One month to go: what does GDPR mean for your business?

The term GDPR has been sending companies of every size and scale into a frenzy for the last two years, ever since it was announced as the new framework that will supersede the previous data protection laws, namely the 1995 Data Protection Directive on which UK law is based and which is set out in the Data Protection Law 1998.

GDPR takes effect on 25th May 2018, enforcing new, stronger rights for individuals to access the information that companies of any size hold on them. It creates new obligations that companies will have to adhere to, including better and more transparent collection and management of personal data, backed by a new regime of fines for non-compliance regardless of the size of the organisation.

Given the huge shift in both the volume of personal data and the way companies access and hold it, GDPR is certainly timely and necessary to protect the rights of individuals. The impact on organisations across both the UK and the EU is nonetheless huge as companies ready themselves for the change.

Many large organisations have decided to use this time to really get their ‘house in order’ where data is concerned, and have ploughed huge investment into doing so. However, a McDermott-Ponemon study found that levels of readiness are rather mixed: 40% of all companies surveyed will not be GDPR compliant until after the 25th May deadline, and of those, 8% were really not sure when they would expect to be compliant.

GDPR in a nutshell

‘The GDPR is a step change for data protection. It’s still an evolution. Not a revolution.’ – Denham, UK Information Commissioner

Denham is keen to tackle the myths and scaremongering that have been rife since the announcement that the new regulations are coming into force.

So what does GDPR mean for us all?

Consent and compliance

The GDPR sets out stronger requirements for how personal data is obtained, processed and stored. This includes having clear data protection policies, data protection impact assessments and further documents stating how data is processed.

For organisations with a workforce of 250 or more, there is also a requirement to have clear public documentation of why individuals’ information is being collected and processed, together with technical descriptions of the security measures used to safeguard the data.

Companies that systematically monitor data, or process sensitive and personal data on a large scale, will be expected to appoint a Data Protection Officer as the first point of contact for all employees and customers on all data protection matters.

There is also a requirement to actively obtain consent for future data collection and processing. This requires a ‘positive opt-in’ from individuals rather than the automatic opt-in that large and small organisations alike have historically relied on.

Breach notification

From 25th May, speed in notifying breaches of personal data publicly will matter under the GDPR far more than ever before. Some huge data breaches have made headlines over the last two years, from the likes of Yahoo, My Fitness Pal, Facebook and Deloitte, having not come to light until weeks or even months after the breach happened. The Information Commissioner’s Office has set down that it now expects to be informed of any breach within 72 hours of an organisation finding out about it, and the individuals affected must also be notified.

Access to your data

The GDPR gives individuals more extensive power than ever before to access the information that is held on them by organisations.

Previously, a Subject Access Request was the only route an individual could take to request access to information held on them. It cost the individual £10 per request, and a business could take up to 40 days to respond. The GDPR has scrapped the fee and reduced the response time frame to 30 days or less. Individuals gain more control over their data: organisations must confirm whether or not data is held, provide a summary of what data is held, give access to it, and supply any supplementary information.

Right to be forgotten

The GDPR will, for the first time, give individuals the right to be forgotten. Each person will be able to request that any data held on them by an organisation be permanently erased. This can include data that has been illegitimately collected, data for which the individual has withdrawn consent, and data that no longer serves a necessary purpose.

What actions should you be taking to be fully prepared?

Many large organisations have a flurry of consultants and legal teams supporting them through the process to ensure GDPR compliance. For those without a support team to help them wade through it, the tips below give a good starting point for readying your organisation for the new era of transparent data protection:

Identify your personal data

What data should you even consider? Information which identifies an individual, or could lead to their identification, is considered personal data. This includes names, addresses, identification numbers and online identifiers. Once this is established, the next step is to record how it was captured, how it is held, how you use it, and where it is going.

Run an impact assessment

An impact assessment helps to identify, before it happens, any potential issue which could pose a high risk if the data were revealed. Various checklists and guidance are available, with the Information Commissioner’s Office providing good support for self-assessment.

Ask for consent

Requests for consent must be clear — not hidden in the small print or obtained via automatic enrolment or subscription. Once the GDPR comes into effect, companies must be able to show exactly where consent was obtained.

The right policies and systems in place

Individual data rights – the power now lies far more with the individual. They have the right to ask where their data is held and how much data is held about them, and the right to refuse to give further data for information purposes. A company must report this back to them within one month of the request being made. Each individual also has the right to be completely forgotten, with all their data held by a company deleted.

Making your policies clear and understandable

Organisations must be seen to be removing the jargon from their data protection policies and to be clear in explaining what personal data they hold and what it will be used for in the future. Transparency is key here: policies need to be clear and easily accessible to everyone, no longer hidden away!

Failure to comply: the penalties

The penalties for non-compliance under the GDPR are far steeper than under existing data protection laws, which has left many organisations, particularly SMEs, fearful. Depending on the severity of the breach, organisations could face fines of up to £500,000 or 4% of turnover (this would be scaled according to the size of the organisation).

Denham, the UK’s Information Commissioner, is keen to assert that the ICO is not looking to make an example of the first few organisations found to be breaching the new regulations; rather, ‘the ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.’

The statistics perhaps bear this out. In 2016/2017 the ICO concluded 17,300 cases, of which 16 resulted in fines. The ICO has so far yet to invoke its maximum powers.

For more information and guidance: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf