New data protection regulation: out with the Data Protection Act, in with GDPR




From 25 May 2018, the General Data Protection Regulation (GDPR) replaces current EU legislation covering the protection of personal data. In the UK it also replaces the Data Protection Act 1998.

That sounds a long way off but, if your business handles data, you need to get up to speed sooner rather than later. There are fairly hefty financial penalties for organisations that don’t comply.

And small businesses shouldn’t look away just yet. GDPR isn’t just for the Facebooks or Googles of this world – it impacts any business that handles or stores data. Recruitment agencies, photographers, accountants, IT firms and marketing companies will be affected. In fact, it’s hard to think of an industry that won’t need to sit up and take note.


What’s it all about?

The general principle is to level the data protection playing field across Europe. All businesses and organisations handling EU citizens’ personal data will work to the same set of rules, eliminating the current patchwork of pan-European regulations. The regulations will still apply in the UK, regardless of whether we hard Brexit, soft Brexit or end up with something in the middle.

Importantly, accountability lies directly with businesses. You’ll need to show you have suitable policies, assessments and staff training in place.

Businesses not actively complying with the regulations, or who suffer a data breach, will be penalised.

Penalties for a data protection breach, or for failing to notify the Information Commissioner’s Office (ICO) of a breach, mean a fine of whichever is the greater of these two:

  • Up to 4% of annual revenue
  • Up to €20m

It’s fair to say most businesses, large or small, would find paying out these sorts of sums of money painful.


Protecting personal data

The types of personal data we’re talking about relate to anything that could be used to identify an individual, such as name, address, marital status, job title etc. Under the new regulations the type of data that needs to be protected now also includes genetic, cultural, economic and social identifiers – IP addresses, mental health information, religious or political beliefs, for example.

Individuals must actively give consent for their data to be collected, must understand exactly what information is being collected and specifically what it’s being used for.

This needs to be explained by businesses in clear and concise language. Also, businesses can’t now collect more data than is needed for a specific purpose. So no more huge forms with excessive data-capture fields and the dubious practice of pre-ticked consent boxes.

A new part of GDPR gives individuals the right to know what data is held about them by different organisations. That means an individual’s data must be stored in such a way that it can be identified quickly and easily. And if the individual wants their data transferred to a different organisation, removed from a database (including copies) or for collection of their data to be halted, they now have a right to ask for that.

These rules are called the ‘right to data portability’ and the ‘right to be forgotten’.


Data breaches

If a business suffers a data breach, it has 72 hours to notify the ICO. It’s not expected to have fixed the situation in that time but it does need to have taken steps – such as alerting individuals whose data’s been lost, altered, accessed or disclosed without authorisation.

The exact financial penalty applied depends on what steps the organisation has taken to protect the data and how severe the data breach is.


Consumer awareness

While businesses are getting their heads around the new legislation, you can be sure that consumers will also be getting to grips with their new rights. We wouldn’t be surprised if this leads to more people taking businesses to court for incorrectly requesting or handling their data. What’s certain is consumers are going to be much more savvy about their data protection rights than they have been in the past.

Sorry if all this sounds a bit heavy. But that’s because it is. With vast fines and your reputation at stake, it’s simply not worth getting this wrong.

For more information on the details of the new GDPR visit the ICO and read more about how GDPR impacts you.
