You may have heard about the new legislation coming into effect soon called the GDPR, but what is it, and how will it affect you and your small business?
What is GDPR?
GDPR stands for General Data Protection Regulation and will replace the current Data Protection Act (DPA), standardising data privacy laws across Europe. The new legislation will come into effect on 25th May 2018 and will affect all organisations that process the personal data of EU residents.
What’s the difference between the GDPR and the Data Protection Act?
Within the GDPR the conditions for consent have been strengthened. This means companies will no longer be able to use long, complicated terms and conditions full of difficult terminology, as the request for consent must be explicit. This means it must be given in a clear and easily accessible form, using plain and understandable language, with the purpose for data processing attached to that consent. It must also be as easy to withdraw consent as it is to give it.
This explicit consent is only required for processing sensitive personal data, where, in this context, nothing less than “opt in” will meet the requirements.
What about Brexit?
Regardless of Brexit, all UK organisations that process data about individuals in the context of selling goods or services to citizens in other EU countries will still need to comply with GDPR. The new legislation will come into effect before the UK leaves the EU, and the government has confirmed that the regulation will apply.
However, if your business is limited to the UK, your position post-Brexit is much less clear. The UK Government has suggested that it will implement an equivalent or alternative legal procedure, and it has been indicated that this legislation will largely follow the GDPR, given the UK Government's support for it. Therefore, even if you are solely a UK business, we suggest you also implement the relevant procedures to ensure your business is GDPR compliant.
What are the Penalties?
For breach of the GDPR legislation, organisations can be fined up to 4% of their annual global turnover, or €20 million. These fines can be imposed for the most serious infringements, for example, not having sufficient customer consent to process data. There is a tiered approach to the fines; for example, a company can be fined 2% of its annual global turnover for not having its records in order.
What is deemed as personal data?
Personal data is any information related to a data subject that can be used to directly or indirectly identify the person. This includes, but is not limited to: name, email address, computer IP address, a photo, bank details and medical information.
9 Key changes introduced by the GDPR
- Data should only be collected when necessary to fulfil specific purposes, and must be discarded when it is no longer required, to protect data subjects' rights.
- Even if your business is not in the EU, you will still have to comply with GDPR.
- The rules for obtaining valid consent have been changed and should be laid out in simple terms.
- Parental consent will be necessary for processing the data of children under the age of 16.
- The GDPR requires that systems and processes take account of compliance with the principles of data protection, with processes being built on the principle of privacy by design.
- The definition of personal data has been broadened, bringing more data into the regulated boundary.
- Mandatory data protection impact assessments have been introduced, whereby a risk-based approach must be adopted before undertaking higher-risk data processing activities.
- There are new requirements for data portability which will allow a user to request a copy of personal data in a format usable by them.
- The appointment of a data protection officer (DPO) will be mandatory for certain companies.
If you have any further questions regarding the changes that need to be made in your small business in order to comply with the new GDPR legislation, please get in touch.