What is the General Data Protection Regulation (GDPR)?
It is a new piece of legislation which is due to come into effect on 25th May 2018. It aims to provide consistent data protection legislation across Europe regarding the collection, storage and security of personal data. GDPR applies to data processing carried out by organisations within the EU and organisations outside the EU that offer goods or services to individuals in the EU. The UK has announced that it will pass a new Data Protection Bill to bring the EU’s GDPR legislation into UK law.
Is GDPR relevant for small businesses?
If a company routinely processes personal data, then GDPR is likely to apply. The Information Commissioner’s Office (ICO) has stated that any business which is affected by the Data Protection Act (DPA) will also be affected by the GDPR. Organisations of any size should maintain control over the way they process data and be able to demonstrate that they are keeping that data secure and protected. The ICO has published a useful GDPR checklist: Preparing for the General Data Protection Regulation (GDPR) 12 Steps to Take Now, which gives a good overview of all the key areas it will cover.
What are the differences between GDPR and UK Data Protection law?
The most significant addition to GDPR is the ‘accountability’ principle. The GDPR requires organisations to show how they comply with its principles. For employers, there will be increased obligations to provide information to employees and job applicants about how their personal data is processed. This will require employers to know where personal data is stored, how and why it will be used and how it will be kept safe and secure.
2. Personal Data
The rules on gaining individual consent to collect, process or store personal data will be tightened: consent will need to be freely given, specific, informed, unambiguous, properly documented and easily withdrawn. Blanket consent clauses such as those found on contracts of employment will no longer be sufficient. However, organisations can still rely on other relevant lawful bases, legitimate interests or contractual necessity for dealing with personal data. Individuals will also have a new ‘right to be forgotten’ by the organisation, if they either withdraw their consent to the use of their personal data or if keeping the data is no longer required.
GDPR’s definition of ‘personal data’ (also known as personally identified information or PII) reflects changes in technology eg. personal identifiers such as IP addresses and other electronic tags will now come under the definition. If genetic or biometric data is processed to uniquely identify an individual, it will be classed as ‘sensitive personal data’.
The timeframe for processing a ‘subject access request’ (ie a written request from an individual to an organisation for the personal data that is held on them) will be shortened and must be carried out without delay and within one month (compared to 40 days under DPA). Organisations will no longer be able to apply an administrative charge, unless requests are shown to be unfounded or excessive.
The timeframes for reporting any data security breaches will be shortened. Wherever possible, breaches will need to be reported immediately to data protection authorities such as the ICO. Ideally, breaches should be reported to the ICO within 24 hours, but definitely within 72 hours.
Fines for non-compliance will be increased. The maximum fine will be 4% of global annual turnover or €20 million (£17 million) whichever is greater. However, this will only be for the most serious breaches and the ICO has stated that large fines will not be the norm.
What can small businesses do to prepare for GDPR?
If organisations already comply with DPA, they will fulfil many of their obligations under GDPR. Based on ICO guidance, the most practical approach will be to carry out a thorough data risk assessment. Follow these steps to help you prepare for GDPR:
- Check that your organisation has a defined process for capturing, processing, recording and storing personal data that is safe, secure, robust and appropriate.
- Ensure that a lawful basis for processing personal data has been established and remove blanket consent instructions from any existing documentation. Where possible, aim to anonymise personal information and delete information when it is no longer needed.
- It is only a requirement for larger organisations, employing over 250 people, to appoint a dedicated Data Protection Officer, but make sure that existing data processors and data controllers are clear about their roles and responsibilities under the new GDPR.
- Utilise FREE ICO resources eg their online questionnaire: Getting Ready for the GDPR.
- Provide adequate training and information to employees about data protection legislation and how your organisation is preparing for GDPR.
- If any automated profiling methods are used eg those used in recruitment to filter job applicants, check that individuals are provided with clear information about the use and purpose of profiling and are given an opportunity to request an alternative method.
- Review current information management systems to check security measures comply with GDPR and revise if necessary.
- Prepare a robust security framework that includes emergency plans, worst case scenarios and privacy breach risk assessments.
- When designing new projects ensure privacy impact assessments (also referred to as data protection impact assessments) are an integral part of the initial design process, so that any data processing risks can be identified and addressed at the design stage.
- Ensure that all data security arrangements are regularly reviewed and updated.
According to the ICO, GDPR should not be a significant burden to organisations that take their data responsibilities seriously. If you know what, why and how, you collect, process and store personal data and treat data as an asset to be carefully managed, you are less likely to encounter problems.
Subscribe to my quarterly e-newsletter for updates about GDPR and other changes and developments likely to affect small businesses and their people over the coming months.