You may have heard the acronym ‘GDPR’ being used a lot lately without really knowing what it means or understanding it. As recently as January, nearly 40 percent of businesses in the UK reported never having heard of the GDPR and just 27 percent were actually actively doing something about it.
Given these statistics, you might be surprised to learn that complying with the GDPR is compulsory for almost all businesses across the EU, and failing to do so can result in fines of up to €20 million. It is important, then, to take a close look to understand the GDPR and how it is going to affect you.
What is the GDPR?
The GDPR stands for ‘General Data Protection Regulation’ and it is EU legislation regarding data protection. The aim of the regulation is to give individuals more power over how their data is used by companies and organisations. Current legislation governing data protection was brought in before the rise of the internet, and as such it does not accurately reflect the possibilities in using and exploiting data – the GDPR looks to update this.
The new rules mean that there will be harsher fines for businesses that lose or incorrectly handle data and give people the opportunity to have complete control over how, why and when a company is able to access and use their personal details.
However, the GDPR is not designed purely as a punitive measure for companies. It also seeks to provide businesses with a simpler and more equal legal environment so that everyone has the same rules governing them.
Does it apply to my business?
In simple terms: yes. The GDPR applies to every business that handles, stores or uses the data of any individual EU citizen – this includes both customers and employees. This means that if you run a business you must take steps urgently to comply with the GDPR.
The rights granted to individuals by the GDPR
To understand how to deal with the GDPR you need to know what rights the regulations grant to individuals so that you can alter your system accordingly. Some of the rights granted by the GDPR include:
- The right to data consent – one of the key issues that the GDPR looks to address is that of consent. Many businesses currently establish consent to capture data with ‘soft consent’, using messages such as ‘By using our service you agree to have your data captured’, but under the GDPR this is not acceptable. Businesses must gain explicit consent that is transparent and in which the individual understands what data is being collected and why.
- The right to be forgotten – if an individual is no longer the customer of a business or no longer grants consent for the business to hold their data, they can request to be forgotten and have their data removed. Alternatively, there is also the right to restrict the use of the data, so that an individual allows the record to stay in place but does not allow for its use in direct marketing.
- The right to access data – one of the key principles of the GDPR is that individuals must have more control of their own private data even when it is being captured, stored and used by businesses. This means that if a company stores an individual’s data, that individual has the right to access their personal data at any time and can ask how the data is being used.
- The right to be notified in the event of data theft – in the event of a data breach, businesses are required to notify an individual if there is a risk that their data has been stolen, within 72 hours of becoming aware of the breach.
The GDPR additionally grants individuals the right to have incorrect or out-of-date data updated, and the right to have their details transferred from one service provider to another.
What if I ignore the GDPR?
Remember that if your business stores any kind of private data about individuals, you will need to comply with the rules of the GDPR. If you are found to be in breach of the rules after 25 May 2018 you can be fined. These fines can be extremely high – up to €20 million or 4 percent of the annual turnover of the business, whichever is greater. So, it is in your interest to comply with the regulations as soon as possible.
The Brexit factor
Some businesses wonder whether the UK’s Brexit ruling will affect the GDPR. It is true that this is a regulation created by the EU and the UK is set to leave the EU in March 2019. However, this does not affect whether British businesses will need to comply with the regulation. Firstly, the UK will still be an EU country when the GDPR comes into force. Secondly, even after Brexit, any UK business that handles the data of EU citizens will need to fully comply with the GDPR. There is also no indication that the UK government is interested in repealing these reforms.
Ultimately then, when it comes to the GDPR, Brexit will not be a factor in whether your business needs to comply.
Steps you need to take
To comply with the GDPR it is important for you to take action as soon as possible. Start by identifying exactly what personal data you currently collect from individuals, where that data is stored, who can access it and whether there are currently any data-breach risks surrounding the information you hold.
Consider what information you really need to capture and make changes to the way it is collected. You should also look at your current privacy statements and ensure that they are re-worded and presented to individuals so that they can give informed consent for you to use and store their data.
You should also look into having new and more thorough security measures put in place to ensure that the risk of data breaches is minimised. It is advisable, in any case, to work with GDPR compliance experts to update your whole system for the new rules.