If you do business in the UK or European markets, you will have heard about GDPR by now. In less than eight weeks from now the GDPR takes effect, and every business that handles personal data will have to comply with it.
The internet has transformed the way we communicate and handle everyday tasks. We communicate, pay bills, share documents and buy goods online, submitting our personal details as we go. Businesses collect more and more of this data every day, and The Economist has called data the world's "most valuable resource".
However, that data is also vulnerable to theft and misuse; consumers end up being spammed with emails and promotional offers they never signed up for. The recent revelations about personal data harvested from Facebook users and passed to Cambridge Analytica have increased public anxiety and put pressure on governments and businesses to do more to protect the data that businesses hold.
GDPR (the General Data Protection Regulation) is the EU's response to these problems: it aims to ensure that the personal data of EU citizens and residents is kept secure and is not misused.
What is GDPR?
GDPR is a new data protection regulation that applies from 25 May 2018. It is a lengthy piece of legislation with 11 chapters and 99 articles.
The GDPR aims to give citizens and residents back control of their personal data, and to simplify the regulatory environment for international business by unifying data protection rules across the EU.
The current legislation, the Data Protection Act 1998, predates most of today's online services and is no longer up to the task of safeguarding citizens' data. Under GDPR the scope of "personal data" is much wider than under the DPA: it is any information relating to an identified or identifiable person, such as a name, photo, telephone number, email address, social media account or online identifier (an IP address or a cookie ID, for example). Put simply, any PII (personally identifiable information) is protected under GDPR.
Furthermore, personal data is not defined by the person's role, and there is no distinction between data about private and public life. Customer contact data held by B2B companies is classified as personal data, because the point of contact is always a person. GDPR puts individuals in control and gives them the authority to decide what happens to their data.
The GDPR gives individuals eight fundamental rights over their data:
Right to have information corrected (rectification) – Individuals can have their data corrected or completed if it is inaccurate, incomplete or outdated.
Right to access – Individuals have the right to confirmation of whether their personal data is being processed and to a copy of that data. If they ask, you must provide the copy free of charge (a reasonable fee may be charged only for further copies), in an electronic format where the request was made electronically.
Right to be forgotten (erasure) – Individuals who are no longer customers, no longer use your services, or withdraw the consent on which processing was based can require you to delete their personal data, unless you have another legal obligation to keep it.
Right to data portability – Individuals can obtain the data they provided to you in a structured, commonly used, machine-readable format, and transfer it from one service provider to another without obstruction.
Right to be informed – Any organisation that collects personal data must tell individuals, at the time of collection, what data is collected and why. Where processing relies on consent, that consent must be freely given, specific, informed and unambiguous (an opt-in, not a pre-ticked box).
Right to restrict processing – Individuals can request that their data record remains in place but is not processed.
Right to be notified – If a breach of your systems compromises personal data, you must report it to the supervisory authority within 72 hours of first becoming aware of it, and, where the breach is likely to result in a high risk to individuals, inform those individuals without undue delay.
Right to object – Individuals can object to and stop the processing of their data by a company for direct marketing. The processing must stop as soon as the individual's request is received.
The impact of GDPR on Businesses
Businesses must be ready to comply with GDPR by 25 May 2018. The ICO (Information Commissioner's Office, the UK supervisory authority) will have wider powers to enter premises and audit how data is being held and whether the business is operating in compliance with GDPR.
Failure to comply with GDPR can lead to a fine of up to €20 million or 4% of the business's total worldwide annual turnover, whichever is greater.
The worrying factor is that a lot of businesses are still unaware of GDPR, or wrongly believe that it applies only to ICT businesses. This is not the case: it applies to any organisation that processes the personal data of EU residents. A survey conducted by Dell found that 97% of businesses did not fully understand GDPR and how it would affect their business.
If you would like a formal or informal discussion about GDPR compliance and how it needs to be addressed in your organisation, get in touch with us.