Despite Brexit, the UK government has confirmed it will abide by the new General Data Protection Regulation (GDPR), which is due to come into effect on 28 May 2018.
The aim of General Data Protection Regulation is to encourage companies across the European Union to think seriously about data protection. In practice, the new GDPR lays down some fairly stringent legislation, for both large and small businesses, governing the standards by which personal data is collected and stored.
To help UK businesses understand the new laws, and avoid the heavy punishments that failure to abide by them brings, here’s a guide to the GDPR legislation.
Introduction to the GDPR
The General Data Protection Regulation (GDPR) is a new law that significantly extends and strengthens the current law and regulatory regime in relation to data privacy and data protection.
The new regime is, in part, intended to force a cultural change in how organisations protect the personal data of private individuals and bring the law up to date with advances in technology and the proliferation of the internet, shared digital networks and social media.
It is, therefore, much stricter than the current regime and the regulator (the Information Commissioner’s Office) will have the power to impose much greater financial penalties.
Businesses and organisations that hold and process the personal data of individuals must be compliant with the new regulations. They will also be required to actively demonstrate compliance with the new regulations when they come into force.
The changes are significant and are likely to take many months to fully implement across an organisation. It is crucial that all organisations – including small and medium enterprises – take action now in order to adequately prepare for GDPR.
What is GDPR?
General Data Protection Regulation is a new data protection regulation which allows greater protection for consumers and gives them more control over how their personal information is collected, stored, shared and used.
What does GDPR consider a ‘small business’ and am I affected?
Just like the Data Protection Act (DPA), the GDPR does not apply to people who are processing personal data in the course of their own exclusively personal life or household activity. But as soon as you begin undertaking commercial activities, even if you’re only a sole trader working from home, you are highly likely to be covered.
The GDPR contains a definition of an ‘enterprise’ within Article 4(18) as “any legal entity engaged in economic activity”. But the regulations do include some exemptions for SMEs employing fewer than 250 people.
What does GDPR consider ‘personal data’?
Under the Data Protection Act 1998, ‘personal data’ means data which relates to a living individual who can be identified from the data (or from the data and any other information which is in the possession of, or is likely to come into the possession of, the data controller) and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
However, GDPR’s definition of personal data is much more detailed. For example, under GDPR, information that constitutes an online identifier (such as an IP address) can amount to personal data. This is to reflect changes in technology and the way organisations collect information about people.
Personal data that has been pseudonymised (e.g. key-coded) can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
For most organisations that keep HR records, customer lists and contact details, the change to the definition should make little practical difference. If you hold information that amounts to personal data under the Data Protection Act 1998, then it is safe to say that it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems. This is wider than the definition under the Data Protection Act 1998.
Under the Data Protection Act 1998, ‘sensitive personal data’ means personal data consisting of information as to:
- the racial or ethnic origin of the data subject,
- their political opinions,
- their religious beliefs or other beliefs of a similar nature,
- whether they are a member of a trade union,
- their physical or mental health or condition,
- their sexual life,
- the commission or alleged commission by them of any criminal offence and/or
- any proceedings or outcome of any such proceedings relating to an offence or alleged offence.
The GDPR refers to sensitive personal data as “special categories of personal data”. These categories are broadly the same as those in the Data Protection Act 1998 but they now include genetic data, and biometric data where processed to uniquely identify an individual.
What are the key GDPR requirements?
- That companies collect and hold informed, specific and ongoing consent for all types of data processing and direct marketing campaigns.
- When and how consent was given should be stored by businesses so it is quick and easy to find if requested to do so.
- That consent cannot be assumed and before direct marketing is sent you must have freely given, explicit consent to store and use personal information.
- New rules will be enforced which will affect how long you can store client information for and what personal information can be collected.
- Consumers have a “right to be forgotten”.
What are the changes in detail and how do they affect SMEs?
- GDPR applies to ‘Data Controllers’ and ‘Data Processors’ alike. Data Controllers will be responsible for any data breaches committed by a Data Processor. The regulations say that “each [data] controller … [and] processor … shall maintain a record of processing activities under its responsibility”, but small businesses with fewer than 250 employees are given leeway unless they are involved in certain kinds of data processing.
- The way that businesses record their customers’ consent will change significantly. Businesses will need to ensure that they have adequate, GDPR compliant consent if they are to process an individual’s personal data.
- Businesses will need to provide customers with much more detailed Privacy Notices.
- Businesses will not be permitted to process customer data if they do not have a legal basis for doing so. The legal basis will need to be adequately documented.
- A principle of “accountability” will apply. Businesses will need to be able to adequately “demonstrate” compliance with the data protection principles.
- The rules regarding Subject Access Requests are changing significantly. Failure to comply with the new rules on Subject Access may result in a very large financial penalty.
- Some organisations will be required to appoint a Data Protection Officer – but many SMEs will be exempt from this.
- In certain circumstances, companies will be required to self-report a data breach to the ICO within 72 hours.
The ICO will have the power to impose fines for non-compliance of up to 4 per cent of a company’s annual global turnover for the preceding financial year or the equivalent of 20 million Euros – whichever is greater.
So what do I need to do to ensure my SME is GDPR compliant?
Firstly, as GDPR is complex, I’d strongly advise you to seek professional advice. A legal expert in data protection will be able to guide you through the finer points of the new legislation and tailor your organisation’s response to it.
The steps needed to address the GDPR regime are comprehensive and complex. However, a basic summary of the initial steps any organisation should take is:
- Make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR.
- Research to understand exactly what your firm’s responsibilities are in relation to the regulation.
- Complete a risk assessment on any systems you use for controlling and processing data, including those used by third-party providers.
- Identify the biggest areas of risk and prioritise systems that hold sensitive personal information.
- Create an in-depth action plan which lays out the tasks that need to be implemented. You will need to consider all departments, including information management and governance, human resources, legal, marketing etc.
- Train your staff, IT team, management, security people, etc. They all need to be aware of what the GDPR means for them in practice and for their compliance. This is typically done via workshops and training days to move from awareness to compliance.
- Search for innovative and specialist technology to choose a solution designed to support your business. Make sure it can facilitate normal workflow while preventing data loss and providing risk-detection analytics.
About the author
This guide has been written exclusively for ByteStart by Stuart Crook, a data protection expert and Associate at the national law firm, Stephensons.