GDPR – What is it and are you ready?
There’s now less than one year to go until a seismic change in data protection takes place with the launch of GDPR. If you are an organisation which gathers personal information about people, you will be affected. The separation between data controller and data processor effectively becomes redundant. The responsibility, obligations and consequences will extend to data processors, so we can no longer be comforted by being “just” the data processor.
To give you some of the basics about what you need to know we’ve rounded up the key points below:
What is GDPR?
The General Data Protection Regulation launches on 25 May 2018. It’s an EU law which will bring in new rules regarding data protection and the ways in which companies can store and process personal data.
While the UK is set to leave the EU, Brexit won’t have happened by this time next year so businesses in the UK will be required to comply with these new regulations when they launch. The UK may need to comply with these rules beyond Brexit in order to access trade agreements. This is, obviously, all subject to the fine detail of Brexit negotiations!
Key points of GDPR
A range of changes is coming in, but the main ones to be aware of are:
- the right to be forgotten will be introduced;
- people will need to have given explicit consent before a business can store and/or process their personal data;
- new rules will require people to be notified of data breaches swiftly.
The EU is imposing severe penalties to ensure compliance. Businesses found in breach of GDPR will face fines of up to €20 million or 4% of global annual turnover for the previous year – whichever is higher. It’s the sort of fine which could easily sink many businesses so investing your time in ensuring that you are compliant is essential.
GDPR will also mean that data protection regulations are the same across Europe so no matter what country a person is in, or is from, they can expect to be treated the same.
How to ensure your business complies
If you are a business which carries out checks on your employees, or outsources those checks, then you are likely to be storing vast amounts of personal data.
Under GDPR you will need to show that there is a legal justification for why you require such personal data, and that reason will have to be documented somewhere. You will need to ensure your purpose for capturing, processing and storing the data is justified, and this extends to the type of data and how long you store it for. For example, “background checks” will not be sufficient justification to capture demographic information such as ethnicity. You’ll also need to show that your employee gave explicit consent for you to have this personal data and to use it for this purpose. In addition, the individual has the right to withdraw their consent at any stage. This must be easy and straightforward for them to do, through the same channel in which they granted consent in the first place.
GDPR also gives an individual the right to be forgotten which means that if an employee leaves your business – and so you no longer have a need to hold their personal data – they have the right to ask for everything you hold about them to be deleted.
Under GDPR organisations who handle significant amounts of personal data will also need to employ a Data Protection Officer whose role will be to ensure ongoing compliance.
In the event of a data breach where personal data is at risk, there are also new rules coming in about when such breaches have to be declared. Organisations, which have sometimes been reluctant to announce a breach, will now have just 72 hours to complete a Privacy Impact Assessment and declare what’s happened.
It may seem like a year is a long time, but GDPR will mean significant changes to the way in which businesses handle personal data, and to their processes and systems. Even if you feel your company doesn’t handle much, the advice is to get prepared sooner rather than later in order to ensure you aren’t stung by a penalty this time next year.