Data protection is one of those frightening topics that often puts people “on edge”, and new legislation is likely to instil fear in those who are unprepared.
However, there is no reason to panic, as we explain the changes to data protection legislation and the introduction of the new legislation: the GDPR.
For those using HubSpot we recommend reading their comprehensive guide to GDPR.
Please note: For ease this article is written with British organisations in mind, however GDPR and its requirements will apply to ALL businesses that market to or do business with European Union member states, regardless of where YOUR business is based...
Why is data protection legislation changing?
It is the result of four exhaustive years of work by the EU to update data protection legislation to suit the changing ways in which companies and individuals use and share data. It will supersede all previous data protection legislation, namely the Data Protection Act 1998 and the 1995 EU Data Protection Directive.
The EU anticipates that the new legislation will give people more control over how their personal data is used, shared and managed. Current legislation was created long before the likes of Facebook and Google became data powerhouses. By producing this new legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the digital economy.
It also hopes that businesses will have a simpler, clearer legal environment in which to operate, by ensuring that data protection law is identical throughout the single market.
When will GDPR affect me and my business?
The rules will become immediately binding on May 25, 2018 (less than six months away) and require no action by EU member governments: it will simply become law for all.
For British companies, Brexit has no impact, and we will all have to adhere to exactly the same rules and regulations as companies located anywhere else in the world. Similarly, if you’re based elsewhere and doing business with or marketing to a British company, Brexit will have no impact on GDPR, so you must act accordingly.
If your business has fewer than 250 employees, experts estimate it will have less of an impact unless you handle sensitive data. If you have more than 250 employees you’re required to employ a Data Protection Officer (DPO), responsible for ensuring continual compliance with the GDPR legislation. We strongly recommend you research your responsibilities further and how to prepare for these changes.
What is the GDPR?
The General Data Protection Regulation - GDPR - is a suite of new legislative rules being introduced by the European Union to ensure that residents of all EU countries can protect their personal data online.
Surprisingly, many are still unaware of the upcoming changes in spite of the fact the legislation was approved in April 2016.
Once it comes into effect it will mean that controllers must ensure personal data is processed lawfully, transparently and for a specific purpose. Once that purpose is fulfilled and the data is no longer required, it should be deleted.
Personal data: The new EU definition of ‘personal data’ under the GDPR includes:
- Online identifiers such as IP addresses, email addresses, social media posts and images
- Economic, cultural, medical and mental health information
- Pseudonymised personal data (depending on how easy or not it is to identify the individual)
- Anything that was classed as personal data under the Data Protection Act 1998 still qualifies as personal data under the new legislation
Lawfully: Lawful processing can rest on a variety of bases, not all of which may apply in every case, including:
- The subject has consented to their data being processed
- It complies with a contract or legal obligation
- It protects an interest that is “essential for the life of” the subject
- Processing the data is in the public interest
- It is in the controller’s legitimate interest (to prevent fraud, for instance)
Who is responsible for abiding by the GDPR legislation?
As defined in the new legislation, it will be the duty of both controllers and processors of data to ensure that the GDPR is complied with.
- Controller: Any organisation, from a profit-seeking company to a charity or government body, which determines how and why personal data is processed.
- Processor: The party doing the actual ‘processing of data’, for example an IT firm in charge of data processing on the controller’s behalf.
It is the controller’s responsibility to ensure their processor abides by the new legislation, but processors must also abide by the rules themselves. If processors are involved in a data breach they’re significantly more liable under GDPR than they were under the Data Protection Act.
You will remain responsible for your own compliance regardless of what software you use, so you cannot blame a cloud-based storage provider, such as Google Cloud or Microsoft, for compliance failures or data breaches.
What do I do next?
You need to start researching more about GDPR and how the legislation will affect you. Please be aware that there are much more significant penalties for data breaches under GDPR, as well as new rules in relation to the ‘Right to be Forgotten’.
Look into the requirements for your business (based on who you do business with, the data you control and/or process and the size of your organisation) and plan your next steps based on your findings.
Ensure you are prepared to operate lawfully once the legislation comes into force on May 25, 2018.
We strongly recommend reading the official guidance from the ICO (Information Commissioner’s Office), which includes a 12-step action plan for preparing for GDPR and separate advice on GDPR preparation for data controllers and data processors.
Find out more about GDPR with these helpful guides:
- General Data Protection Regulation - HubSpot (Source: HubSpot)
- Guide to the General Data Protection Regulation (GDPR) (Source: ICO)
- What is GDPR? Everything you need to know before the 2018 deadline (Source: IT Pro)
- How to get ready for GDPR: 2018 data protection changes (Source: IT Pro)
Please be aware this blog post was produced on January 3rd, 2018 and is to be used as an awareness piece about the importance of learning more about GDPR. You should do your own independent research and seek advice where necessary about the introduction of GDPR.