It’s certainly the question of the moment, yet everyone’s head still seems to be spinning! But don’t worry, that’s what we’re here for. We’ve done the hard graft to get to grips with the new legislation and condensed it to save you a job.
We’ve highlighted the main elements here, but are always on hand to go a bit further into the details, should you need it…
Adopted back in 2016, GDPR and the effects it will have on data management across the UK come into force on 25th May 2018. GDPR protects the personal data of individuals in the EU, wherever the organisation processing it is based.
What is GDPR?
In short, it’s an update to data protection law. The General Data Protection Regulation was adopted by the European Parliament and the Council, is enforced in the UK by the Information Commissioner’s Office (ICO), and covers both online and offline data. This new law is set to bring data protection into the 21st century and cover users in the digital age. In the UK it replaces the regime of the Data Protection Act 1998.
Consequences for not complying with GDPR
The new legislation covers much more than the 1998 law and comes with much tougher punishments for failing to meet the new regulations.
Covering both the handling of data and the storage of that data, the new regulations could see businesses face fines of up to €20 million or 4% of global annual turnover (whichever is higher). The maximum penalty does not change depending on the size of your business.
The effects of GDPR
Every business within the UK that has not already updated its data management systems will have to do so by May 2018. Every business that stores or uses personal data will be affected, meaning that from sales to finance, your storage and management of data will need to be amended.
The legislation will:
- Make it simpler for people to withdraw their consent and have their information removed
- Give people the right to be forgotten
- Require firms to obtain clear, affirmative consent when they collect data (a confirmed, double opt-in process is one way to evidence this)
- Widen the definition of personal data to include online identifiers such as IP addresses and cookie IDs
- Allow people to see exactly what data a company holds on them
The main aim of GDPR is to make sure the users’ data is safe and that companies are handling that data in the right way.
The update in data protection is set to have a huge impact on UK business.
According to itgovernance.co.uk, the fact that the UK is currently in Brexit talks does not affect the implementation of GDPR, which will come into force regardless later this year.
What should you do to comply with the new regulations?
If you collect or store any information in the form of personal data, you need to look at what kinds of data you’re collecting and whether you need it all. You will also need to look at what you do with this data (e.g. marketing using it), whether you are the controller of that data or simply process it on someone else’s behalf, and the data policies you currently have in place for each.
Part of the legislation requires certain organisations to appoint a Data Protection Officer (DPO). The organisations that are required to do so are those where:
- The processing of data is carried out by a public authority
- The core activities of the business require regular and systematic monitoring of data subjects on a large scale
- The core activities of the business involve large-scale processing of special categories of personal data, or of data relating to criminal convictions and offences
From 25th May 2018, data collection should involve a clear opt-in from users confirming that they are happy for your company to use their data, and that opt-in will need to be recorded. Double opt-in (where the user confirms again, typically by clicking a link in an email) is not a strict requirement but is advised for added assurance. A single opt-in should be enough, as long as you can produce evidence of it: who consented, to what, when and how. Every business should be able to produce that evidence at any time. Whatever level of opt-in you obtain, you must only contact people for the purposes they actually opted in to.
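As an added illustration of the process described above (this is example code, not the agency’s own system), the following sketch implements a double opt-in: the sign-up form creates a pending record and issues a confirmation token, the token is validated when the user clicks the emailed link, and every consent event is kept as evidence. The token format, the `ConsentLedger` class and the sample address alice@example.com are assumptions for the example; the HMAC key would come from a secrets store in a real deployment.

```python
"""Double opt-in consent flow with an evidence ledger (illustrative example, not the agency's code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    email: str
    purposes: List[str]
    status: str      # "pending", "confirmed" or "withdrawn"
    timestamp: int   # Unix time of the event
    source: str      # e.g. the form URL or campaign the consent came from


class ConsentLedger:
    """Append-only record of consent events plus single-use confirmation tokens."""

    def __init__(self, key: bytes, ttl_seconds: int = 48 * 3600) -> None:
        self.key = key                  # assumption: in production, loaded from a secrets store
        self.ttl = ttl_seconds          # how long a confirmation link stays valid
        self.pending: Dict[str, ConsentRecord] = {}   # nonce -> record awaiting confirmation
        self.events: List[ConsentRecord] = []         # the evidence trail, never rewritten

    def _mac(self, payload: str) -> str:
        return hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()

    def request_consent(self, email: str, purposes: List[str], source: str,
                        now: Optional[int] = None) -> str:
        """Step 1 (single opt-in): record the form submission and issue a signed token."""
        now = int(time.time()) if now is None else now
        nonce = secrets.token_urlsafe(16)
        purposes = sorted(set(purposes))
        record = ConsentRecord(email, purposes, "pending", now, source)
        self.pending[nonce] = record
        self.events.append(record)
        payload = f"{email}|{','.join(purposes)}|{now}|{nonce}"
        return f"{payload}|{self._mac(payload)}"   # would be embedded in the confirmation email link

    def confirm(self, token: str, now: Optional[int] = None) -> bool:
        """Step 2 (double opt-in): the user clicks the link; verify, expire and single-use the token."""
        now = int(time.time()) if now is None else now
        parts = token.rsplit("|", 1)
        if len(parts) != 2:
            return False
        payload, mac = parts
        if not hmac.compare_digest(mac, self._mac(payload)):
            return False                      # tampered purposes or forged token
        email, purposes_csv, issued, nonce = payload.split("|")
        if now - int(issued) > self.ttl:
            return False                      # stale link
        record = self.pending.pop(nonce, None)
        if record is None:
            return False                      # already used (replay) or never issued
        self.events.append(ConsentRecord(email, purposes_csv.split(","), "confirmed", now, record.source))
        return True

    def withdraw(self, email: str, purposes: List[str], now: Optional[int] = None) -> None:
        """Withdrawal is recorded as an event too, so the evidence trail stays complete."""
        now = int(time.time()) if now is None else now
        self.events.append(ConsentRecord(email, sorted(set(purposes)), "withdrawn", now, "withdrawal-request"))

    def may_contact(self, email: str, purpose: str) -> bool:
        """Only a confirmed consent for this exact purpose, not later withdrawn, permits contact."""
        allowed = False
        for event in self.events:
            if event.email != email or purpose not in event.purposes:
                continue
            if event.status == "confirmed":
                allowed = True
            elif event.status == "withdrawn":
                allowed = False
        return allowed

    def evidence(self, email: str) -> List[ConsentRecord]:
        """Everything you could show a regulator or a data subject about this person's consent."""
        return [event for event in self.events if event.email == email]


def demo() -> Dict[str, object]:
    """Walk one constructed sign-up through the flow and return what each check decided."""
    ledger = ConsentLedger(key=secrets.token_bytes(32))
    t0 = 1_600_000_000                                   # constructed timestamp
    token = ledger.request_consent("alice@example.com", ["newsletter"], "signup-form", now=t0)
    results: Dict[str, object] = {}
    results["before_confirm"] = ledger.may_contact("alice@example.com", "newsletter")
    results["tampered"] = ledger.confirm(token.replace("newsletter", "newsletter,profiling"), now=t0 + 60)
    results["confirmed"] = ledger.confirm(token, now=t0 + 60)
    results["replay"] = ledger.confirm(token, now=t0 + 120)
    results["newsletter_ok"] = ledger.may_contact("alice@example.com", "newsletter")
    results["profiling_ok"] = ledger.may_contact("alice@example.com", "profiling")
    ledger.withdraw("alice@example.com", ["newsletter"], now=t0 + 3600)
    results["after_withdraw"] = ledger.may_contact("alice@example.com", "newsletter")
    results["evidence_count"] = len(ledger.evidence("alice@example.com"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The points worth noting are that a pending opt-in never grants contact on its own, that consent is checked per purpose rather than as a blanket yes, and that withdrawals are appended rather than deleting history, so the evidence of what was agreed and when survives.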
Data that you already hold may need to be reviewed, and you may need to gather consent again from people who have been in your database for a while if the consent you originally obtained would not meet the new standard.
Whilst it may sound like a huge change to your day-to-day business, in reality your data management system should only need to be tweaked in order to comply. A small amount of training may be needed to keep your staff up to date too.