GDPR data protection explained
Want to find out more about GDPR and what it means for you? You’ve come to the right place. The first part in our series on data security technology highlights the new regulations and explains how they might affect your business.
First things first: GDPR is short for General Data Protection Regulation. It was adopted by the European Union (EU) in 2016 and applies across the EU from 25 May 2018, to make sure businesses look after people’s personal data correctly. Its principles are broadly similar to those of the current UK Data Protection Act 1998 (DPA), but there are some significant changes and new obligations.
Here are the key points to bear in mind…
Customers have rights over their data
People sharing their personal data have more rights under GDPR. They’re entitled to know what you’re doing with their data, and can ask for a copy of it, which you must normally provide free of charge and, if they asked electronically, in a commonly used electronic format. They can also ask you to correct it, to delete it (the ‘right to erasure’, which applies in particular circumstances rather than unconditionally) and, in some cases, to have it moved to another provider. You normally have one month to respond. So your teams will need to know how to recognise and handle these kinds of requests.
Data protection is more important than ever
If your company designs any new processes or systems, you’ll need to build data protection in from the start. GDPR calls this ‘data protection by design and by default’.
You should only hold and process the minimum amount of personal data needed for the purposes you collected it for (data minimisation), keep it no longer than necessary, and limit who has access to it.
Worst-case scenario, if there’s a personal data breach that is likely to put people’s rights and freedoms at risk, you’ll need to report it to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it. If the risk to individuals is high, you must also tell the people affected without undue delay. Even breaches you don’t have to report must be recorded internally.
There are big fines if you don’t comply
The maximum penalty is €20 million or 4% of your annual global turnover, whichever is greater.
There are two tiers. Failures such as not keeping proper records, not securing the data you hold or not notifying a breach fall into the lower tier, with a maximum of €10 million or 2% of turnover, whichever is greater. Breaching the basic principles of processing, including the conditions for valid consent, ignoring people’s rights or transferring data abroad unlawfully falls into the upper tier, with the maximum penalty above. These are ceilings, not fixed charges; regulators are expected to set fines that are proportionate to the seriousness of the infringement.
You might need to put a Data Protection Officer in place
It’s not just big businesses that need a Data Protection Officer (DPO). Whatever your size, you’ll need one if your company is a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if your core activities involve large-scale processing of special categories of data (such as health, ethnicity, religion or biometrics) or data about criminal convictions.
They don’t have to be an employee, but they’ll need to be fully clued up on data protection law and practices. It’s fine to outsource the role, but the person must report directly to your highest level of management.
It’s not just EU businesses that are affected
The new regulations apply to every organisation established in the EU that processes personal data, wherever the processing actually takes place or the data is stored. They also apply to organisations outside the EU that offer goods or services to people in the EU, or monitor their behaviour there. The test is where the individual is, not their citizenship, and it doesn’t matter how big or small you are.
If your company is based outside the EU and the regulations apply to you, you’ll generally need to designate a representative within the EU. There is an exemption for occasional, low-risk processing that doesn’t involve special categories of data on a large scale.
How to roll out GDPR across your business
Every decision-maker in your company needs to have a solid understanding of GDPR. A good way to do this is to get key staff from your Legal, HR and IT departments together. If you’re a smaller business, assemble the people who look after these roles. Then you can run through your processes for gathering and storing personal data, to see how they measure up against the new regulations.
Here are some of the key areas you’ll need to cover:
- Do employees know about the new regulations, and have you put the appropriate training in place? Do you need to appoint a DPO?
- Does your IT team know how to respond to subject access and erasure requests within the one-month deadline? Do you have the technology and processes in place to find, copy and delete an individual’s data so people can exercise their rights?
- What data does your company hold, why do you hold it, and where did it come from originally? Who do you share it with, who has access to it, and how long do you plan to keep it for? Do you have a template for record-keeping?
- Do you make people aware you’re collecting their data? Do you let them know their rights and explain what you plan to do with their data? Have you used simple and straightforward language?
- How secure is the personal data you hold? Is it encrypted or pseudonymised, both at rest and in transit? Where is it held, and who can get to it? Would your IT team be able to detect a breach, work out what data was affected, and report it within 72 hours?
Procedures and policies
- Do these demonstrate you’re aware of your privacy responsibilities? Do you have a general data protection policy, a data protection impact assessment (DPIA) process for higher-risk processing, and a data breach checklist?
- Can you demonstrate you’re functioning within the law? Have you identified and documented a lawful basis for each type of processing? Where you rely on consent, can you show it was freely given, specific and informed, and can you withdraw it as easily as it was given?
- Are data protection principles at the forefront of your business processes? Do you have written contracts with your third-party data processors that meet the new requirements? If you transfer data out of the EEA, do you have an appropriate safeguard in place, such as an adequacy decision, standard contractual clauses or binding corporate rules?