The biggest shake-up of data protection regulations, GDPR, is nearly upon us. The new rules will come into force on 25th May 2018.
If you haven’t heard of GDPR, or if you have but haven’t found the time to investigate how it might impact you and your business, then this is the guide for you.
But first, a very important disclaimer: every business is different, and that makes it very hard to give precise advice on GDPR, as your circumstances may differ from those of the “average business”.
For that reason alone, the first piece of advice I’ll give is to seek out expert help on preparing for GDPR. We’ll look at ways to do this later.
Now let’s take a look at a few questions that get asked frequently about GDPR.
GDPR stands for General Data Protection Regulation and is the culmination of a project to set one standard for data protection rules across the European Union.
In simple terms, no. GDPR comes into force before Brexit is due to happen, and the British government has already indicated that it plans to follow GDPR rules regardless of Brexit.
Although there is no one-size-fits-all answer here, it probably will. Almost every business, charity and non-profit collects data of some kind, whether it’s names and addresses, card details or something more complex.
The government will enforce GDPR by introducing a new data protection bill. When this bill becomes law, it will replace the Data Protection Act, which will then be repealed.
From a more practical point of view, the good news is that the two acts will not differ greatly from each other. This means that if you are already compliant with the Data Protection Act 1998, you won’t have to make too many changes.
That being said, don’t use compliance with the 1998 act as an excuse for complacency, as there are still some significant changes you may need to implement.
The GDPR regulation contains 99 articles, so as you can imagine there’s a lot in there that needs to be digested.
With that in mind, here are the key changes that will come into force.
Currently, if someone wants to access the data that you hold about them, they have to pay a £10 charge. That charge will be abolished under GDPR.
You’ll also have to provide any data you hold on them within one month.
Essentially, people will have more control over their data, and you need to make sure you are in a position to provide them with their data upon request.
This is the GDPR change that has caused the most concern.
It is true that the maximum fine for failing to comply with data protection laws will rise to 20 million Euros for the worst offences (from £500,000). However, the Information Commissioner’s Office (ICO) has indicated that it is unlikely to use these fines routinely, and that it will look to work with businesses to improve their compliance where possible rather than punish them.
Larger companies (those with 250 or more employees) will need to provide documentation detailing why they collect and process people’s data, what information they hold, how long they’ll keep hold of it and the security measures in place to protect that data.
In addition, companies that process people’s data on a large scale, or process a significant amount of sensitive data (such as medical records) will have to employ a data protection officer.
Clearly, the vast majority of smaller businesses won’t be affected by these changes.
However, what will affect businesses of all sizes is the need to get consent in order to use someone’s data for certain purposes (this includes marketing). This may sound familiar, but GDPR will require you to get positive consent from an individual in order to send them marketing material. (There are, however, some exceptions to this rule; read this article over at 123-reg for more information on how GDPR will impact marketing.)
The short answer is yes. The longer answer is also yes, but with a caveat: although initial steps will help, on their own they are nowhere near enough to ensure compliance with GDPR, so make sure you’re fully aware of the other steps you may need to take.
With that in mind, here are those initial steps:
I would recommend viewing the ICO’s “Preparing for GDPR 12 steps to take now” guide.
There is also an ICO helpline which you can contact.