in the UK that’s the Information Commissioner’s Office (ICO) – as well as to the victim of the breach. The penalty for failing to notify a breach will be up to €10 million, or two percent of revenues.
Therefore, the consequences of any data loss will be financially devastating for any company.
How should I prepare?
Despite the threat of large fines, reports estimate that more than half of businesses won’t be compliant by the end of 2018.
It’s important for any business that hasn’t yet started preparing for GDPR to do so now – and we’re here to help!
We’ve created a GDPR content hub, where you can find links to the most relevant and useful articles and resources. We've also published our own eBook, GDPR: A Guide for Business.
We’ve also organised a webinar, Are you ready for GDPR in 10 questions? to be hosted by independent GDPR Implementation Consultant Pierre Westphal, on Thursday 22 June, 2-2.45pm.
You can also contact any of the Cobweb team on 0333 920 6841 or at firstname.lastname@example.org.