First of all, GDPR stands for General Data Protection Regulation. The publication was in preparation for 4 years, before its official approval on the 14th April 2016. However, GDPR will be officially enforced on the 25th May 2018 – meaning you now have 324 days to prepare!
The aim of GDPR is to protect all EU citizens from privacy and data breaches in a world where data is the new oil. The document will replace the current 1995 directive that outlines the key principles surrounding data protection in the EU. All organisations within or selling goods/services in the EU must be compliant with these new laws or face heavy fines.
What will change?
While the key principles surrounding data protection from the 1995 directive remain the same, there are some changes outlined in the main GDPR website.
1. Increased territorial scope
The biggest change to the current data protection laws is that GDPR is relevant to all companies processing personal data in the EU, even if the company is not physically located in the EU. Non-EU companies will need to appoint an EU representative. In the current laws, territorial scope is ambiguous.
2. Penalties
Probably what has made businesses most conscious of GDPR are the heavy penalties for non-compliance. If you are in breach under GDPR law, expect a fine of 4% of annual turnover or €20 million (whichever is greater).
3. Consent
Businesses must now get clear consent from data subjects under GDPR. They can no longer use complicated terms and conditions to ask data subjects for consent through any medium. Instead, companies must provide terms and conditions in an understandable manner and provide an equally simple way for subjects to withdraw consent.
4. Breach notification
Under GDPR, all data processors must record a breach within 72 hours of becoming aware of it. Data processors will also have to tell data subjects within this time.
5. Right to access and the Right to be withdrawn
Data subjects now have full rights to ask data controllers about their data – where it is processed and for what purpose. The data controller must provide a free copy of the personal data in an electronic format. Similarly, data subjects have the right to ask controllers to erase their data.
6. Data Protection Officers
All companies that process data on a large scale, are public authorities, or fall within special categories such as criminal offences must appoint a Data Protection Officer. Under current law, all data controllers must submit their data processing activities to the DPA. From the 25th May 2018, only internal record keeping will be necessary.
An internal DPO should meet the following requirements:
- Must have expert knowledge of data protection law and practice
- May be a staff member or an external appointee
- Contact details must be given to the local DPA
- Must be given appropriate resources
- Must report to the highest level of management
- Must not carry out other tasks that risk a conflict of interest
How to prepare for GDPR – Now
1. Prepare a data audit
At the TechConnect Live event at the end of May, Gareth Davies – Data Protection Officer at the Kerry Group – said a data audit before GDPR enforcement is vital. A data audit involves analysing the amount and kind of data you have, who is holding it and how the company will handle data in the future.
2. Start collecting consent
As mentioned, you must clearly explain to data subjects what you will do with their data, before they provide consent. For example, you can no longer go to an event, collect hundreds of business cards and contact these businesses without consent. While some businesses may need to hold data for medical/legal reasons, this consent is particularly concerned with the further use of data for marketing purposes.
3. Create clear employment contracts
As we build recruitment software, we couldn’t leave this point out! Barry Rudden – Senior Director at Sigmar Recruitment – explained at Tech Connect Live 17 the necessity of making employment contracts clear and transparent for employees. This ensures there is no ambiguity regarding consent. He also suggested that businesses can expect more internal requests from past employees about their data.
So is GDPR an opportunity or a threat?
Many articles focus on the heavy penalties and the overall effort, but GDPR may be good for business. For one, businesses may gain a competitive advantage in being fully GDPR compliant. With many data breaches in the last few years, people are more concerned about the handling of their personal information than ever before. By implementing GDPR laws, you are safeguarding personal information and building relationships with clients based on transparency and trust.