GDPR - Have you heard about it? Have you thought about it?
This is the most significant regulatory change of the last few decades in EU data protection law and is looming ever closer!! 25th May 2018 is really not going to take long to get here!
The General Data Protection Regulation (GPDR) is the new legal framework in the EU and the government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GPDR. There are questions as to how the GPDR will apply in the UK upon leaving the EU on 29th March 2019, but at the moment it is important to focus on compliance.
The regulations will affect ALL of us and have a massive effect on promoting your business.
If your business collects any of the following;
Personal Data:
Name
Address
Phone
Gender
NI no.
Website traffic - cookies, IP address, etc.
Sensitive Personal Data:
Race/ethnic origin
Political opinions
Religious beliefs
Trade Union membership
Genetic data
Biometric data
Health
Sex life/orientation
for any reason:
Customer Relationship Management
Marketing
Recruitment
Sales
Employees
Suppliers
CCTV
Third Party
Photos
Yes? Then you must start paying attention!
What data do you collect?
Where is it stored?
How long do you store it for?
These are the basic questions to start with.
It will be down to us, as business owners to prove accountability for how we store and use data. For instance - you can only keep CVs for a max of 6 months.
CONSENT will be the biggest thing changing. We will have to get active consent from every single person we keep data on, and that it is OK to send them marketing communications (mailing lists are going to suffer a huge hit)
When it comes into effect on May 25th, 2018, it intends to give European citizens back control over their personal data. It will give them the ‘right to be forgotten’ – meaning they will be able to request businesses delete their no longer necessary or accurate data, as well as this the law hold provisions that could potentially increase consumers’ rights over their personal data. For example, in theory a personal could ask social networks like Facebook to delete their profile entirely, however the laws relating to freedom of expression will not allow the ‘right to be forgotten’ to be extended to news articles. Further to this, there is potential to have control over data being transferred from one service to another more easily – making it simpler to swap utility providers or insurance companies.
While great news for individuals, the new legislation presents complex problems for companies meaning they could face fines running into tens of millions of Euros if they breach the new laws. Whilst giving EU citizens back the control over their complex data is a good thing, it is not necessarily easy, plus working out how to give it back to them, yet ensuring it is stored adequately throughout employment and the deleted securely is a bit of a technical nightmare!
GDPR will also have implications for companies outside of the EU, if they old data belonging to anyone within the EU, they are liable. So, in short, if you hold or process any data relating to individuals living or working within the EU, you will be subject to aspects of the GPDR.
GDPR is for those who have day-to-day responsibility for data protection. It applies to ‘controllers’ and ‘processors’ – the controller deciding on how and why the personal information is processed and the processor actually handling and processing the information. If you are currently subject to the DPA, you will more than likely also be subject to the GDPR.
The ICO have released a set of guidelines to help businesses prepare for GDPR. https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf It recommends that companies review privacy notices and ensure there is a plan in place that allows them to make any necessary changes to be in compliance with GDPR. However, don’t panic yet, the ICO insist that there are many similarities between it and the existing UK Data Protection Act. This means that the companies already successfully abiding by the UK Act will probably be covered, however, the GDPR is a ‘living document’ – it is evolving and being worked on to expand it in key areas, each EU member state has representatives which make up the Working Party responsible for this work and the UK is represented by the Information Commissioner’s Office (ICO).
Once GDPR comes in there may well be an increase in companies facing legal challenges from individuals and groups taking up privacy issues - expect to see any increase in the large companies recruiting data protection officers!
For more information, there are many places holding workshops & seminars, many of them free. Have a look online for one local to you.