GDPR Explained – What is GDPR and how will it affect your business?
The letters GDPR have been thrown around by just about every corporate legal team in the UK since earlier this year: but what is GDPR? In this article, we’ll explain exactly what GDPR is, and what effect it could have on your business.
What is GDPR?
At first glance, GDPR (the General Data Protection Regulation) may seem like an incredibly intimidating set of laws. Upon further inspection, GDPR is simply the successor to the existing DPA (the Data Protection Act 1998), a set of laws designed to protect people’s personal data from being unlawfully exploited. The new rules apply to every organisation and business established in the EU, as well as to those outside it that hold or process the personal data of people in the EU.
With the growing number of cyberattacks in recent years (for example, the huge disruption WannaCry caused across the NHS) and the increasing risk of customer data being unlawfully accessed, the EU has introduced a new set of laws designed to tighten security and give people more control over their data.
GDPR comes into effect on 25th May 2018. It requires businesses and organisations to respond to certain requests from individuals regarding their personal data, and to produce documentation showing how that data is handled. If the requirements are not met, the data protection authority (in the UK, the ICO) can issue a fine of up to €20 million (roughly £17 million) or 4% of annual worldwide turnover, whichever is greater.
This is perhaps what is currently worrying UK businesses and organisations the most. The threat of such a significant fine is bad enough, but the effort it might take to comply with these regulations is creating fear as well. Veritas (a data insights and analysis company) found in a recent survey of UK businesses that 47% fear they won’t meet the GDPR requirements in time. For some it is the immense task of accounting for every piece of data they hold; for 32% of the businesses Veritas surveyed, it was whether they would even have the right technology to comply.
Why Not to Worry
However, it’s extremely important that business owners do not panic, and instead take the time to familiarise themselves with GDPR as much as possible (for example, by reading help guides like this one). Doing so can clear up some popular misconceptions about GDPR, such as the idea that Brexit will stop it from affecting the UK: Brexit isn’t due to conclude until 2019 at the earliest, so GDPR will be in force in the UK before then, and it will continue to apply to any business that handles the data of people in the EU afterwards.
Almost a third of the IT professionals surveyed by the tech community SpiceWorks admitted that they did not understand how GDPR would affect their business, so doing the appropriate research and understanding what GDPR is are essential steps going forward.
GDPR is very similar to the DPA already mentioned (if your business is currently affected by those laws, it will almost certainly continue to be affected), but it also brings two notable additions into effect: the Accountability Principle, and the Right to be Forgotten.
The Accountability Principle
The Accountability Principle is less a single rule than a standard that regulators will judge businesses and organisations against: not only must you comply with the data protection principles, you must be able to demonstrate that you do. It is an approach designed to encourage businesses to see themselves as guardians of customer data and take responsibility for how that data is used. There are no ‘firm lines’; rather, assessments will be made and documents (such as records of what data you hold, why, and how it is protected) will be examined to determine whether your business is properly adhering to the principle.
The Right to be Forgotten
The Right to be Forgotten, by contrast, refers to a set of rights intended to give customers more control over any data held by a business or organisation. These give individuals the right to request that their data be deleted (the right to erasure proper), that its use be restricted, that it be transferred to another company (data portability), and more. This is why businesses need to be prepared to respond to such requests, should they ever occur; otherwise they risk making it a very difficult process, or even facing a fine.
How to comply with both of these requirements will be addressed in the second part of this series, where we’ll outline the steps your business should be taking in the run-up to May 2018. Keep an eye out for it very soon!