The GDPR and How It Will Affect You
What Exactly Is the GDPR?
The GDPR (General Data Protection Regulation) comes into effect on May 25th, 2018. Its purpose is to tighten the rules on protecting the personal data of individuals in the EU. Any business that offers goods or services to people in the EU, or monitors their behaviour, is affected, regardless of where it is based or how large it is. The regulation strengthens the rights individuals have over their personal data.
The European Commission defines ‘personal data’ as any information which relates to an identified or identifiable natural person. Under the GDPR (Article 4(1)), that definition reads as follows:
“an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
Genetic, mental, economic, cultural and social identity are now listed explicitly as identifying factors, and online identifiers (such as IP addresses and cookie IDs) are named for the first time. Personal data therefore covers anything that identifies an individual, from an email address to a fingerprint, a photo to a postcode. It is essential that your company understands these additions so that it can protect an individual’s personal data.
How Will the GDPR Affect Your Business?
If your business already complies with the Data Protection Act, the GDPR brings a small number of new, but significant, changes. It builds on the principles of the Data Protection Act rather than replacing them.
Not complying with the GDPR can bring severe ramifications. For the most serious infringements, companies can be fined up to €20 million or up to 4% of global turnover for the previous financial year, whichever is higher. Beyond the fine, a brand’s reputation and customer trust would be damaged severely. To avoid this, you must pay attention to the new changes and ensure your organisation follows the necessary steps. Listed below are the main new obligations under the GDPR:
- Appointing a data protection officer (DPO) becomes mandatory for public authorities and for organisations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of special categories of data (such as health or genetic data). Other organisations may appoint one voluntarily.
- After becoming aware of a personal data breach, controllers must report it to the supervisory authority within 72 hours where feasible. The only exception is where the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach poses a high risk to individuals, they must be informed as well.
- A data protection impact assessment (DPIA, often called a privacy impact assessment) will be required for any processing likely to result in a high risk to individuals, for example large-scale profiling or monitoring.
- All privacy notices that your business issues will need to be reviewed and changed to fit with the GDPR.
- Parental consent must be obtained for the processing of personal data of children under the age of 16 when online services are offered directly to them (member states may lower this age to no less than 13).
- When an organisation relies on consent to process data, the request must be clear, intelligible and separate from other terms, and withdrawing consent must be as easy as giving it.
- If asked, companies must give individuals a copy of their personal data in a structured, commonly used and machine-readable format.
- All companies need to ensure that the rights of the users are upheld. These rights are shown below.
What Rights Will the GDPR Give Individuals?
As well as the rights set out in the current Data Protection Act, individuals will be granted the following rights:
- Right to consent – consent is one of the lawful bases for processing (alongside contract, legal obligation and legitimate interests, among others). Where an organisation relies on it, consent must be freely given, specific, informed and unambiguous, and individuals can withdraw it at any time.
- Right to object – when data is being processed for direct marketing purposes, the individual can object at any time without having to provide any reason, and processing for that purpose must stop.
- Right to transparency – individuals must be told clearly, at the point of collection, what data is collected, why, and how it will be processed.
- Right of access – data controllers must provide individuals with a copy of their data and supporting information such as the purposes of processing and the retention period. This must normally be provided free of charge and within one month.
- Right to rectification – individuals have the right to have inaccurate personal data corrected and incomplete data completed.
- Right to erasure (the ‘right to be forgotten’) – in certain cases, for example where the data is no longer needed for its original purpose or consent has been withdrawn, individuals can require a business to delete their personal data.
- Right to restrict processing – individuals can require that processing is paused, for example while the accuracy of the data is being disputed, so that the data is stored but not otherwise used.
- Right not to be subject to automated decision-making – individuals have the right not to be subject to a decision based solely on automated processing, including profiling, where it has legal or similarly significant effects on them.
- Right to be provided with processing information – data controllers are obliged to give individuals detailed information, including the source of the data where it was not collected from them directly, in a clear and intelligible form.
- Right to data portability – individuals have the right to move data they have provided from one service provider to another, and to have it transmitted directly between providers where technically feasible.
Will Brexit Have an Impact?
You are probably thinking, “with Brexit anticipated for early 2019, will this affect British business?” The answer is yes.
Regardless of Brexit, UK organisations handling the personal data of individuals in the EU are still obliged to comply, because the GDPR applies to any organisation offering goods or services to people in the EU wherever it is based. After Brexit, the UK intends to maintain a close relationship with its EU neighbours, which includes keeping its data protection rules aligned with the GDPR.
Hopefully, after reading this you have a better understanding of what the GDPR is and how it applies to your business. Knowing the regulations first-hand gets your business up to speed with the GDPR and spares you the consequences of non-compliance. It also lets you show customers that your business is trustworthy and responsible.
To find out more information on the GDPR, visit our Knowledge Hub here.