With just over a month to go until GDPR comes into play, it’s quite alarming to think that 29% of UK business owners are either unaware of the changes or are confident that it won’t apply to them. With fines up to either 4% of global revenues (per business) or €20 million (whichever is greater), GDPR isn’t going to be ignored and it’s coming – soon!

What is GDPR?

GDPR, the EU General Data Protection Regulation, comes into force on 25th May 2018 and will impact any business, regardless of size, that holds personal data on residents of the EU. It is the biggest change to data privacy laws in 20 years and is an extensive change to the way businesses handle data.

What kind of data is included?

Anything that you ask consumers to give, plus anything they give voluntarily, plus their web data. Basically, any data your business collects or holds on EU residents.

This includes identity, racial data, date of birth, address, health data, gender and web data such as IP addresses and cookies. This list is extensive, and if you are unsure, refer to the ICO for further information.

What will you have to do?

This depends largely on the data protection processes you already have in place. At the very minimum, you should by law already have a cookie policy for your website, a privacy policy, T&Cs and an email disclaimer, and you should take all possible measures to collect only the data you need, explaining your purpose to consumers in all appropriate ways. Data should only be kept for as long as necessary, used fairly and lawfully, and only in ways that are relevant and adequate to the consumer. All data needs to be kept safe and secure and handled according to people’s data protection rights.

To comply with GDPR, you will first need to ensure that you comply with the current data laws, as GDPR is based largely on what is already in place. There are additional steps to take to meet GDPR, however, and these are:

  • Ensure awareness – Make sure those in your organisation responsible for making decisions are aware of GDPR.
  • Document the information you hold – This may include organising an information audit so you know what data you hold, where it came from and who it is shared with.
  • Know individuals’ rights – Check your current procedures to ensure they cover individuals’ rights to access their own data. This includes your policies on how you would delete data or provide it should a request be made.
  • Communicating privacy information – Ensure a plan is in place to meet GDPR, including how you notify users of your privacy practices.
  • Subject access requests – You need to have a plan in place for how you will handle data access requests once GDPR is in place.
  • Consent – How do you currently manage consent agreements when you collect data? Make sure your consent requests meet GDPR guidelines.
  • Handling data breaches – What happens if you suffer a data breach? What procedures are in place to keep user data secure? You need to be able to answer these questions and have proper procedures in place.
  • Children – Assess how you handle data related to age: do you verify user age, and if so, do you obtain guardian consent if the user is underage? This is part of GDPR and will need to be reviewed.
  • Data Protection by Design and Data Protection Impact Assessments – The ICO has a code of practice on Privacy Impact Assessments, and you need to familiarise yourself with this as well as the Article 29 Working Party’s latest guidance. If these do not already exist within your organisation, you need to ensure they are implemented.
  • Lawful basis for processing personal data – You need to ensure your privacy policies identify the lawful basis on which you are collecting data.
  • Data Protection Officers – You may already have designated Data Protection Officers, but if not, you need to designate at least one person to take responsibility for data protection compliance. This person will shoulder the responsibility of meeting GDPR regulations.
  • International compliance – If you operate in more than one EU member state, you need to ensure you know your lead data protection supervisory authority.

For further information from the ICO on preparing for GDPR, please visit the following link: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

Will Brexit Impact GDPR?

The UK will still be a member state of the EU when GDPR comes into force, so it will be subject to the regulation in the same way as all other EU member states.

When the UK leaves the EU, a new Data Protection Bill has been proposed to take the place of GDPR; this will carry the basics of GDPR into British law, so businesses should expect these new practices to stay in place.

Whether we like it or not, GDPR is coming and it’s here to stay. Make sure you’re ready!