GDPR is active – have you done everything you can to comply?
Now that the GDPR has come into force (the Information Commissioner's Office guide can be found here), it's absolutely essential that businesses ensure they're following the new regulations. The consequences of non-compliance have the potential to cause great financial damage, and the enforcement agencies operating in each of the EU nations will be taking their new responsibilities incredibly seriously. Here, we take a look at a few GDPR basics, examine what's changing under the new regulations, and consider what non-compliance could mean for your business.
The General Data Protection Regulation (GDPR) came into effect on the 25th May 2018. It applies to all member states of the EU and introduces a number of new processes, procedures, rights, and responsibilities concerning the way organisations handle personal data. The regulations aim to standardise data management practices across Europe and ensure that businesses and public bodies are collecting, storing, transferring, and deleting data in a secure and ethical manner.
How should data be handled?
The GDPR is predominantly focused on the management of both 'personal data' and 'sensitive personal data'. The first of these terms is considered to mean any piece of data that can be used to identify an individual. This includes names, addresses, phone numbers, and IP addresses, among other things. Sensitive personal data is that data which is not readily available, like religious or political beliefs, sexuality, and genetic information.
In terms of the major implications of GDPR, there are a number of important factors businesses must consider if they're to ensure compliance. They include:
- A clear process for obtaining the permission of individuals whose data is being collected and stored.
- The implementation of a process that allows individuals to request information pertaining to their stored personal data. This data must be provided within one month and organisations must do so for free. Similar processes that allow personal data to be deleted should also be implemented.
- The reporting of any data breach or loss to the relevant enforcement agency within 72 hours. Those individuals affected by the data breach must also be notified.
- Those companies that employ more than 250 members of staff must detail why the information is being collected, how long it will be stored for, and what security measures are being taken to protect it.
- Any organisation that carries out regular and systematic data collection must appoint a Data Protection Officer (DPO).
One of the most eye-catching aspects of the GDPR is the willingness of EU authorities to back their policy with extremely large fines for non-compliance. Organisations that are found to have breached the regulations will face a financial penalty of up to £20 million or 4% of global annual turnover, whichever is greater. While only the worst offenders will be hit with the maximum fine, the ability to tailor the punishment to represent both the severity of the crime and the financial clout of the infringing company makes the GDPR a powerful regulatory tool. However, enforcement agencies in each of the EU nations covered by GDPR will aim to encourage and reward attempted adoption of the regulations - even if there are early issues with compliance - rather than immediately punishing businesses with severe fines. If organisations can demonstrate that they're making concerted efforts to comply with GDPR, the UK government has offered reassurances that their approach will be defined by its leniency.
While implementation of the GDPR will result in widespread changes in the vast majority of UK businesses, it's not as radical a departure from existing data protection regulations as has been portrayed. However, threatened with large fines and damage to their reputation, businesses need to ensure that they're complying with the new measures.