Currently, we put a lot of trust in companies we don’t know. We agree to their terms and conditions just to make the checkout quicker, so we can purchase new shoes or book a flight. We do all of this without knowing what they will then do with our data, how it will be processed and who it will be passed on to.
The EU General Data Protection Regulation (GDPR) specifies how consumer data may be used and how it must be protected. GDPR will replace all data protection legislation in the EU member states, including the UK’s Data Protection Act 1998. Adopted by the European Parliament in April 2016, it becomes enforceable throughout the EU in May 2018.
It applies to everyone involved in processing data for or about individuals in the context of selling goods and services to citizens in the EU. This applies even if the organisation is located outside the EU but trades within it. For example, Facebook has set up its entire non-US operations in Ireland; this means everyone signed up to Facebook and living in a European country is bound by, and Facebook must comply with, Irish data protection law. Even though we are due to leave the EU, Britain has promised to mirror the law when we leave, and will comply fully whilst we are still in and during the leaving process.
Currently, EU data law is patchy and outdated. Companies and organisations pick and choose which parts of each country’s laws they wish to adhere to, and can find many ways around complying with specifics. The intent of the EU GDPR is that the law and its penalties will be at the same level across the whole of Europe.
The impact of GDPR on businesses and organisations
GDPR restricts the commercial use of data: businesses will now be limited in what they can and cannot do with data to gain commercial benefits. In the run-up to the enforcement of GDPR, businesses will need to comply with the key requirements. For most companies this will involve spending thousands of pounds. Employing data protection officers, buying new software to meet some of the requirements, and putting in place procedures to alert customers to any risks within 72 hours will be a huge expense for some organisations.
On a positive note, GDPR will strengthen customer trust and customer confidence in your company.
What are the requirements?
7 Key Requirements
Consent – It must be just as easy to opt in as it is to opt out. Sentences must be clearly written, cannot include legalese and cannot ‘fool’ anyone into opting in.
Breach notification – If a breach of data does happen, data processors must notify anyone involved, including notifying customers of any risks, within 72 hours.
Right to access – The data subject now has the right to obtain confirmation from the data controller as to whether their personal data is being processed. The data controller should then provide an electronic copy of the personal data, free of charge.
Right to be forgotten – Every data subject now has the right to have the data controller erase their personal data and cease its dissemination when the data is no longer relevant to its original purpose.
Data portability – Data subjects must be offered smooth data portability. This means the individual can obtain and reuse their personal data for their own purposes across different services. Companies should provide a service that allows the individual to move, copy or transfer personal data easily from one IT environment to another.
Privacy by design – Each new service or business process that uses personal data must take the protection of that data into consideration. An organisation needs to be able to show that it has adequate security in place and that compliance is monitored by a data protection officer. This means that an IT department must take privacy into account during the whole life cycle of system or process development.
Data protection officers – Professionally qualified data protection officers must be appointed in public authorities, or in organisations that engage in large-scale systematic monitoring or large-scale processing of sensitive personal data. Those workplaces require a professionally qualified data protection officer if the company has more than 250 employees.
For non-compliance with these 7 requirements by May 2018, a company can be fined 4% of its global turnover or 20 million euros, whichever is greater.
So how can we prepare for the change?
Here are our 8 top tips, taken from ico.org.uk:
- Document the personal data you hold, where it came from and who you share it with
- Review your current privacy notices and put a plan in place for making any necessary changes in your business in time for the implementation of GDPR
- Check and update your procedures to ensure they cover all the rights individuals have
- Review how you seek, record and manage consent and whether you need to change or refresh these processes
- Start thinking now about whether you need to put in place systems to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity
- Make sure you have the right procedures in place to detect, report and investigate a personal data breach
- Designate someone to take responsibility for data protection compliance and assess where this role will sit within your business
- If your organisation operates in more than one EU member state, you should determine your lead data protection supervisory authority
For more information, head over to the Information Commissioner’s Office website: https://ico.org.uk/for-organisations/data-protection-reform