How will GDPR affect your business?
Find out all you need to know about the EU General Data Protection Regulation (GDPR), how it affects your business and what you need to do to ensure compliance.
The new EU General Data Protection Regulation (GDPR) came into force on 25th May 2018. The new regulations affect every business in the UK and carry heavy fines for non-compliance. It is therefore critical that businesses take action now to ensure compliance. With this in mind, we highlight the key facts below.
Why is GDPR needed?
With the internet and cloud computing, data processing has changed significantly since the late 90s when data protection laws were last reviewed. At the same time, data breaches have continued to rise, with 2017 coined the Year of the Data Breach. A recent report by Juniper Research revealed that almost three-quarters of UK SMEs think they are safe from cyber-attack. However, half of these suffered a data breach. Against this backdrop, it is clear that personal data needs better protection.
What is GDPR?
GDPR requires any business that operates in the EU or handles the personal data of EU residents to implement a strong data protection policy to protect client data. It replaces the Data Protection Act 1998, with the following key differences:
- Broader scope: the regulation affects any business that collects, processes or stores personal data from EU-based individuals. This includes businesses based outside the EU. The definition of personal data has broadened to include genetic, mental, economic, cultural and social identity, thereby covering more data.
- Tougher penalties: non-compliance carries heavy fines of up to 4% of annual global turnover or €20 million – whichever is greater. The fine imposed depends on the extent of the data loss and on the systems and technology the business had in place.
- Shorter notification of breaches: businesses must report data breaches to the relevant Data Protection Authority within 72 hours of detection.
- Accountability and privacy by design: GDPR places onerous accountability obligations on business systems and processes. Data controllers must maintain documentation and conduct a data protection impact assessment for riskier processing. In addition, only the data necessary to fulfil specific purposes should be collected, and it should be discarded when no longer required.
- The appointment of a data protection officer (DPO): a mandatory requirement for all public authorities and for companies whose core business activities are data processing.
- Consent required to process children’s data: parental consent is required to process personal data of children under 16. Individual EU Member States may choose to lower this age to 13.
- Access to data: individuals have the right to request all information that an organisation holds on them, in a usable format. There is currently a 40-day time limit to respond to the request, and companies cannot charge for providing this information.
- The right to be forgotten: data subjects have the right to have their data erased. Businesses must ensure they have the processes and technology to delete data in response to these requests.
GDPR is designed to strengthen the protection of personal information. Regardless of size, all companies in the UK are required to collect, store and use personal information more securely.
How should you prepare your business?
Under the new regulations, a business that suffers a data breach will have to notify every affected individual of that breach. This is potentially very damaging financially, but also in terms of reputation. It is therefore vital that organisations review their IT security. Achieving the UK Government Cyber Essentials certificate can help. Customers are the lifeblood of any business, so ensuring you have the correct processes to handle their data is vital. Establishing a plan to deal with any potential breach or cyber-attack is equally important, as it will help avoid further damage to client or supply chain relationships. For a practical approach to preparing your business, read our step-by-step guide to GDPR compliance. For more advice on GDPR and protecting your data within your IT systems, please get in touch.