10 things your business should know about GDPR
Key facts about the most important data privacy regulation change in 20 years
It’s been described as the most important change in data privacy regulation in 20 years. So, what is the GDPR and how could it affect your business?
1. What is “GDPR”?
The GDPR is the EU General Data Protection Regulation. Its introduction has been described as the most important change in data privacy regulation in 20 years.
2. Why is the GDPR being introduced?
Its makers believe it will better protect EU citizens from privacy and data breaches, because existing EU regulations and data protection laws are 20 years old and the world has become much more data driven. According to the EU GDPR website it will “harmonise data privacy laws across Europe, protect and empower all EU citizens and reshape the way organisations approach data privacy”.
3. When is the GDPR being introduced?
Although the EU adopted the GDPR in 2016, it won’t be enforced until 25 May 2018, which gives UK businesses time to comply.
4. What if businesses don’t comply with the GDPR?
They risk fines of up to 4% of their turnover or as much as €20m for more serious breaches or failure to meet GDPR compliance.
5. What about GDPR policies with Brexit?
The GDPR will apply to all businesses that store and process the personal data of data subjects living in the EU. So, UK companies processing data relating to goods or services sold to citizens in the EU will need to comply with the GDPR, regardless of Brexit. And, in any case, the UK isn’t scheduled to leave the EU until after May 2018.
6. What if UK businesses only sell to UK customers?
According to the EU GDPR website, things are “much less clear” in this case, although “the UK Government has indicated it will implement equivalent or alternative legal mechanisms” that will “largely follow the GDPR”.
7. What is “personal data”?
It is defined as: “Any information related to a natural person or ‘data subject’ that can be used to directly or indirectly identify the person”. This could be their name, a photograph of them, their email address, their bank account details, their medical information, their computer IP address, etc.
8. What should my business do to prepare for the GDPR?
The Information Commissioner’s Office (“the UK’s independent body set up to uphold information rights”) has published a handy guide – 12 steps organisations can take now to prepare for the GDPR.
9. What major changes should I be aware of?
The previous Directive’s key data privacy principles remain, but the GDPR will apply to all companies that store and process the personal data of people living in the EU, whether the data is processed in the EU or not.
Penalties will apply to controllers and processors, so “clouds” will also be subject to GDPR enforcement. And consent from data subjects must be given in “an intelligible and easily accessible form, [for the purpose of] data processing attached to that consent”.
Data subjects can obtain confirmation from the data controller about whether their personal data is being processed, where and why. They also have the “right to be forgotten”, which means controllers will have to erase their personal data, stop disseminating it and prevent third parties processing it.