In our October newsletter we published an article stating that 66% of 200 small and medium-sized UK companies have no knowledge of the GDPR. It got us thinking: how could we explain the new regulation to someone who has no prior knowledge of it? For example, how could I explain the GDPR to my Mum?
“So, Mum – Coming fully into force in May 2018, the General Data Protection Regulation is designed to increase data security. As a result of high-profile data breaches, many individuals have called for tighter controls and enhanced data protection. Due to this, companies will have to adhere to a new set of rules regarding data processing. Affecting data collection, handling and disposal, the GDPR will have a widespread impact and companies will be required to comply as soon as the regulations come into force.”
Who will be affected?
The aim of the GDPR is to protect the data of EU citizens. Any businesses which handle the data of EU citizens will, therefore, be affected by the changes. If a company collates customer details or client addresses, for example, this will be considered data and the regulations will apply.
Despite this, research published by DocsCorp suggests that over two thirds of SMEs aren’t aware of the GDPR and have no plans to change in-house processes in order to comply with the new requirements. As a result, it appears that numerous businesses could face sanctions when the new regulations are introduced.
With companies able to use the internet to access a global marketplace, many businesses deal with customers and clients from all over Europe. It’s important to remember, however, that UK residents are EU citizens too. A company which operates solely in the UK won’t, therefore, escape the GDPR.
Furthermore, companies which act as ‘controllers’ and collect data will not escape responsibility by using the services of a ‘processor’. If a retailer collects customer data, for example, and then employs another entity to process the data, the retailer can still be held responsible for subsequent breaches.
As many firms use external divisions to handle their data processing, it’s vital that they ensure their partners are operating within the GDPR and are fully aware of the issues of non-compliance.
What changes will be made?
Although the GDPR is far-reaching, many of the changes affect an individual’s rights and the issue of consent. When data is collected, for example, the individual must give consent for it to be taken. In addition to this, the individual must consent for each type of potential use the data may have.
If a retailer takes a customer’s contact details in order to keep them updated regarding their order, for example, they cannot simply add this information to their marketing list as well. The customer must give consent for their data to be used in this way, even if they’ve already provided their information for another purpose.
Similarly, individuals have the ‘right to access’ and are able to request information regarding whether their data is processed and, if so, where and why this is taking place. The ‘right to be forgotten’ also enables the data subject, or individual, to request that their data is erased and processing ceased.
Whilst individuals can expressly request that ‘data erasure’ occurs, controllers should also voluntarily erase data once it is no longer relevant to the original purpose of processing. This prevents data subjects from having their information processed for years on end, particularly when the continued processing has little or nothing to do with the original purpose of their disclosure.
How can businesses respond?
As the GDPR is one of the most significant changes to data protection law ever made, companies may need help and assistance in order to comply with it. Although companies of all sizes are affected, many SMEs are still unaware of the new regulations and the impact they will have.
Similarly, companies may have overlooked the requirement of ‘privacy by design’ and the effect this will have on future in-house activities. With companies required to address the issue of data protection when designing and introducing new systems, the GDPR will have an effect on all business processes.
What is the importance of compliance?
Failure to comply with the General Data Protection Regulation could have catastrophic consequences for businesses. Whilst the ICO is able to issue fines of up to £500,000 under the Data Protection Act, the sanctions for non-compliance with the GDPR are far greater.
With fines of up to €20 million or 4% of the company’s annual global turnover (whichever is higher), businesses face a real threat of bankruptcy and closure if they fail to meet the demands of the GDPR. Due to this, it’s vital that companies take steps to introduce an effective strategy for full GDPR compliance before the Regulation is fully introduced.