The General Data Protection Regulation (GDPR)
The countdown to the introduction of GDPR has begun: the regulation comes into force on 25th May 2018. You may have heard or read about GDPR but are still unsure what it is and what it means for your business. If so, rest assured you're not alone. In this article I'll give you a brief outline of what GDPR actually is and the implications it has for your business.
What is GDPR?
GDPR is the biggest shake-up of data protection law in 20 years; it governs the collection and processing of personal data in the EU. It comes into force on 25 May 2018.
In the UK, data protection is currently covered by the Data Protection Act (1998). A new Data Protection Bill has been put before the House of Lords, which will update the UK's legislation with a new Data Protection Act.
Why have they been introduced?
Since the last Data Protection Act was introduced in 1998, there has been an explosion in digital technology, and with it a proliferation in the use and transmission of personal data.
The new regulation aims to make data protection law fit for the current digital revolution, empowering people to take control of their personal data and ensuring businesses use any personal data fairly and responsibly.
GDPR only covers "personal data": information that relates to an identifiable person rather than to a business. In practice this means GDPR will cover any information you hold about individuals for marketing, finance, or HR management purposes. The regulation covers:
- Collection and storage of personal data
- Use or processing of personal data
- Alteration, disclosure and destruction of personal data
It's important to note that Brexit will not affect the UK's implementation of these regulations.
What are the aims of GDPR?
The principal aim of the regulation is greater harmonisation of data protection rules across Europe, with a single standard for all member states. In practice this means businesses will have to take greater ownership of the data they collect, reduce the risks associated with storing personal data, and put measures in place to prevent its misuse.
What are the key points I need to know?
GDPR applies to any organisation that stores or processes the personal data of individuals in the EU, wherever that organisation is based:
- The individual’s rights to their data are stronger and more extensive;
- The rules apply to both physical filing systems and electronic data;
- GDPR breaches can incur much larger fines: up to 4% of annual global turnover or €20 million, whichever is higher;
- Organisations are held accountable for demonstrating compliance, and this needs to be evidenced;
- Consent to process data must be unambiguous: verifiable, clear and affirmative.
It's also important to note that organisations will be responsible for reporting personal data breaches to the supervisory authority within 72 hours of becoming aware of them. Any third parties who handle data on your behalf (data processors) will also be directly liable for breaches going forward.
Your organisation’s responsibilities
Your organisation may be classed as a 'data controller' or a 'data processor'. In some situations, you may be both.
- A data controller is an organisation that collects, keeps or processes personal data and determines why and how that data is processed.
- A data processor is a third party that processes data on a controller's behalf for a specific function, e.g. a payroll provider or an IT company. Data processors have new obligations under GDPR and take on greater liability if they breach the regulation.
So what do I do next?
Our first recommendation is to understand what GDPR is really about, and reading this blog is a good starting point. You need to understand the changes and how they will impact your business, and we suggest that you provide training to your staff on what the regulation means for them in their role.