From May 25, 2018, General Data Protection Regulation (GDPR) will be enforced by data protection regulators across Europe. It will change how businesses and public sector organisations can handle the information of their customers. This is the biggest change to Data Protection laws and comes after years of negotiations with all European Governments.
These outdated personal data rules will now be up to speed with the digital age.
Cyber crime has been on the increase over recent years in fact; In 2016, companies in the UK lost more than £1billion to cyber crime. Major data breaches at even some of the biggest firms have given criminals access to names, birth dates and addresses and even bank details and pension information. In fact within the last 12 months, there’s been some massive data breaches, including millions of Yahoo, LinkedIn, and MySpace account details.
So, What is GDPR?
The GDPR is Europe’s new framework for data protection laws which will replace the previous 1995 data protection directive.
It will give greater protection and rights to individuals and will mean significant changes to the way businesses and public bodies handle our personal information.
How will this impact my organisation?
According to the ICO if your organisation is a ‘controller’ or ‘processor’ of personal data then it will be covered by the GDPR. “If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR,”.
So, what’s different?
In the full text of GDPR there are 99 articles setting out the rights of individuals and obligations placed on organisations covered by the regulation. Now I am not going to cover all 99 of these but highlight to you some of the big ones.
These articles include allowing people to have easier access to the data companies hold about them, a new fines regime and a clear responsibility for organisations to obtain the consent of people they collect information about.
So here are some of the bigger changes to look out for:
Accountability and compliance
Companies covered by the GDPR will be more accountable for their handling of people’s personal information. This can include having data protection policies, data protection impact assessments and having relevant documents on how data is processed.
If there was to be a data breach and it could have a detrimental impact on those who it is about. This can include, but isn’t limited to, financial loss, confidentiality breaches, damage to reputation and more. The ICO has to be told about a breach 72 hours after an organisation finds out about it and the people it impacts also need to be told.
For organisations with more than 250 employees, the company must provide employees documentation of why people’s information is being collected and processed, descriptions of the information that’s held, how long it’s being kept for and descriptions of technical security measures in place. Yes, this is a minefield for not just marketing teams across the country but HR departments too!
If your company has “regular and systematic monitoring” of individuals at a large scale or process a lot of sensitive personal data (such as a bank or hospital) then they have to employ a Data Protection Officer (DPO).
And finally, the one that most people know about, as I am sure you have already received dozens of emails from companies you subscribe to. Businesses need to obtain consent to process data in some situations. This is a “positive opt-in” option rather than opt out.
Access to your data
The GDPR is also giving individuals a lot more power to access the information that’s held about them. Currently you can request something called a Subject Access Request (SAR) allows businesses and public bodies to charge £10 to be given what’s held about them.
This is being scrapped under the GDPR and requests for personal information can be made free-of-charge. What’s more when someone asks a business for their data, the business must provide it within one month.
The GDPR also gives individuals the power to get their personal data deleted in some circumstances.
This is one of the biggest elements of the GDPR. If an organisation does not process an individual’s data in the correct way, it can be fined.
It is expected that these fines will be considerably higher than they are currently.
So now you know the highlights, it’s time to get busy (although you probably already have been!)