What is GDPR?
Here's a simple guide to GDPR and what it means for your business.
What is GDPR?
GDPR (the General Data Protection Regulation) is the new EU legislation governing how the personal data of individuals in the EU is collected, used and protected, including protection against data breaches. It applies from 25th May 2018 and will be enforced in the UK by the ICO (Information Commissioner's Office). It is designed to create a single set of rules for businesses across the EU and to give individuals better control over their personal data.
In practice this means that individuals gain new rights to access and control the information that companies hold about them, companies must follow new rules on how they collect, store and manage that data, and there are new fines for anyone who does not comply.
Who Does GDPR Apply To?
The GDPR applies to ‘controllers’ and ‘processors’. A data controller decides why and how personal data is processed; a processor processes personal data on the controller's behalf and on its instructions. As an example, a retailer that holds its customers' records is the controller, and the IT or hosting firm that stores or processes those records for the retailer is the processor. Note that the same organisation can be a controller for some data (e.g. its own staff records) and a processor for other data.
What Information Does GDPR Apply To?
GDPR applies to both personal data and sensitive personal data. Personal data means any information that can be used to identify a living person, directly or in combination with other data, such as a name, address, identification number or even an IP address. Sensitive personal data (which GDPR calls ‘special categories’ of personal data) covers genetic data, biometrics, health data, information about religious and political views, sexual orientation, and more, and may only be processed under stricter conditions.
Personal data relating to criminal convictions and offences is not included, but similar extra safeguards apply to its processing.
What are the penalties for non-compliance?
Businesses can be fined up to 4% of their annual global turnover or €20 million, whichever is higher, for breaching GDPR. This is the maximum fine, reserved for the most serious infringements, e.g. not having a valid lawful basis (such as sufficient customer consent) to process data, or breaching individuals' rights.
There is a tiered approach to fines: the lower tier is up to 2% of annual global turnover or €10 million, whichever is higher, e.g. for not keeping adequate processing records or not reporting a breach to the regulator in time. It is important to note that these rules apply to both controllers and processors, so cloud and hosting providers that process personal data on your behalf are not exempt from GDPR enforcement.
What About Brexit?
GDPR has been created to protect individuals in the EU, so organisations outside the EU that hold and process the personal data of people in the EU (for example by offering them goods or services, or monitoring their behaviour) will have to comply with GDPR, regardless of where the company is located.
Also, the UK is introducing a new Data Protection Bill that is expected to keep GDPR's rules in UK law after Brexit. Therefore, Brexit does not mean that UK businesses can ignore the new rules!
What Do I Need to Do?
In simplified terms, you need to ensure you have the correct policies and procedures in place to protect data:
- Ensure your staff are aware of the new regulations and know how to recognise and report a breach
- Make sure you know what personal data you have, where it is held, why you have it and on what lawful basis you process it
- Make sure you secure and manage all data you hold, and keep it only for as long as you need it
- Appoint a Data Protection Officer where GDPR requires one (public authorities, or organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data); smaller organisations should still nominate someone responsible for data protection
- Encrypt personal data at rest and in transit where appropriate; GDPR names encryption as an example of an appropriate security measure, and encrypted data that is lost or stolen is far less likely to require notifying the affected individuals