In the whirlwind that is today’s politics, trying to keep your business up to date with changes to legislation and data protection can feel like searching for a needle in a haystack – and an incredibly dull way to spend valuable working hours! However, while the UK currently has one-leg-in and one-leg-out of the EU, it remains subject to EU legislation – and legislation regarding data protection is about to face a major overhaul.
Almost all businesses gather personal details – of staff, customers and account holders – and store, move and access these online and on database systems. The way businesses collect and manage this data will soon no longer be regulated by the Data Protection Act 1998 (DPA) but by a stricter, broader and more technologically-minded regulation that will affect all UK businesses: the EU-born General Data Protection Regulation (GDPR), coming into force in the UK on May 25th 2018.
Naturally, if and when the UK withdraws from the EU, the jurisdiction of this Regulation over UK residents’ data could be affected. However the Regulation will still apply to the data of EU customers and may also be adopted into UK law – so UK businesses large and small (ourselves included!) will have to make some changes to the way we handle Data and Privacy. Being prepared for this change is an invaluable way to ensure that your business stays legal over the next 9 months and beyond, as non-compliance comes with high penalties.
We’ve been doing some digging, and have condensed some of the most up-to-date information available online into the below key focus points to help your business to start prepping for the GDPR. We’ve also thrown in handy hyperlinks to some great resources for further information.
- The more you know… Ensure that everyone in your business who may need to know about the GDPR is in the loop. This’ll give key decision-makers enough time to start working towards compliance, and to set aside the necessary resources.
- Check your tech! Many companies have expressed concern that their current technology is inadequate for GDPR-compliant data management. Your data cloud provider will also need to be on board with compliance.
- Consider conducting an information audit. This will help you start to create an action plan to make sure all ground is covered. What personal data does your business hold? Where does your data come from? Who do you share it with?
- What is ‘personal’, anyway?! You can be relatively certain that any data previously covered under the DPA will also be legislated for by the GDPR. However, the GDPR’s definition of ‘data’ is far broader than that of the DPA, and covers both direct and indirect online identifiers such as IP addresses and some pseudonymous Know what data you collect, and how this might be affected by the new Regulation.
- Become a data minimalist. What data does your business need to collect in order to achieve its goals? Check that you’re not asking customers or staff for any information that’s excessive to your business requirements, or hanging onto old data that should have been deleted. Privacy ‘by design and default’ is the main thrust of the GDPR.
Procedures, Core Processes and Consent
- Power to the individual: individual rights and the ‘fair and lawful’ aspect of data protection for individuals are huge focuses of the GDPR. For example, if your business conducts customer profiling or data processing, double-check that this is appropriate for the situation and justified by law, and/or that you are receiving consent. Document your justification and include it in your privacy notices. This also gives customers greater control over their data, so expect an increase in data access and deletion requests.
- It’s all about consent: the GDPR puts major emphasis on active, informed consent. Are there areas where your business is reliant on passive data consent? Boxes (both literal and metaphorical!) should be ticked by the customer, not pre-ticked by robots.
- Fickle is fine. The individual must be able to withdraw data consent at any time, without detriment – so keeping records of proof of consent, and changes to consent status is vital. Again, privacy notices will also likely need updating to keep up to speed with GDPR consent requirements.
- Know your strategy. New measures will require that your business is able to detect and report any personal data breaches within 72 hours, and that it can demonstrate its security and privacy procedures at the drop of a hat. Your business should already have a framework to deal with such issues under the DPA; now make sure this framework complies with the GDPR.
- New roles? While appointing a member of staff to manage data protection is always a good idea, the GDPR states that companies who process above a certain amount of data annually, or fulfil certain roles, will be required by law to appoint a Data Protection Officer. The Officer will be responsible for keeping personal data secure.
- Beyond borders: if your business transfers customers’ data internationally, you must gain explicit consent from customers before transferring their personal information to countries outside the EU. Consent for this transfer can also be withdrawn at any time. Will your data sharing technology allow you to grant and refuse access as required?
- Multinationals: if your business operates in more than one EU state, check the ICO website for guidance as you’ll need to determine your leading data protection supervisory authority.
It may seem like a headache now, but by using our above planning tips, and by consulting further resources, your business can get on the right track to preparing for the arrival of the GDPR on May 25th 2018.
We recommend visiting the Information Commissioner’s Office website for further information on https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/, and checking out these pieces of further guidance. The full Regulation is available here.
By Kay Robinson
The information contained in this piece is for general guidance on matters of interest only. The application and impact of laws can vary widely based on the specific facts involved. Given the changing nature of laws, rules and regulations, and the inherent hazards of electronic communication, there may be delays, omissions or inaccuracies in information contained. Accordingly, the information is provided with the understanding that the authors and publishers are not herein engaged in rendering legal, or other professional advice and services. As such, it should not be used as a substitute for consultation with professional advisers.
While we have made every attempt to ensure that the information contained in this site has been obtained from reliable sources, Golden Frog is not responsible for any errors or omissions, or for the results obtained from the use of this information. All information is provided “as is”, with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability and fitness for a particular purpose. In no event will Golden Frog, its related partnerships or corporations, or the partners, agents or employees thereof be liable to you or anyone else for any decision made or action taken in reliance on the information in this communication or for any consequential, special or similar damages, even if advised of the possibility of such damages.
Certain links connect to other websites maintained by third parties over whom Golden Frog has no control. We make no representations as to the accuracy or any other aspect of information contained in other websites.