Businesses have less than one year to prepare for the General Data Protection Regulation (GDPR), and yet there is still much confusion surrounding the subject.
Recent research revealed that just 5% of UK IT professionals believe their organisation is ready for GDPR. While 40% of British businesses have started to prepare, around 15% of UK and EU IT professionals say their organisation has no plans to make any changes at all.
If your business doesn’t comply with the new regulation by 25th May 2018, the potential fines are huge. Here’s what you need to know about GDPR.
What is GDPR?
GDPR is a European Union (EU) regulation designed to update current data protection laws. In the UK it will replace the Data Protection Act 1998, which predates the growth of the internet, cloud computing and other technologies that have significantly changed the way organisations collect and use data.
The new regulation also seeks to improve consumer rights, as individuals will have more control over what happens to their personal data. To ensure individuals’ identities are better protected, the definition of personal data will be expanded to include information such as IP addresses and other ‘online identifiers’.
Businesses will benefit too, as the same data protection laws will apply across the single market, making things easier for organisations who share data between the UK and other European countries. The EU estimates GDPR will save businesses around €2.3 billion a year.
Who does it apply to?
Come 25th May 2018, the regulation applies directly in all EU member states. Organisations outside the EU must also meet GDPR standards if they offer goods or services to, or monitor the behaviour of, individuals in the EU and process their personal data.
What about Brexit?
Some organisations aren’t preparing for GDPR because they believe the law won’t apply to them once the UK leaves the EU. Even if that were true, the Article 50 process takes two years from notification, so the UK will still be a member state when GDPR takes effect in May 2018; some also speculate that Brexit may not happen at all if a deal cannot be reached.
If the UK does leave, EU law will no longer apply directly, so the UK must establish its own regulations. The government is preparing for this and recently published plans to update the UK’s data protection laws so they align with GDPR, ensuring that organisations which transfer data between the UK and the EU remain compliant after Brexit.
How do businesses ensure they’re compliant?
When reviewing your business processes, there’s a lot to consider, but one of the most important aspects to check is that you’re collecting and processing data lawfully. This means at least one of the following lawful bases must apply:
• The individual has given consent
• Processing is necessary to perform a contract with the individual
• Processing is necessary to comply with a legal obligation
• Processing is necessary to protect someone’s vital interests (an interest ‘essential for the life of’ the data subject or another person)
• Processing is necessary for a task carried out in the public interest
• Processing is necessary for the controller’s legitimate interests (e.g. to prevent fraud), unless those interests are overridden by the individual’s rights
For many businesses, consent will be key, and it can no longer be obtained through pre-ticked boxes, silence or other forms of automatic opt-in: consent must be a clear, affirmative action. You’ll also need to keep a record of what individuals consented to, and how and when they did so. Individuals have the right to withdraw consent at any time, and withdrawing it must be as easy as giving it; they can also ask for their data to be deleted.
Data breaches are taken more seriously under GDPR, too. If your business suffers a personal data breach that is likely to risk people’s rights and freedoms, you must notify your data protection authority within 72 hours of becoming aware of it; where the risk to individuals is high, you must also tell the people affected without undue delay. Gone will be the days of companies hiding breaches for months or even years. Failing to meet these obligations could result in fines of up to €10 million or 2% of the business’s annual worldwide turnover, whichever is higher.
Depending on what your business does, you may also need to appoint a data protection officer: GDPR requires one for public authorities, and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data such as health records. There’s less than a year to prepare for the changes GDPR will bring, so it’s important to begin as soon as possible. The Direct Marketing Association (DMA) has put together a fantastic resource to help ensure your business meets GDPR standards.
What happens if your business is not compliant?
Businesses that do not follow the basic principles of GDPR could be fined as much as €20 million or 4% of their annual worldwide turnover, whichever is higher. That’s a serious penalty with the potential to cripple any business.
To put this into perspective, the maximum fine currently available for serious breaches of the Data Protection Act is £500,000. Even once the UK has left the EU, the government’s proposed data protection law will carry fines equal to those under GDPR (£17 million or 4% of annual worldwide turnover, whichever is higher).
How Feefo can help
GDPR compliance is an issue that concerns many of our clients, which is why we’ll be keeping you up to date with any news or developments related to the new regulation.
We’re pleased that consumers will have more power and control over their personal data thanks to GDPR, and that the change will make things easier for businesses across Europe (while hopefully saving them money). Some organisations may have to alter their processes, but overall, GDPR is a good, and necessary, change.
Have any questions about GDPR? Get in touch with us today.