Does your organisation use or handle the data of European citizens? If so, the General Data Protection Regulation (GDPR) applies to you, meaning that your organisation has a new and updated set of rules to follow.
The GDPR is big news for business, prompting lots of commentary and more than a little scaremongering. So this guide is designed to help you cut through the noise and understand the new law; to start thinking about the changes you need to make, and to ensure that complying with the GDPR is as painless as possible.
What is the GDPR?
Coming into force right across the EU on 25 May 2018, the GDPR replaces the old legal framework for data protection, including the UK’s 1998 Data Protection Act.
Consisting of 99 articles across 11 chapters, it’s a juggernaut of a regulation. But at its core, the GDPR does two things: it sets out the rights of EU citizens concerning their personal data and explains what’s required of organisations who control and process this data.
What are the big changes?
Some existing rights have been strengthened, while new concepts have been brought centre stage. Here are some of the most important changes.
New and enhanced rights for individuals
GDPR makes it easier for data subjects to access the data you hold about them. You’ll no longer be able to charge admin fees for most access requests, for instance. It sets out the circumstances under which data must be erased (the “right to be forgotten”). It also makes it easier for data subjects to have their data transferred from one service provider to another (“data portability”).
With data subjects, you need to be upfront, transparent and use clear and plain language. This is especially important for obtaining consent: no more vague, catch-all tick-boxes, for instance!
Privacy by default and design
These two principles are an important part of GDPR and following them will guide you to compliance. If it isn’t necessary to harvest, store or process personal data to achieve a particular goal, then don’t do it. Always try to apply the most privacy-friendly settings possible and don’t treat privacy as a ‘bolt-on’ or an afterthought. Instead, for every activity that involves the processing of personal data, make sure that the ability to protect the privacy rights of individuals is prioritised.
Mandatory breach reporting
If personal data is stolen, lost or compromised and this affects the individual concerned, breaches must be reported to the regulator without undue delay and, where feasible, within 72 hours. In the UK, the regulator is the Information Commissioner’s Office (ICO). In most cases, you’ll also need to inform the individuals affected.
How will GDPR affect my organisation?
First off, you’ll need to carry out a data audit or inventory. Establish what “personal data” you process, where it came from, what it’s for, what legal basis you have to process it, how long you keep it, who you share it with and what you do with it when you no longer need it. This should guide you on what changes you need to make right now. For example, you might need to reword your consents and update your data security tools.
Compliance is an ongoing duty rather than a one-off exercise. So from launching a new customer app through to recruitment outsourcing, you’ll need set procedures and the right tools for spotting, evaluating and minimising data privacy risks.
A central hub with a privacy plan for keeping on top of all your data protection activities can be ideal for this. Our solution, The Privacy Compliance Hub does just that, promoting a collaborative effort from all employees.
Why should my organisation care?
Failure to comply can lead to ICO reprimands and financial penalties. And in fact, the upper fine limit for the most serious violations has been increased from £500,000 to €20 million or 4% of turnover.
That said, GDPR isn’t designed to trip you up. Get on top of compliance, give people a reason to put their trust in you and establish your credentials as a safe pair of hands. As customers become increasingly data security savvy, compliance makes perfect business sense.
From your initial data audit and beyond, The Privacy Compliance Hub offers a secure, quick and efficient way of managing your GDPR requirements. Discover more today and take full control of your GDPR compliance strategy.