The EU General Data Protection Regulation (GDPR) is scheduled to come into force in the UK in May of this year. It will replace the Data Protection Act and represents a significant upgrade in the rights that exist to protect personal and sensitive data. However, survey data from late 2017 shows that just over half of UK small businesses are still unaware of the GDPR and the business changes required for compliance. Roughly a quarter of all those in charge of making the decisions at UK enterprises are still not familiar with the obligations introduced by the GDPR and what this means for their organisations.
Do you know what GDPR compliance requires?
This is a question that few businesses could answer in the affirmative today, as many are still unprepared for the GDPR, even with only four months to go. One significant change that the new data protection regime introduces is the penalty for a lack of compliance. Previously, it was possible to fail at data protection and avoid more than a rap on the knuckles. After 18th May this year that won’t be the case. For example, data breach notifications are much more stringent and fines are far higher: up to 4% of annual global turnover or €20 million, whichever is greater.
GDPR – the overview
It is essential to dedicate some time and effort to getting to grips with the requirements of the GDPR and the specific impact on your business. These are some of the key changes to compliance that are being introduced:
- The right to be forgotten. Individuals now have the right to be forgotten by your business, including all of the data you’ve collected on them.
- Parental consent. If you’re processing a child’s data you’ll need the consent of the parent.
- The definition of “personal data” is to become much wider, so data protection obligations will be triggered by a much broader range of information. The GDPR will extend this, for example, to economic data and information that indicates cultural or social identity.
- Obtaining consent is now much harder. Pre-ticked consent boxes are no longer an option. Consent must be fully informed and freely given. It can also be withdrawn at any time.
- Data Protection Impact Assessments (DPIA). If your organisation is processing high-risk data, or large volumes of data, DPIAs are going to have to become part of your processes.
- Data Protection Officer (DPO). It may be necessary to appoint a DPO, an expert in data protection.
- Reporting obligations. If you experience a data breach you have just 72 hours to report it once the GDPR is in force.
The GDPR is not a regulation that only applies to big companies or those handling high-risk data. It is compliance that every business, large or small, needs to factor into every process, from the way that data is collected to how it is held. If your IT systems are unprepared for the arrival of the GDPR in May and you’re looking for a way to quickly get up to speed, we can help; contact a member of the Marathon team for more information.