A new data protection law comes into force on 25th May 2018. If your business handles personal data in any way, you'll need to be ready for it.
What is the GDPR?
The GDPR is the General Data Protection Regulation, an EU-wide data protection law that applies to organisations doing business in Europe. Although our departure from the EU is looming, you should assume that British businesses will still have to comply with the GDPR after we leave (the regulation is expected to be written into UK law for the sake of continuity).
Under the GDPR, your business is required to protect the personal data of customers, suppliers and employees alike. It applies to Business-to-Consumer (B2C) and Business-to-Business (B2B) organisations - in fact to any organisation that stores or processes the personal data of individuals in the EU. Your business does not need to be based in the EU for the regulation to apply: if you offer goods or services to people in the EU, or monitor their behaviour, you are covered.
What constitutes 'personal data'?
Personal data includes, but is not limited to an individual's:
- Name
- Email address
- Home address (or any other associated addresses)
- Banking details, including card details
- Driving Licence (and associated numbers)
- Passport (and associated numbers)
- National Insurance Number
- Online identifiers, such as usernames, IP addresses or cookie IDs
- Medical records (including genetic and biometric data)
The data does not have to be 'sensitive': if the data your business collects, processes or stores can identify a living individual, then the GDPR applies to it. Whether it's customers, contacts at other businesses or your own staff, the regulation applies.
What could happen if my business doesn't comply?
Your business could be fined up to 20 million Euros or 4% of your global annual turnover, whichever is higher. But you should be more worried about the loss of trust among your customers and employees.
So how can I prepare my business?
There are plenty of guides out there to help with more specific GDPR enquiries (you can even ask an advisor from the ICO to visit your business and help you in person) but here are the general steps that all businesses need to take.
1. Get GDPR aware
Make sure that management and any relevant individuals within your business know about this change to data protection law. They should understand the impact this will have on your business.
2. Start documenting
You should start making a record of what data you hold, where it comes from and where it goes to. That means everyone you share personal data with, including internal and external individuals, other businesses and applications.
3. Check your privacy notices
Review all of your current privacy notices and plan any additions and amendments the GDPR requires. Privacy notices cover both internal audiences, such as the notice given to employees, and external ones, such as the notice given to customers. Under the GDPR they must explain, among other things, your lawful basis for processing, how long you keep the data and the rights the individual has over it.
4. Know your (and their) rights
The GDPR gives individuals a number of rights that your business will have to honour: the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and rights around automated decision-making and profiling. Make sure you know them, and plan how you will meet them (e.g. the right to erasure, where personal data must be deleted on request).
5. Subject access requests
The way you handle requests from individuals for access to their data will change. Under the GDPR you will not normally be able to charge a fee for a subject access request (a reasonable fee is allowed only for requests that are manifestly unfounded or excessive), and you must respond within one month rather than the current 40 days.
6. Identify why you're collecting data
This might be an obvious one, but you have to be able to identify the lawful basis for collecting, sharing and storing personal data (for example consent, a contract with the individual, a legal obligation or your legitimate interests). This must be set out in your privacy notices so it is explained both internally and externally.
7. Check for consent
The ICO states that, 'Consent must be freely given, specific, informed and unambiguous.' This means that when you collect personal data on the basis of consent, individuals must actively opt in, rather than being opted in by default through pre-ticked boxes or silence. You must also make it as easy to withdraw consent as it was to give it, and keep a record of what people consented to and when.
8. What about children's data?
One of the big changes brought in by the GDPR is that additional requirements apply when you rely on consent to offer online services directly to children. The GDPR sets the age at which a child can give their own consent at 16 by default, although member states can lower it to as young as 13. Below that age you will have to use age verification where necessary and obtain consent from a parent or carer with parental responsibility.
9. Data breaches
Make sure you have systems in place to detect, investigate and report data breaches. Under the GDPR you must notify the ICO within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms, and where that risk is high you must also tell the affected individuals without undue delay.
10. Data Protection By Design
The GDPR makes 'privacy by design' a legal requirement for businesses, under the term 'data protection by design and by default'. It also makes 'Data Protection Impact Assessments' (DPIAs) mandatory for processing that is likely to be high risk, so you'll have to think about the privacy impact of decisions at the beginning of projects rather than the end.
11. Pick a Data Protection Officer
You will need someone in your business who is responsible for data protection compliance. If your business is a public authority, carries out large-scale regular and systematic monitoring of individuals, or processes special categories of data (such as health data) on a large scale, you must formally appoint a Data Protection Officer (DPO). Either way, this person should be ensuring GDPR compliance throughout your organisation.
12. Going international?
If you do business in more than one EU member state, you'll need to identify your lead data protection supervisory authority (the regulator in the country where your main establishment takes its decisions about data processing) and document it.
What if I can't get my head round any of this?
Keep in mind that there are a fair few months between now and the deadline, so if you haven't started yet, that's OK. Read up on the GDPR and the requirements for your business, and don't be afraid to ask for help from the ICO (or your friendly IT support team) if you need it.
It might seem overwhelming on the face of it, but many of the GDPR's requirements build on the data protection obligations you already have under the Data Protection Act 1998. You will have a lot of data protection policies in place already, and adjusting them to meet the GDPR will help you check and consolidate them.
Check whether you're ready for the GDPR with this quiz from the ICO