What is the GDPR?
The EU General Data Protection Regulation (GDPR) is the most significant piece of European privacy legislation in the last twenty years. It replaces the 1995 EU Data Protection Directive, strengthens the rights that EU individuals have over their data and seeks to unify data protection law across Europe. It applies from 25 May 2018.
Whilst this may seem a long way off it is important that you consider the implications for your organisation and start preparing immediately. It is crucial to plan your approach to GDPR compliance now and to gain ‘buy in’ from key people within your organisation. You may need, for example, to put new procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. In a large or complex business, this could have significant budgetary, IT, personnel, governance and communications implications.
In order to assist, we have put together this brief guide for you – further information can be found at the ICO website.
We would recommend that should you have any doubts as to what your obligations are that you consult an appropriate professional service.
Will it affect my business?
The simple answer is yes, if you act as a controller or a processor of any personal data. Note that the GDPR is not limited to organisations established in the EU: it also applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
What information does the GDPR apply to?
The ICO describes the data it applies to as follows:
Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – e.g. an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations, keeping HR records, customer lists, or contact details etc., the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This is wider than the DPA’s definition and could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – e.g. key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
Sensitive personal data
The GDPR refers to sensitive personal data as “special categories of personal data”. These categories are broadly the same as those in the DPA, but there are some minor changes.
For example, the special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Personal data relating to criminal convictions and offences is not included, but similar extra safeguards apply to its processing.
What should we be doing now about GDPR compliance?
The ICO has issued a helpful 12-step guide covering the areas to address when preparing for the GDPR. Its overview of the definitions of personal data and of what is required going forward is also available on the ICO website.
One of the big priorities for a business owner is ensuring you and your staff are clear that new legislation is coming and why, and to begin to be more thoughtful and diligent around the use of data.
You should consider how your business will comply with the new requirements by looking at the following 4 key areas:
1. Identifying the personal data you hold, where it is and why you process it
2. Protecting that data with controls appropriate to the risk
3. Monitoring how the data is used and accessed
4. Notifying a personal data breach (the GDPR requires a notifiable breach to be reported to the supervisory authority, the ICO in the UK, without undue delay and where feasible within 72 hours of becoming aware of it)
The path to GDPR compliance will continue to evolve as the ICO issues further guidance, and many businesses will need to work out the answers for their own circumstances.
As stated above, now really is the time to begin preparing for the GDPR.
With this in mind please consider these tips:
Familiarise yourself with the provisions of the new regulation, particularly where they differ from your current data protection obligations. Be aware that the new requirements may call for new agreements with service providers, or for entirely new solutions that meet the more stringent requirements ahead.
Consider creating an up-to-date and precise inventory of the personal data you process; data discovery and Data Loss Prevention (DLP) tools can help locate it.
Review your current controls and processes to ensure that they’re adequate, and build a plan to address any gaps.
What are the consequences of not complying?
The potential consequences of not complying with the GDPR are massive. Supervisory authorities will be able to fine organisations up to €20m or 4% of total annual worldwide turnover, whichever is greater.
‘Our clients and partners can count on the fact that TextAnywhere is committed to GDPR compliance across all our services, when the GDPR takes effect on May 25, 2018.’
Resources and further information:
*Please note that this guide is for informational purposes only, and should not be relied upon as legal advice. We encourage you to work with legal and other professionals to determine how the GDPR might apply to your organisation.