The EU’s new General Data Protection Regulations (GDPR) come into force next spring. As soon as they do, any non-compliant business is at risk of hefty fines – up to €20 million or 4% of an organisations annual global turnover, whichever is greater. The time between now and the start of the regulations is your business’s chance to prepare for the changes and make sure you don’t get caught out.
Will GDPR affect my business?
GDPR will affect every business in the UK as long as we remain in the EU. Once we leave, it will only apply where businesses are processing data from EU citizens or offering them products and services directly. If your business fits that criteria, you need to pay serious attention to the upcoming changes.
Even if your business will have no involvement with the EU post-Brexit, you may find that you have to comply with similar regulations in the near future. The recent Queen’s Speech mentioned plans for new UK data regulation that would bring our policies in line with the European changes anyway, so it is possible, perhaps even likely, that the recommendations we make for GDPR preparation will apply to you as well.
What’s changing with GDPR?
Compliance with the Data Protection Act is already a requirement for UK businesses, so what difference will GDPR make?
Some regulations are new, whilst others are stricter versions of existing rules. Some key points are:
- You must clearly and intelligibly ask for consent to obtain and store an EU national’s data.
- Where the subject of the data is under 16, their details can only be processed with the express consent of their parent or guardian.
- All individuals have a ‘right to be forgotten’ that must be respected. This means that they can request to have all of their data wiped.
- If there is a security breach, organisations must notify all affected parties within 72 hours or face sanctions.
In general, GDPR introduces regulations that are wider reaching and that give more power to individuals. They also represent a proper unification of the data laws across different EU countries, making it easier for businesses to know how to process their EU data, regardless of its origin. For a more comprehensive overview of the changes, take a look at the official GDPR website.
How can I make sure my business is compliant?
There are a few different ways to make sure that you don’t fall afoul of GDPR. How much you need to do will depend on the size of your business and the amount of data you process.
If you believe that GDPR will have a big impact on you because you do a lot of business with EU nationals, it could be worth creating a temporary role within your company for a compliance officer, who would be tasked with managing the transition to the new regulations.
As part of their role, they would need to know every little detail about GDPR (and any new UK data laws) and be able to apply it. They could be responsible for reviewing where and how your business obtains consent to process data, to ensure that individuals’ right to be forgotten will be upheld and, importantly, to educate others in the company about how the new regulations will impact their role. Just as implementing new software is easier if someone in your company ‘champions’ it, you might find that appointing a GDPR ‘champion’ is the easiest way to ensure compliance.
If you don’t have the resources to create a transitional role, you will have to find another way to review the same things. It is particularly important to look at how your data is obtained and stored, as a lack of security in these areas could be how a lot of businesses are caught out. The earlier you start preparing, the less likely it is that you’ll be caught out.
What are other businesses saying?
Cameron Craig, group head of data privacy at HSBC, and Steve Wright, group data and information security officer at John Lewis, were both involved in a GDPR panel at the most recent INFOSEC conference. As Naked Security reports, Wright said, “interpretation is the biggest challenge,” suggesting that the regulations are not as clear as existing international standards. He expressed additional concerns about what to do with old data.
Craig shared Wright’s feelings, adding that the regulations are clearly meant to exert greater control over tech giants like Google and Facebook. In focusing on these businesses, however, things are being made tricky for businesses in the financial sector who process data very differently.
It is always better to be proactive rather than reactive in situations like this. Don’t waste time waiting for further clarification, or even for GDPR to come into force, before you make changes. Use the information that is currently available to do what you can and keep checking for updates so that, come May 2018, you’re fully prepared for the new regulations.