GDPR is the latest buzzword, but what exactly is it, and who does it affect?
What is GDPR?
GDPR stands for the General Data Protection Regulation, which comes into effect for all EU member states on 25th May 2018 and forms part of the EU’s Digital Single Market strategy. The aim of GDPR is to ensure that EU citizens have control over their own personal data. It also aims to make data protection simpler for businesses to manage. New sizeable fines for failure to comply with GDPR will provide a strong incentive for organisations to avoid infringements.
GDPR offers increased protection for citizens, building on earlier legislation which was not designed to cope with the digital age as we now know it.
Under the new legislation, individuals, or “data subjects”, as they are referred to, have the right to know what personal data you are holding about them. Personal data previously referred to “any information relating to an identified or identifiable natural person”, but now also includes online identifiers and location data, as well as genetic and biometric data. Biometric data covers facial recognition, retinal scans and fingerprints.
You must have unambiguous permission from a customer to store their details on a marketing list. There must also be a clear opt-out mechanism for customers who no longer wish to receive marketing communications from your company.
Individuals also have the right to be forgotten. This means that they can demand that data about them be erased completely, or that they have only current information held, with past data removed.
GDPR encourages the encryption of personal data for added security, but unless it is impossible for the data to be traced back to an individual, it is not exempt from the new legislation. Only completely anonymous data is exempt.
How Will GDPR Affect My Business?
If your organisation stores personal data, you must be able to demonstrate that you have the individual’s permission to hold that data.
Whether your organisation is a data controller or a sub-contracted data processor, you have the same responsibility for the protection of personal data.
Any organisation which processes large amounts of sensitive customer data is required to appoint a data protection officer.
Even if your business is not based in the EU, it could still be impacted by GDPR. If you have customers who are EU citizens, you are required to comply with the same rules on handling their personal data. If your customer base includes both EU and non-EU citizens, you may find it easier to apply the higher data privacy standards for all your customers rather than having to operate a two-tier system.
Are You Fully Compliant with GDPR?
The only way to be certain that you are fully compliant with GDPR is to carry out a data audit of all the personal information which your organisation currently holds. If you subcontract data processing to another organisation, don’t forget to include their operations in your data audit.
If your organisation fails to comply with the requirements of GDPR, there are serious consequences, with hefty fines payable. These can be as much as 4% of annual turnover for a serious breach of the regulation. For larger companies this would represent significantly more than the current maximum fine of £500,000.
If you are in doubt about any aspect of GDPR, seek professional advice. One thing is clear: ignorance is no protection, and the consequences of breaching GDPR requirements are not only a considerable fine, but also some unwelcome bad publicity.