GDPR: What are the changes and how to keep your business up to date?
Friday 25th May 2018 is a date that you should have in your diaries. It’s United Kingdom (UK) release date of the new Star Wars film, 41 years to the day after the first one was released – what could be more exciting!
More importantly, it’s when the new General Data Protection Regulation (GDPR) comes into ‘force’ so we all need to be ready.
Why and how is the law changing?
This new legislation replaces the Data Protection Act 1998. At 20 years old, the old laws are well past their best. Technology has evolved at such a fast pace that these new regulations are necessary to align the tech with the law.
The new regulations are not a complete change, rather they are an evolution of the existing laws. Their main concern is how personal data is collected, processed, stored and shared. Personal data can be anything from name, address, contact info, religious beliefs, IP address and even information on economic status, cultural background and mental health history.
But what does it mean and how can you ensure that your business is compliant?
According to the Information Commissioner’s Office (ICO), there are 12 steps that businesses need to take to prepare for the implementation of the GDPR into UK law:
- Awareness: Ensure that decision makers and key people in your organisation are aware that the law is changing to the GDPR;
- Information you hold: Document what personal data you hold, where it came from and who you share with it;
- Communicating privacy information: Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation;
- Individuals’ rights: Check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format;
- Subject access requests: Update your procedures and plan how you will handle requests within the new timescales and provide any additional information;
- Lawful basis for processing personal data: Identify the lawful basis for processing activity in the GDPR, document it and update your privacy notice to explain it;
- Consent: Review how you seek, record and manage consent and whether you need to make any changes;
- Children: Assess whether you need to put systems in place to verify individuals’ ages and obtain parental or guardian consent for any data processing activity;
- Data breaches: Ensure you have the right procedures in place to detect, report and investigate a personal dat abreach;
- Data Protection by Design and Data Protection Impact Assessments: Familiarise yourself with the ICO’s code of practice on Privacy Impact Assessments and the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation;
- Data Protection Officers: Designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements;
- International: If your organisation operates in more than one EU member state, determine your lead data protection supervisory authority.
For more resources for preparing your organisation for the upcoming changes to the data protection law, check out the ICO’s Guide to the GDPR.
Data Subjects have rights too!
Subjects have to give their consent for you to collect their personal data. Consent must be clear and given in an intelligible and easily accessible form. The main thing is not to make the terms and conditions for obtaining this consent too complicated. Terms and conditions need to be prominent, clear and separate from standard terms. It’s important that the language used is plain (no legalese!) and the subject must be aware that they can withdraw their consent at any time. It has to be the subject’s genuine choice, not a condition. They are opting in but can easily withdraw if they wish.
What happens if you don’t comply with the changes?
Non-compliance comes with a hefty fine which could be up to 4% of a company’s annual global turnover. You will also be breaking the law which isn’t the best idea for the reputation of your company. Customer loyalty will certainly be adversely affected if you are not compliant and the cat is out of the bag.
Hang on, we have voted to leave the EU so what does it matter?
Ah, good question! Well, despite Brexit, for now we are still very much part of the European Union (EU) and will be for at least the next year or so. As such, non-compliance is therefore not an option. Also, if you hold or process and personal data of any citizen of the EU then you are compelled to comply with GDPR, even if your business is based outside of the EU. In addition, the UK government has given strong indication that they will follow suit with the same regulations even after the UK leaves, so there is no point ignoring it!
Are you ready?
So are you ready for the biggest change in data privacy regulation in 20 years? You need to act now! Ensure your terms and conditions and privacy policies are up to date and adequate for the forthcoming enforcement. Zegal can help you get everything in place, so sign up for your free trial.
Good luck and may the GDPR force be with you!