What is GDPR?
The existing Data Protection Act (DPA) of 1998 is no longer fit for purpose as in recent years the internet has fundamentally altered the way that we access, create, share and store information. The European General Data Protection Regulation (GDPR) comes into force on 25 May 2018. The regulations have been designed to unify the European business environment and encourage companies to think seriously about data protection. This new piece of legislation is set to bring about some significant changes to data security and privacy. Individuals will possess greater rights of access to personal information, there is an elevated requirement for businesses to manage their data better, and a new penalty structure will be put in place.
By the 25 May 2018, the UK will still be classed as a member of the EU, and thus the GDPR compliance deadline is still an important one for UK businesses. In addition to this, the regulations will still apply post-Brexit if your business holds or handles information about EU citizens.
Furthermore, the Brexit process will not have an impact upon the implementation of these regulations in the UK going forward, as a new Data Protection Bill, which will largely include all the provisions of the GDPR, is to be introduced. The Data Protection Bill, which was introduced to the House of Lords on 13 September 2017, is designed to give people greater control over their data and assist businesses in their use of data whilst preparing Britain for Brexit. By implementing the GDPR directly into UK legislation, it is hoped that the free flow of information across Europe will be maintained even post-Brexit, which will be essential for the UK’s future trade relations.
How will this affect me?
All businesses must develop policies that demonstrate their compliance with GDPR if they have not already done so. The new regulations recognise that smaller businesses require different treatment to larger or public enterprises. Businesses that employ less that 250 employees are treated with greater leniency as they have fewer resources and pose less of a risk to data protection. However, smaller businesses must still comply with GDPR principles if they regularly process personal data.
The UK's Information Commissioner, Elizabeth Denham, has been increasingly frustrated by the misinformation and scaremongering surrounding the impact of GDPR on businesses. "The GDPR is a step change for data protection," she says. "It's still an evolution, not a revolution". She adds that for businesses and organisations already complying with existing data protection laws the new regulation is only a "step change”.
The Information Commissioner’s Office, the GDPR’s governing body, states that, “If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.”
Most small businesses will not have to appoint a Data Protection Officer, but someone in your organisation must take responsibility for implementing the principles and ensuring company-wide awareness.
For larger businesses that have over 250 employees and who work with bigger or more specialist data sets, (particularly sensitive personal data) a Data Protection Officer will need to be appointed to oversee your company’s compliance to these new regulations. They will answer directly to the highest management levels, whilst acting independently in their role. Their job will include duties such as: conducting information audits, training staff, monitoring performance, managing data processing records and being a point of contact for data protection authorities and data subjects alike.
What more do I need to do?
You must begin to develop and implement policies that demonstrate your compliance with the GDPR. Here are a few pointers on what you need to be doing:
- Conduct an audit of the personal information that you currently hold, where it came from, how you are storing it and who it has been shared with.
- Ensure the management and key employees in your organisation are aware that regulations are changing to the GDPR.
- Review your current privacy notices to discover if you need to update them ahead of the GDPR deadline.
- Plan how you will respond to subject access requests within the new timescales.
- Check your company’s processes to make sure you are covering the rights that individuals now hold.
- Identify how your data processing activity complies with the GDPR, document it and update your privacy notice to explain it.
- Analyse how you pursue, record and manage consent and whether you need to make changes in this area in light of the GDPR.
- Investigate whether you have the right procedures in place to detect and handle personal data breaches.
- Nominate someone within your organisation to take responsibility for compliance and consider if your organisation needs a formal Data Protection Officer.
- Think about whether your business needs to identify an individual’s age or needs to obtain parental or guardian consent.
- If you are an international business that operates in more than one EU member country, identify your primary data protection supervisory authority.
- Familiarise yourself with the ICO’s code of practise on Privacy Impact Assessments and locate the latest guidance from the Article 29 Working Party - an advisory body made up of a representative from the data protection authority of each EU Member State.
What are the penalties?
The principles of accountability are significantly elevated under the GDPR. Penalties for non-compliance are much more severe than under the previous DPA, with fines of up £17M or up to 4% of annual global turnover (whatever is greater).
What we are doing
We take data protection very seriously and are fully compliant with ICO directives. Our team are aware that GDPR rules are changing and we understand the impact of this upon the way we hold and manage data. We have already taken the required steps to protect our clients’ data.
We have strict security procedures covering the storage of personal information in order to prevent unauthorised access and to comply with ICO data protection rules.
In the unfortunate event that our security systems are compromised, we would notify all our clients immediately, even if it wasn’t directly related to their accounts.
All client data that we request, or that is sent to us via email, is either encrypted or password protected. The information we hold is secure, accurate and up to date. Any data that is no longer current, is destroyed.
Our internal computer systems are password protected and regularly updated. We have recently conducted an internal audit of the information that we hold in order to ensure that it is current and complies with the new legislation.
How we can help your business
When the GDPR comes into effect, it is likely that your company will possess data that you will no longer be able to utilise. However, Air Social is able to precisely match your data sets through social media profile matching and creating lookalike audiences of that data that can then be targeted. This means that the data that you currently hold can still be put to use to generate new leads for your business.
Get in touch with us to find out more about how we can help you make the change to become GDPR compliant, whilst ensuring that the data you currently hold doesn’t lose its effectiveness.
For more information and clarification on the specifics of the GDPR and how it will be implemented into UK law, it is best to contact the Information Commissioner’s Office directly. It includes a helpful GDPR checklist for your business.
The full GDPR can be found here.