From 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) will be enforced, replacing and improving upon the UK Data Protection Act 1998 (DPA). This means that all businesses must be compliant with the new regulation by that date or face sanctions. Penalties for non-compliance are staggering, including fines of up to €20 million or 4% of annual global revenue, whichever is the greater. The regulation will apply in Britain regardless of Brexit, so it is imperative that British companies reassess their data protection methods now. For a full overview of the rules, follow this link to the ICO’s page on GDPR.
Most professionals will already have heard passing comments about GDPR, but if you are unaware: it is a new set of regulations that will change the way businesses acquire personal data from employees and clients, how they store that data and how they use it. The most notable impact GDPR will have on businesses is on communications practices. Have you ever received a spam email? Under the new regulation, senders will not legally be permitted to send you anything unless they obtain your consent first.
So how will this affect the day-to-day work of data collection? Consent has a much stricter definition under the GDPR. An individual must now take some kind of clear, affirmative action that permits a company to retain their personal data. Unlike under the DPA, a pre-ticked consent box or any other form of inactivity on the customer’s part does not constitute consent. Businesses must review the methods by which they obtain information and ensure that they meet the GDPR before it comes into force in 2018, or face the penalties. Data management software, such as KMFM Technologies’ Onsite Management Systems (OMS), will also be affected by the GDPR and will therefore need to be reviewed and amended where necessary. The new regulation demands a more concrete and well-evidenced trail of consent: companies must now retain a record of the original act of consent so that it can be verified at a later date if required. It is worth noting that there are alternative legal bases, other than consent, with regard to third-party business; more information on these can be found here.
The regulation is designed to strengthen data protection for individuals throughout the EU. The constant technological evolution of our society means that more personal data exists now than ever before. We have more accounts and more devices, not to mention the fact that most of these technologies and platforms converge and intertwine to form our online identities. For these reasons, the introduction of the GDPR may seem long overdue. The new regulation gives a much clearer, more detailed list of what constitutes personal data. It aims to ensure that personal data is stored with consent, for a specified purpose and for a period of time that is in keeping with the reason for obtaining the data in the first place.
The GDPR’s impact will not be limited to businesses in the EU: any company anywhere in the world could be caught by the new legislation if it processes personal data relating to EU citizens, has a European presence, or operates a website offering goods or services to EU citizens. Businesses that hold personal data for marketing, human resources, or more specific functions such as external payroll services are also affected.
GDPR introduces new, and quite tough, data protection rules. Businesses may need to implement strict technical and organisational security measures, including pseudonymisation and data encryption. They will be required to notify the relevant data protection authorities of data breaches within 72 hours. In certain circumstances, the affected data subjects will also have to be notified of the breach. Companies will have to conduct privacy impact assessments before carrying out high-risk data processing and build in privacy by design when processing personal data. As under the DPA, “controllers” and “processors” will be held legally responsible for adherence to the GDPR. Organisations of a certain size with multiple departments will also have to appoint a data protection officer to oversee these practices.
The enforcement of the GDPR need not be a cause for concern, but it is essential that businesses review the methods by which they collect personal data. The GDPR aims to increase security and to give individuals more control over who holds their personal data, which should lead to healthier relationships between a company and its employees, and between a company and its clients. Start the review process now so that you are neither penalised for a lack of vigilance nor risk compromising employee and client trust in your company.