What is GDPR? Everything You Need To Know For Your Business
On May 25th, 2018 the rules for data protection within the UK and the rest of the EU will be updated, designed to give all citizens more control over the information that is stored about them.
This includes information stored by businesses, organisations and corporations, both offline and online.
But what does that really mean, and how do you get your business compliant in time for the deadline?
What is GDPR?
Since 1998, the Data Protection Act has been used to implement the 1995 EU Data Protection Directive, which controls and regulates data protection and the permissions people give for their personal information to be used in exchange for ‘free’ services.
This includes email sign ups for newsletters, entering personal information for competitions and special offers, or giving details about your shopping habits to online retailers.
From May 2018, the EU’s General Data Protection Regulation (GDPR) will replace the 1995 Directive, and with it the UK’s Data Protection Act 1998, to give people more control over how organisations use their data. The Regulation also introduces penalties for organisations that fail to comply, and for those that allow data breaches through outdated security measures and poor processes.
The GDPR will not only protect UK citizens, but also cover the EU as well, bringing the law up to date across Europe.
Why do we need an update to Data Protection?
There are two main reasons why the new GDPR has been created, and why you need to implement it for yourself.
1) First of all, there were concerns that the discrepancy in regulations between the UK and the EU allowed data to be used in ways many people were not aware of.
Large companies such as Amazon, Google, and eBay are international corporations that operate in many different countries, and so there was a need to bring data protection law in line across the board.
The recent scandal involving Facebook and Cambridge Analytica, in which a reported 50 million Facebook profiles were harvested and used to target voters in the 2016 US election, has shown what can happen when data protection goes unchecked.
2) The second reason is to offer more clarity to businesses on how they can collect and use personal data. By making the law universal across the EU, this will minimise confusion and ensure businesses have adequate data protection processes in place.
I don’t think GDPR affects me, can I ignore the deadline?
GDPR will apply to all EU member states, including the UK from 25 May 2018.
GDPR is a regulation, not a directive, so the UK does not need to draw up new legislation in order to bring it into force: it applies automatically from the deadline.
However, despite the deadline drawing closer, many businesses within the UK are still not prepared for the changes; either due to not understanding the implications, or believing it does not apply to them.
At present, only 43% of UK businesses are assessing the impact that GDPR will have on their processes and practices.
Reasons given for delaying GDPR preparation include:
- Being mostly based in the US or another non-EU country and believing the rules do not apply to offices within the UK
- Believing that the information held by the business is not financial and therefore is not covered
- Believing that customer information gathered previously through email sign ups is already covered
None of these excludes you or your business from GDPR compliance.
You will still have to make changes to your data protection processes if you are non-EU based but handle the data of people in the EU, if you collect any personal data whatsoever, and if you have previously collected customer data under the old rules.
We’re leaving the EU so surely GDPR won’t impact the UK?
Even though the UK is leaving the EU via Brexit, the new GDPR rules will still apply.
GDPR comes into effect before the two-year Article 50 period for Brexit is complete, so the UK must still comply with the new legislation.
Even after Brexit is completed, the new Data Protection Bill, announced by the UK government in August 2017, will carry the substance of GDPR into UK law.
This means that even when the UK has left the European Union, UK organisations will still have to adhere to the same rules that apply across the rest of the EU.
GDPR is important across both the UK and Europe because it modernises current data protection law by expanding the definition of personal data to include identifiers such as IP addresses, internet cookies and genetic data.
For the tech and digital industries in particular, ensuring that the UK and EU work to the same data protection rules is essential, and Brexit could not be allowed to affect the implementation of GDPR, as TechUK CEO Julian David states:
“UK tech companies are clear that this is not a view held by the sector, which sees the UK’s implementation of GDPR as a key pillar to the future success of the digital economy.”
“Disrupting GDPR implementation would not be welcomed by businesses,” he added. “There is no desire for another wholesale revision of data protection rules any time soon.”
At present, the UK government is working on the new Data Protection Bill to carry GDPR into UK law, a step the sector regards as crucial to the UK’s economic success.
Julian adds: “The tech sector is clear that diverging from EU data protection post-Brexit is neither desirable nor helpful. The GDPR represents a high standard of protection for citizens’ information, which will help build trust in the digital economy.”
There is still some confusion about how the new Data Protection Bill in the UK will work alongside GDPR in the EU, as some provisions have to be rewritten to accommodate Brexit, but this will not excuse UK organisations that fail to adhere to GDPR once the May deadline passes.
GDPR is confusing – how do I know where to start?
GDPR assigns obligations according to two roles: controllers and processors.
Controllers – The controller decides the how, when and why of the processing: what personal data is collected and for what purpose.
Processors – A processor handles personal data on the controller’s instructions, but does not decide why it is collected or how it is used.
A business can be just a controller, just a processor, or both at the same time, and there are different obligations for each. Additionally, even if the controller or processor is based outside the EU, GDPR will still apply if they are handling data about people in the EU.
So, for example, you are an online wholesale retailer selling clothing. You take customer details at checkout and pass them to a payment gateway without storing them yourself. Not storing the data does not make you a processor: you decided to collect it and why, so you are the controller for that sale, and the payment gateway acting on your instructions is your processor. You also store information on your suppliers around the country and contact them with offers and news based on that information, so you are a controller for that data too.
It is the responsibility of both controllers and processors to ensure that the data they handle is treated in line with the new data protection laws.
Even if controllers and processors are based outside the EU, GDPR will still apply to them so long as they are dealing with data belonging to EU residents.
Once GDPR comes into effect, controllers must ensure that the personal data they collect is processed transparently and only for the purposes specified when it was collected. Processors will have to handle all data ‘lawfully’ as per the requirements of GDPR, including protecting it against data breaches.
So, what counts as ‘lawful’ processing?
Under GDPR, processing is lawful only if it rests on one of a fixed set of lawful bases, including:
- the person in question has consented to their data being processed
- the processing is necessary to perform a contract with them, or to comply with a legal obligation
- the processing protects an interest that is “essential for the life of” the subject (vital interests)
- the processing is in the public interest, or is in the controller’s legitimate interests, such as fraud prevention, provided those interests are not overridden by the person’s rights
At least one of these bases must apply before you process the data, and you should record which one you are relying on.
Can I still use passive consent to collect data?
Previously, organisations that wanted to collect data on their customers could rely on passive consent – a pre-ticked box that users had to untick in order to opt out of data collection.
For example, your online shop may require people who buy from you to sign up as a customer in order to complete their sale. Typically, this includes giving their email address, name and date of birth.
Traditionally, you could add a bit of text at the end that asks them to ‘untick’ the box shown if they do not want their details to be used for marketing purposes.
Under GDPR, this practice will no longer be allowed. Consent must be given by a clear affirmative action, and it must be crystal clear what the person is agreeing to.
This means the box must be unticked by default, the person must actively opt in, consent must be requested separately for each distinct purpose, and it must be straightforward to see what the data is being collected for.
Controllers are required to record how and when an individual gave consent and what they were told at the time, so if your current system of data collection does not adhere to these practices, you will have to update it by the time GDPR comes into effect.
The new rules also allow users to withdraw their consent at any time, and withdrawing must be as easy as giving it, so you must provide information on how they can do this.
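The checks above are easier to reason about as a small ledger. The following is an added example written for this page, not code from the article or any vendor: it rejects a pre-ticked control, stores how, when and under which notice consent was given, supports withdrawal without destroying the audit trail, and answers whether processing for a given purpose is currently permitted. The form field shape, the sample submissions and all identifiers are assumptions for illustration.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional


class InvalidConsent(ValueError):
    """The submission does not amount to a freely given, affirmative choice."""


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                 # what the data will be used for, e.g. "marketing_email"
    given_at: datetime           # when the subject took the affirmative action
    method: str                  # how it was captured, e.g. "checkout_form_v3"
    notice_version: str          # which privacy wording the subject actually saw
    withdrawn_at: Optional[datetime] = None


def _utcnow() -> datetime:
    return datetime.now(timezone.utc)


class ConsentLedger:
    """Append-only store of consent events; withdrawal never deletes the original record."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str, form_field: Dict,
                       method: str, notice_version: str,
                       now: Optional[datetime] = None) -> ConsentRecord:
        # form_field is the submitted control state (assumed shape):
        # {"checked": bool, "default_checked": bool, "purpose_text": str}
        if form_field.get("default_checked"):
            raise InvalidConsent("pre-ticked box: silence or inactivity is not consent")
        if not form_field.get("checked"):
            raise InvalidConsent("box not ticked: no affirmative action by the subject")
        if not form_field.get("purpose_text", "").strip():
            raise InvalidConsent("purpose was not shown alongside the control")
        rec = ConsentRecord(subject_id, purpose, now or _utcnow(), method, notice_version)
        self._records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str,
                 now: Optional[datetime] = None) -> int:
        """Mark every live consent for this subject and purpose withdrawn; return how many."""
        stamp = now or _utcnow()
        hit = 0
        for rec in self._records:
            if (rec.subject_id == subject_id and rec.purpose == purpose
                    and rec.withdrawn_at is None):
                rec.withdrawn_at = stamp
                hit += 1
        return hit

    def may_process(self, subject_id: str, purpose: str,
                    at: Optional[datetime] = None) -> bool:
        """True only if an un-withdrawn consent for exactly this purpose covers time 'at'."""
        at = at or _utcnow()
        return any(
            rec.subject_id == subject_id and rec.purpose == purpose
            and rec.given_at <= at
            and (rec.withdrawn_at is None or rec.withdrawn_at > at)
            for rec in self._records
        )

    def export(self, subject_id: str) -> List[Dict]:
        """Plain dicts (JSON-ready) for answering an access request or an audit."""
        out = []
        for rec in self._records:
            if rec.subject_id == subject_id:
                d = asdict(rec)
                d["given_at"] = rec.given_at.isoformat()
                d["withdrawn_at"] = rec.withdrawn_at.isoformat() if rec.withdrawn_at else None
                out.append(d)
        return out


def demo() -> Dict[str, object]:
    """Walk through the three cases from the text with constructed sample submissions."""
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    t1 = datetime(2018, 6, 1, 12, 0, tzinfo=timezone.utc)
    notice = "privacy-notice-2018-05"   # constructed identifier

    # 1. The old "untick to opt out" control: must be rejected.
    pre_ticked = {"checked": True, "default_checked": True,
                  "purpose_text": "Untick if you do not want offers"}
    try:
        ledger.record_consent("cust-42", "marketing_email", pre_ticked, "legacy_form", notice, now=t0)
        rejected = False
    except InvalidConsent:
        rejected = True

    # 2. Affirmative, purpose-specific opt-in: recorded with how, when and what.
    opt_in = {"checked": True, "default_checked": False,
              "purpose_text": "Tick to receive offers by email"}
    ledger.record_consent("cust-42", "marketing_email", opt_in, "checkout_form_v3", notice, now=t0)
    allowed = ledger.may_process("cust-42", "marketing_email", at=t0)
    other_purpose = ledger.may_process("cust-42", "profiling", at=t0)

    # 3. Withdrawal later: processing stops, but the record of consent survives.
    ledger.withdraw("cust-42", "marketing_email", now=t1)
    still_allowed = ledger.may_process("cust-42", "marketing_email", at=t1)
    return {
        "pre_ticked_rejected": rejected,
        "allowed_after_opt_in": allowed,
        "allowed_for_other_purpose": other_purpose,
        "allowed_after_withdrawal": still_allowed,
        "records_kept": len(ledger.export("cust-42")),
    }


if __name__ == "__main__":
    print(demo())
```

The point of keeping the record after withdrawal is evidential: if a regulator asks why a marketing email was sent on a given date, the ledger can show consent was live at that moment and when it ended. In a real system the ledger would be persisted and the timestamps would come from a trusted clock rather than the request.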
What is classed as ‘Personal Data’?
For the new GDPR regulations, the definition of Personal Data has been expanded to reflect the modern world and how people can be identified by their data.
Personal Data now includes, but is not limited to;
- IP addresses
- Economic information
- Cultural identifiers
- Mental health information
- Email addresses
- Online shopping history
For eCommerce businesses, this also includes any data on shopping habits, especially where it could be used to identify the person. Think about customers who have bought personalised gifts, received birthday discount emails, or given their location: all of these can be used to identify an individual and so fall under GDPR.
Pseudonymised personal data, such as online handles or customer IDs, is still personal data under GDPR wherever the person can be re-identified by combining it with other information you or a third party hold.
The new rules also include everything that counted as personal data under the previous Data Protection Act, such as geographical information, salaries, political views and sexuality.
Do I have to share this information with anyone?
If people want access to their personal data, they can request it from the controller under GDPR, and the controller must comply.
Controllers can expect such requests at ‘reasonable intervals’ and must respond within one month, extendable by a further two months for complex or numerous requests.
Because the new regulation requires both data processors and controllers to be transparent about how they collect personal information and what happens to it once it is collected, people will have much better visibility of the information held on them.
This in turn gives them more freedom to choose when and how that data is used, if at all, and they can request correction of incorrect or incomplete information at any time.
GDPR also requires businesses and organisations to use plain language to communicate their intentions, so loopholes can no longer be hidden in confusing terms and conditions documents.
Exercising the Right to be Forgotten
This phrase has been making the rounds in news articles for a while now, but it really comes into force when the GDPR deadline arrives.
From May 25th, people will have the right to have their personal data erased where it is no longer needed for the purpose it was collected for, where they withdraw the consent the processing relied on, or where it was processed unlawfully.
For information collected under the old ‘untick to opt out’ system, where consent was the only lawful basis, a person can withdraw that consent and the information must then be erased.
It will also be down to the controller to ensure that the information is not only removed from their own systems, but that any processors and other recipients it was shared with, such as third party software providers, are told to remove it too.
People can also request for their data to be moved elsewhere, so you must be able to supply the data they provided in a structured, commonly used and machine-readable format.
How serious are Data Breaches under GDPR?
In order to be compliant with GDPR, you must notify your data protection authority of any personal data breach that is likely to put people’s rights and freedoms at risk.
This must be done within 72 hours of becoming aware of the breach, even if you do not have all of the information available at that time. You still need to make contact and give all the relevant information you have – the nature of the data affected, the approximate number of people impacted, the likely consequences, and the measures you have taken or plan to take – within that time frame, and follow up in phases as you learn more.
You are also required to notify the people affected without undue delay where the breach is likely to result in a high risk to them. Failing to meet the notification obligations can lead to a fine of up to €10 million or 2% of annual worldwide turnover, whichever is higher.
There are also penalties for companies and organisations that mishandle the data in their care, including but not limited to:
- Not having a lawful basis for handling personal information
- Ignoring a person’s rights over their data
- Transferring data outside the EU without appropriate safeguards
The penalties for these breaches can be up to €20 million or 4% of global annual turnover, whichever is greater.
In 2015, TalkTalk suffered a data breach in which attackers accessed the personal information of almost 157,000 customers, and the ICO handed it a substantial fine.
The fine totaled £400,000 – a record for the time – but it has been estimated that under GDPR the equivalent fine would have been £59 million, so you can clearly see the potential cost that ignoring GDPR can have on your business.
If you handle customer data and your systems are breached, not only will you have to tell your customers that their information is at risk, but you may lose them for good as customers.
As most eCommerce businesses rely on returning customers for the majority of their revenue, the possibility of losing longtime customers is potentially devastating, especially for a small or start-up business.
The Information Commissioner’s Office (ICO), the UK authority for data protection, has requested more funding ahead of GDPR coming into effect so that it can handle the increase in notifications and respond adequately to the impact of data breaches.
Are we required to hire a Data Protection Officer?
Once GDPR arrives, a designated Data Protection Officer will be required for any public authority, and for any organisation whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data such as health information. A group of companies, or a group of public bodies, can share one Data Protection Officer provided they can all reach them easily. For businesses outside those categories the role is voluntary, but having one in place puts you in better standing with the ICO should you suffer a data breach.
The role of the Data Protection Officer will be to ensure that the business or company is adhering to GDPR rules regarding data processing and data control.
They will also act as the liaison between the individuals whose data is being processed and the controllers and processors handling the information, as well as communicating with the Information Commissioner’s Office regarding data breaches.
You’ve convinced me! How do I start getting ready for GDPR?
There is no such thing as preparing too early when it comes to GDPR. The deadline is already looming on the horizon and if you haven’t started your preparations yet, now is the time.
Start off by getting your Data Protection Officer (or, if one is not required, a named person responsible for data protection) in place, as they can start spearheading your efforts and become the source of information on GDPR for the rest of your business.
Next, map what personal data you hold, where it came from, why you hold it and who you share it with, then review your current data protection policies against that map to see where the gaps are.
You will also need to review any third-party suppliers who count as processors, check what their data protection policies are and whether their contracts with you meet the GDPR requirements.
Your technology and software will also need to be checked to ensure they support GDPR compliance, including access, erasure and export of individuals’ data, and that any known weaknesses that could lead to a data breach are fixed before the deadline.
As Elizabeth Denham, the UK’s Information Commissioner, stated in a recent talk at the Institute of Chartered Accountants in England and Wales:
“We’re all going to have to change how we think about data protection.”
“When it comes to data protection, small businesses tend to be less well prepared. They have less to invest in getting it right. They don’t have compliance teams or data protection officers. But small organisations often process a lot of personal data, and the reputation and liability risks are just as real.”
“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”
“If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation.”
Despite all the jargon and documentation involved, at its core GDPR is all about giving more control and transparency to people regarding their personal data.
It is our responsibility as businesses to support that, showing our customers and clients that they can trust us to handle their information with care and professionalism within the scope of the law.
Whether you are a larger, nationwide business with offices across the world, or a local family-run company with fewer than 5 employees, if you handle the personal data of your customers you need to ensure you are compliant with GDPR by the May 25th deadline. Simply put, it is not worth the risk if you don’t.