GDPR – What it is, how it affects you and what to do about it

With around a year to go until the General Data Protection Regulation (GDPR) is scheduled to come into effect in May 2018, businesses across Europe are gearing up during the current transition period, which began on 27th April 2016.

As with many EU-wide regulations, the scope of GDPR is pretty vast and highly complex, which has led to a lot of confusion and uncertainty surrounding what it means for businesses.

Because many of Industry’s activities are rooted in the safe and compliant use of data, we’ve spent quite some time getting up to speed, so we wanted to share our knowledge and highlight some of the vital details and potential pitfalls of GDPR.

What is GDPR?

GDPR replaces the Data Protection Act (DPA) 1998, which has been deemed insufficient to deal with the complex technological and legal changes over the last 18 years.

GDPR will affect how businesses of all sizes manage, protect and administer personal data. The aim is to provide a single, unified legal framework in place of the uncoordinated mix of EU-wide regulations that currently dictate how data is used.

As a result of the regulation, you will undoubtedly have to review the collection, storage and use of personal data, as GDPR has a direct effect on every business that holds personal data, in every format.

What is ‘personal data’?

The best summary of what is meant by ‘personal data’ in GDPR comes from the regulation itself:

“Personal data means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” – definition of personal data, Article 4 of the regulation.

To sum up: pretty much all data that can be associated with an actual person falls under this definition, right down to an IP address. Because of this, businesses will have to be meticulous about how they treat all of their data.

What’s the thinking behind GDPR?

The key principles that make up the rationale behind GDPR all concern the protection of data and control over how it’s used by businesses. Make sure these tenets are central to your data policy and you’ll be on the right track.

  • Accountability and transparency
  • Consent for data use
  • Right to be forgotten
  • Subject access request
  • Portability of data
  • Protection of data by default

Keep these in mind to make sure that you adhere to the new rules – if any of the principles of GDPR are in question, make sure you are absolutely clear with how to manage the issue.

How does this affect my business?

Because it’s so far-reaching, the new regulations will affect many areas of your business. The key ones for you to consider first include:

  • Data you already hold: this will have to be audited to ensure it was correctly gathered and is being stored and used appropriately, or else removed.
  • Gathering new data: you will need to ensure that a framework is in place so that this is done correctly from now on.
  • Proof of compliance: you will need full audit trails of the source of all data currently being held, whether from third parties, incoming enquiries or your own sales force.
  • Existing privacy statements: these will need to be reviewed, and are likely to require updating to ensure compliance.

Along with reviewing existing processes, you will need to be conscious of data collection and handling in the future. With hefty penalties a distinct possibility, there’s no point in taking any risks with data.

Finally… how does Brexit affect GDPR?

GDPR applies to all UK businesses that trade with EU countries, and the UK Government will likely reform the existing UK data protection legislation in keeping with GDPR.

In order to comply with the requirements of GDPR and continue trading with the EU, similar compliance standards will be necessary to avoid an additional administrative burden.

Because of this, it’s definitely worthwhile keeping an eye on GDPR, as the regulation will likely have a significant effect on your business.

Find out more

For further information on the details of GDPR, we recommend taking a look at the ICO website – alternatively get in touch at or on 01635 884808 for help with any data issues.