GDPR – You Really Need To Know This!
Last week I attended a workshop on getting ready for GDPR.
GDPR affects any business that stores or processes personal information about individuals – so in other words most businesses.
It is an important piece of new legislation that you need to be aware of and also prepare for. Because it’s so important I thought it was worth sharing some of what I learnt as you start to think about how you will apply GDPR in your own business.
What is GDPR?
GDPR stands for the General Data Protection Regulation. It is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states.
GDPR is expected to set a new standard for consumers' rights regarding their data, and is replacing the Data Protection Directive 1995 and the Data Protection Act 1998.
Although it is a piece of EU legislation, it will not be affected by Brexit and will still apply in the UK from next year when it comes into force.
GDPR will leave much to interpretation. It says that businesses must provide a “reasonable” level of protection for personal data, but does not define what constitutes “reasonable”.
So, here are some thoughts to help you begin to understand the implications of GDPR.
Who will be affected by GDPR?
Any company that stores or processes personal information about UK and EU citizens within EU states must comply with GDPR.
So, if your company handles, stores or processes data this affects you.
When does my company need to be compliant?
Companies and businesses must be able to demonstrate compliance by 25th May 2018.
What happens if my company is not compliant with GDPR?
GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover, whichever is higher, for non-compliance.
A big unanswered question at the moment is how penalties will be assessed. It seems however that one of the big areas of non-compliance will be not obtaining the necessary consent from individuals to store and process their data.
In my own industry, we are looking closely at how we will interact with individuals during the initial stage of a transaction, how we will obtain consent, and what it will look like. Obtaining consent is definitely one to be aware of.
What types of privacy data does the GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address and cookie data
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Which GDPR requirements might affect me?
The GDPR requirements could force you to change the way you process, store and protect personal data. For example, companies will only be allowed to store and process data when the individual has provided consent, and for “no longer than is necessary for the purposes for which the personal data are processed”.
Individuals also have the right to be “forgotten” and to have their data erased, although there are exceptions: for instance, GDPR does not supersede any legal requirement you may have to maintain and retain certain data.
So for example, in my own business, I have certain FCA requirements in relation to data retention which would supersede GDPR.
Another requirement that companies must comply with is that any data breach is reported both to the supervisory authorities and to the individuals affected by the breach within 72 hours of the breach being detected.
What should you be doing to prepare for GDPR?
- Start now – don’t wait until next May!
- Create a data protection plan: most companies already have a plan in place, but they will need to review and update it to ensure that it aligns with GDPR requirements.
- Conduct a risk assessment: you need to know what data you store, how that data is processed, and understand the risks around it. Remember, the risk assessment must also outline the measures taken to mitigate that risk.
- Check where your data is stored – for instance, if you back up to Dropbox and that data is stored in the USA then you won’t comply. It needs to be stored in the EU. The data being stored also needs to be encrypted. This also applies to email – emails will also need to be encrypted.
- Implement measures to mitigate any risks: once you’ve identified any potential risks and how to mitigate them, you must put those measures into place.
- If your organization is small, ask for help if needed. Smaller companies will be affected by GDPR, some more significantly than others. You may not have the resources needed to meet GDPR requirements. Outside resources are available to provide advice and technical experts to help you through the process. So ask for help.
- Test incident response plans: GDPR requires that companies report breaches within 72 hours. How well you respond to breaches will directly affect the company’s risk of fines for the breach. Make sure you are able to adequately report and respond within the time period.
- Set up a process for ongoing assessment: this is important. You want to ensure that you remain compliant, and that will require ongoing and continuous monitoring and assessment.
What the workshop this week taught me is that, like it or not, GDPR is here to stay, and as business owners we must prepare.
However, it is important to remember that GDPR is meant to protect the individual, not catch out the business owner. With some thought, good preparation and a request for help when needed, there is no reason why you shouldn’t be ready for next May.