In 2016, the EU passed legislation governing the standards by which companies collect and secure personal data (so-called ‘controllers’ and ‘processors’).
The aim of this legislation was to encourage companies across the European Union to think seriously about data protection. In practice, the new General Data Protection Regulation lays down some fairly stringent requirements for both large and small businesses as regards data protection.
Although the UK subsequently voted to leave the EU, the UK government has since confirmed that it will abide by the new General Data Protection Regulation (GDPR), which is due to come into effect from 25 May 2018. To help UK businesses understand how they could be affected by the new laws, here’s a guide to the GDPR legislation.
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is a new legal framework to be applied within the EU. It is principally designed to cover all those businesses which have day-to-day responsibility for personal data. It aims to achieve uniformity in data protection legislation across the EU thereby streamlining data exchange and security between member states.
The GDPR is complex, but its key stipulations are clear:
- Firms of a certain size (over 250 employees in theory but see next section) must employ a Data Protection Officer (DPO). This person ensures that a business collects and secures personal data responsibly.
- Breaches in data security must be reported immediately to data protection authorities such as the Information Commissioner’s Office (ICO) in the UK. Ideally, breaches should be reported within 24 hours if possible but certainly within 72 hours.
- Individuals have more rights dictating how businesses use their personal data. In particular, they have the ‘right to be forgotten’ if they either withdraw their consent to the use of their personal data or if keeping that data is no longer required.
- Failure to comply with the GDPR will lead to heavier punishments than previously. Under current rules, the UK’s Information Commissioner’s Office (ICO) can fine up to £500,000 for malpractice but the GDPR will be able to fine up to €20 million or 4% of annual turnover (whichever is higher).
These criteria are designed to ensure that businesses are doing enough to secure the personal data of their clients. It is possible that many companies already fulfil their obligations under the GDPR, especially if those companies already comply with the UK’s Data Protection Act (DPA) of 1998.
What does GDPR consider ‘personal data’?
Like the Data Protection Act, the GDPR governs how companies process and store personal data. The key difference between this new legislation and the DPA is that the definition of what construes ‘personal data’ is both more stringent and detailed: any information which could be deemed a personal identifier falls under this new definition.
This means that IP addresses or any other electronic tag which may be used to identify a person in combination with other information may be defined as personal data and thus subject to the GDPR.
A good guideline for deciding if data is personal or not may be to ask yourself whether a piece of information relates or is linked to an individual such that knowing that information would be able to tell you something about that individual.
An example might be a job listing with a marked salary. This would not qualify as personal data on its own. But if the salary details were linked with a name (such as if the position was filled) then that information would relate to an individual and therefore become personal data.
What does GDPR consider a ‘small business’ and am I affected?
The GDPR does not cover small businesses. Article 30 of the regulation declares that organisations with fewer than 250 employees are not bound by the GDPR unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9, or personal data relating to criminal convictions and offences referred to in Article 10.
In addition, if a company’s processes deal routinely with personal data, then that company should abide by the regulation.
As a rule of thumb, ICO has stipulated that any business which is affected by the Data Protection Act (DPA) will also be affected by the GDPR. The GDPR should, in fact, be seen as an enhanced version of the UK’s own DPA.
Even if your company is not directly affected by the new legislation, it is important that there are effective rules in place governing the collection and safe storage of personal data as a matter of course.
All businesses, large and small, should both maintain control over the way it processes data and be able to demonstrate that they are keeping that data secure.
If businesses fail to meet this standard, they are likely to face criticism from their customers, if not from regulators.
So what do I need to do to ensure I am GDPR compliant?
It is likely that many companies already fulfil the criteria stipulated by the GDPR. This is not only because it enshrines many of the regulations already contained in the DPA, but also because many of its measures may seem common-sensical.
Here are some first steps your business should consider as regards personal data:
- Ensure that all personal data is stored responsibly and securely. This means sharply distinguishing between ordinary business data and its personal equivalent. Under the GDPR, the act of recording and listening to non-work related conversations is a breach. Fortunately, any iOS or Android mobile can hold dedicated numbers so business and personal communications can be split on the same device.
- Consider using a central vault for personal data with effective security protocols. A Cloud-based app on employees’ smartphones would suffice.
- Ensure that all data security arrangements are regularly reviewed and updated.
- Prepare a security framework and an emergency preparedness plan which outlines clearly how personal data is to be handled and secured, and what employees should do if there is a breach.
- Consider hiring a dedicated Data Protection Officer (DPO) to handle all of the above. A study by International Association of Privacy Professionals (IAPP) estimates that, as a result of the GDPR, around 28,000 DPOs will be hired in Europe in the next two years.
The GDPR is here to stay irrespective of the UK’s decision to leave the EU. Its implementation is expected to shake up how data is handled.
Ireland, for instance, which has been an attractive location for big business because of its relaxed data protection laws, will lose its status because the GDPR empowers any European data protection agency (like the UK’s ICO) to act against organisations worldwide. It is, therefore, important that businesses take steps to prepare for the GDPR legislation’s appearance in May 2018.
About the author
This guide has been written exclusively for ByteStart by Cheeky Munkey, the Hertfordshire-based IT support company. If your business needs help or advice on how best to protect its data online, visit the Cheeky Munkey website for expert information and consultancy.