Major new data protection rules are coming in next year in the form of the General Data Protection Regulation, better known as GDPR. The rules, which are thought to be the biggest changes in data protection in 20 years, are set to come into force on 25th May 2018, in a bid to give European Union citizens more control over their data and how it is used. Though the UK has voted to leave the EU, the timing of Brexit will mean that we are still subject to GDPR regulations.
These new rules aim to tackle issues related to the growth of cloud technology and the prevalence of the internet, on which we share our personal details without a second thought. GDPR intends to strengthen current legislation, pose tougher enforcement measures and make businesses think harder about how they deal with the personal information they collect. It also works to set a level playing field for businesses, giving them clarity and an easier environment in which to operate by making the laws around data protection the same for everyone.
But GDPR doesn’t just apply to businesses operating within the European Union. It also affects companies doing business with or analysing the behaviours of EU citizens.
With the deadline for GDPR fast approaching, it’s essential to make sure your business is compliant. Those who fail to adhere to new GDPR guidelines face fines of up to €20 million or 4% of their global annual turnover – whichever is higher.
So what do you need to do to be compliant with the GDPR requirements next May?
Carry out early assessment of how GDPR will affect your business, and you’ll be well placed to create a plan of what you need to do to become compliant. You’ll need to determine whether you or your partners handle data from EU citizens, and whether you intend to do business within the EU, or employ EU workers in the future.
Tackle it as a business
The implications of GDPR will most likely affect every department in your organisation, so it makes sense for the company to tackle it together, and come up with a unified strategy to deal with it. Make sure to take into account all the data your business collects, and have a clear understanding of how it’s stored and backed up. It’s important to know how this data moves through your business and who has access to it. You also need to make sure that you have received specific, freely and informed consent to obtain and use that data. Consent from silence, pre-ticked boxes or inactivity just won’t cut it, and designated controllers must ensure that data is used transparently and for a specific purpose.
Depending on the size and needs of your business, creating a team or appointing a compliance officer specifically for GDPR could be invaluable as the changes get underway.
Create clear and concise records
Document the way your processing procedures are audited to ensure the correct steps are being followed. It’s also important to create an incident response plan – any data breach must be reported to the relevant supervisory authority within 72 hours. Failure to do so could land you a fine of €10 million, or 2% of your global turnover. It may also be worth bringing in regular training for employees, so everyone is aware of the risks and the procedures for handling issues, as well as introducing internal audits of processing activities, and reviews of internal HR policies.
The implementation of GDPR has meant a number of myths have come to light about what does and does not affect company compliance. Being absolutely clear about GDPR requirement and what your business needs to do in order to comply is crucial.
Myth 1: It’s only related to digital data security
The focus of GDPR is often placed on the way we store and protect digital data, but it stems much further than this. It works to protect all of your data, including anything stored via hard copy. Paperwork must be stored in line with GDPR legislation as well as what’s on your hard drive.
Part of GDPR requirements include the right to have data deleted, or the right to be forgotten. If you can’t correctly handle this information within your paperwork, you run the risk of failing GDPR compliance. There’s also the threat of printed documents falling into the wrong hands, which is just as much a danger as someone hacking your computer network.
Investing in lockable storage such as filing cabinets and creating a system for filing away paperwork can prove useful when trying to locate it.
Myth 2: It’s quick to implement
While it may be easier to manage in the long run, GDPR will most likely take some time to implement into your organisation, so it’s worth taking the steps to become compliant now. That way, when GDPR regulations come into force, your business will be ready.
Myth 3: It’s only about imposing fines
GDPR is changing how personal data is used by companies. Right now, the Data Protection Act says that personal data can be used by companies but the new GDPR legislation will change how it can be used. It will give people easier access to the information that companies hold about them – in most cases businesses will have to respond to a request within one month.
Due to the complex demands in the EU’s new legislation, it’s essential you and your business are fully prepared for the implementation of GDPR and what you’re expected to watch out for. Data protection is a serious matter for everyone, and the new guidelines serve to build trust, by strengthening and unifying data protection for individuals – and it’s crucial that businesses fall in line.