Preparing your business for the new UK Data Protection law - implementing the General Data Protection Regulation (GDPR) in 2018
The GDPR applies across the EU, including the UK, from 25 May 2018, and aims to bring data protection law up to the demands of the digital world we now live in. Here we explain what it means in practice, and what needs doing to ensure compliance.
Let’s start at the beginning with ‘what does GDPR mean’. The two central objectives of GDPR are: 1) give citizens and residents back control of their personal data and 2) simplify the regulatory environment for international business by unifying the regulation within the EU.
Overall the legislation has been introduced to encourage companies across the EU to think seriously about data protection. But beware if you think you can ignore it; GDPR also comes with some fairly harsh penalties for those that do not comply with new regulations. What’s more, individuals can sue you for compensation to recover both material damage and non-material damage, like distress.
Another point to remember is that although the UK has voted to leave the EU, UK businesses will still have to comply with the new regulation if they process personal data about individuals in the EU (the GDPR protects data subjects who are in the EU, not only EU citizens), or if they offer goods or services to, or monitor the behaviour of, people in the EU. What’s more, digital minister Matt Hancock has confirmed that the UK will replace the Data Protection Act 1998 (DPA) with legislation that mirrors the GDPR post-Brexit.
5 key principles of the GDPR
Article 5 of the GDPR sets out the principles your business will need to demonstrate compliance with; grouped under five headings they are:
- Lawfulness, fairness & transparency - you will need to be able to show a lawful basis for storing and using a person's data. Consent is one of six lawful bases (the others include contract, legal obligation and legitimate interests), so consent is not always required, but whichever basis you rely on must be identified and documented, and people must be told how their data is used.
- Purpose limitation - data can only be collected for specific, explicit and legitimate purposes. Further processing that is incompatible with those purposes is not allowed; archiving in the public interest, and scientific, historical or statistical research, are treated as compatible.
- Data minimisation, accuracy and storage limitation - the use of data is limited to only what is necessary, it has to be kept accurate and up to date, and it may be stored only for as long as is necessary.
- Integrity and confidentiality - there is a lot of emphasis in the GDPR on the security of data, both in storage and in processing. Failure to secure data appropriately can lead to hefty fines.
- Accountability - the controller (your business, not an individual employee) must be able to demonstrate compliance with the principles above, through records, policies and documented decisions. There is now greater accountability for Data Controllers than under the DPA.
What businesses does it apply to?
Just like the Data Protection Act (DPA), the GDPR does not apply to people who are processing personal data in the course of their own exclusively personal or household activity. So just because you keep your Christmas card list in Excel, or you have CCTV cameras on your house to deter intruders, does not mean that you fall under the scope of the GDPR. But if you step outside of that definition – say you’re a sole trader working from home and you begin undertaking commercial activities – you are highly likely to come under the scope of the Regulation. In fact the GDPR contains a definition of an “enterprise” in Article 4(18) as any natural or legal person engaged in an economic activity, irrespective of its legal form.
- Some organisations must appoint a Data Protection Officer (DPO). Whether you need one depends on what you process, not on headcount (see below). The DPO is responsible for advising on, and monitoring, the way the business collects and secures personal data.
- GDPR applies to small businesses under 250 employees too. The only concession the articles allow for organisations with fewer than 250 employees is in Article 30 – Records of processing activities. Most organisations will have to maintain a record of processing activities that contains the name and contact details of the controller, the purposes of the processing, a description of the categories of data subjects and of personal data being processed, the envisaged retention periods, and some other requirements. Article 30(5) states that this obligation does not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data. Therefore a company that processes personal data on a regular basis, or processes special category content such as racial, political or genetic material (and the others listed in Article 9), will not be excluded from this requirement even if it is quite small.
- Personal data breaches must be reported to the supervisory authority, which in the UK is the Information Commissioner’s Office (ICO), without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected people must also be told without undue delay. You should therefore be able to detect a breach, assess it and produce a report within that window, and keep a log of all breaches whether or not they are reported.
- Individuals have more rights dictating how businesses use their personal data. In particular, they have the ‘right to be forgotten’ (the right to erasure), for example if they withdraw the consent the processing relied on, or if the data is no longer necessary for the purpose it was collected for.
- Failure to comply with the GDPR will lead to heavier punishments than ever before. Under current rules the UK’s Information Commissioner’s Office (ICO) can fine up to £500,000 for malpractice, but under the GDPR the maximum fine is €20 million or 4 per cent of worldwide annual turnover (whichever is higher).
If you’re unsure whether the GDPR applies to you, consider how regularly you deal with personal data – and that includes present and past employees and suppliers, not just customer data. If it’s a routine occurrence, then you should abide by the GDPR. The UK regulator has also stated that any business affected by the Data Protection Act (DPA) will also fall under the GDPR. A key difference between the DPA and the GDPR is that the latter is much broader in what it defines as personal data.
What data does it apply to?
GDPR focuses on the personal data organisations hold on individuals - which for GDPR means "any information relating to a living, identified or identifiable natural person".
This could be a person's name, the owner of a business, any identifier used to single out an individual (such as an ID number, an IP address or a cookie identifier), an address, a phone number, and so on.
The GDPR also defines a sub-category of this data, "special category data" (Article 9), which requires extra care. This includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, physical or mental health, and sex life or sexual orientation. Data about criminal convictions and offences is treated separately (Article 10) but is subject to similar restrictions.
You will need to know what data you hold in the business and how you process it. With the GDPR you will need to demonstrate that you are processing data legally, and knowing what data you hold and access across the business will be essential to help you comply with the new law.
What do I need to do or look at now?
To prepare for the GDPR, organisations must conduct a systematic audit of their current and future processing of personal data and begin implementing solutions to protect it in 2017. With Data Protection Impact Assessments (DPIAs, Article 35) mandated by the GDPR for high-risk processing, organisations that qualify must begin those assessments in 2017 to meet the deadline in 2018.
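The audit above starts with finding out where personal data actually lives. The following is an added example, not code from the original article: a small discovery scan that walks a set of text records, counts the kinds of identifiers each one contains (email, UK phone number, National Insurance number, postcode) and flags keywords that suggest Article 9 special-category data, so each source can be triaged for the Article 30 record and for whether a DPIA is needed. The regular expressions, the keyword lists and the sample documents are all assumptions constructed for illustration; a real scan would read your file shares, mailboxes and databases and would need patterns tuned to your own data.

```python
"""Minimal personal-data discovery scan (added illustration, not from the article).

Classifies each text record by the identifiers it contains and flags
Article 9 special-category keywords. Good enough to triage a file share
for the Article 30 record; never treat a clean result as proof of absence.
"""
import re
from dataclasses import dataclass, field

# Identifier patterns (assumed for illustration; tune to your own data).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    # UK numbers such as 07700 900123, 0161 496 0123, +44 7700 900123
    "uk_phone": re.compile(
        r"(?<!\d)(?:\+44\s?\d{2,4}|\(?0\d{2,4}\)?)[\s-]?\d{3,4}[\s-]?\d{3,4}(?!\d)"
    ),
    # UK National Insurance number: two letters, six digits, suffix A-D.
    "ni_number": re.compile(
        r"\b[A-CEGHJ-PR-TW-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b", re.I
    ),
    "uk_postcode": re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b", re.I),
}

# Article 9 special categories, each keyed by a few trigger terms (assumed list).
SPECIAL_CATEGORY_TERMS = {
    "health": ("diagnosis", "prescription", "medical", "disability"),
    "religion": ("religion", "religious", "christian", "muslim", "jewish", "hindu"),
    "ethnicity": ("ethnicity", "ethnic origin", "race"),
    "political": ("political opinion", "party member", "voted for"),
    "trade_union": ("trade union", "union member"),
    "biometric": ("fingerprint", "facial recognition"),
}


@dataclass
class Finding:
    source: str
    identifiers: dict = field(default_factory=dict)      # kind -> count
    special_categories: set = field(default_factory=set)

    @property
    def risk(self) -> str:
        # Special-category data drives Article 30(5), Article 35 and DPO questions.
        if self.special_categories:
            return "high"
        if self.identifiers:
            return "personal"
        return "none"


def scan_text(source: str, text: str) -> Finding:
    """Count identifier matches and flag special-category terms in one record."""
    finding = Finding(source=source)
    for kind, pattern in PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            finding.identifiers[kind] = count
    lowered = text.lower()
    for category, terms in SPECIAL_CATEGORY_TERMS.items():
        if any(term in lowered for term in terms):
            finding.special_categories.add(category)
    return finding


def scan_corpus(docs: dict) -> list:
    """Scan a mapping of source name -> text; returns one Finding per source."""
    return [scan_text(name, body) for name, body in docs.items()]


def inventory(findings: list) -> dict:
    """Group sources by risk level, the shape an Article 30 record starts from."""
    grouped = {"high": [], "personal": [], "none": []}
    for f in findings:
        grouped[f.risk].append(f.source)
    return grouped


# Constructed sample records standing in for files on a share (not real data).
SAMPLE_DOCS = {
    "hr/absence.csv": "Jane Doe, NI AB 12 34 56 C, 0161 496 0123, diagnosis: back injury, off 3 weeks",
    "sales/leads.txt": "Contact: bob@example.co.uk, tel 07700 900123, SW1A 1AA",
    "finance/q3-summary.txt": "Total revenue Q3: 1,204,000. Headcount 47.",
}

if __name__ == "__main__":
    results = scan_corpus(SAMPLE_DOCS)
    for f in results:
        print(f"{f.source:24} risk={f.risk:8} ids={f.identifiers} special={sorted(f.special_categories)}")
    print(inventory(results))
```

Each "high" source is a candidate for the Article 30 record regardless of company size and for a DPIA; each "personal" source still needs a documented lawful basis and a retention period. Keep the pattern list short and reviewable rather than exhaustive: false positives are cheap to triage by hand, while a pattern that silently misses a whole data type leaves a gap in the inventory.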
The following are areas small businesses should look at to ensure they meet the requirements:
Right to be forgotten
A big area for investment (of time and possibly money) is understanding what data you have and where it is. The GDPR gives an individual the right to see, have corrected, or have erased the personal data you hold on them (erasure applies where one of the Article 17 grounds is met, for example the data is no longer needed or consent has been withdrawn). This extends to copies in backups and archives, the whole process from request to completion has to be logged so you can prove it happened, and it must be completed within one month (extendable by two further months for complex requests). Failing to honour these rights falls into the higher fining tier, up to €20 million or 4 per cent of turnover.
You need to be able to protect against an ‘insider threat’ (your own employees), which is where a large share of data breaches originate, whether accidental or deliberate. A failure to protect the data here is still a breach under the GDPR. Controls include clearly communicated policies and checks that data is only where it should be, to guard against accidental breaches, and measures against malicious ones, such as an employee leaving the company with data, or corporate or state espionage. Steps are also required to prevent attacks such as phishing, and compromise through ‘bring your own device’.
Have you any contracts with partners or other third parties where they process or control any personal data? Under the GDPR processors have direct obligations and can be held liable alongside the controller, and Article 28 sets out terms that must be in the controller–processor contract, so existing contracts will need to be reviewed and updated.
Do I need a Data Protection Officer (DPO)?
It depends. The designation of a DPO is not mandated according to company size, but rather by the type of data processing. If the organisation is a public authority or body, a DPO is mandatory.
For other organisations, Article 37 makes a DPO mandatory where the core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of processing special category data (or data on criminal convictions) on a large scale. Organisations outside those cases may still appoint one voluntarily.
What is considered large scale is down to interpretation and legal advice should be sought. As a general rule, if the only personal data being processed is the payroll/HR data then a DPO would not be required. If, however, you are regularly processing personal data from sales CRM, mailshots and other activities then a judgement will need to be made.