GDPR (General Data Protection Regulation) is due to come into effect in the UK on the 25th May 2018.
It will effectively replace the existing Data Protection regulation and is being implemented through EU law. However, it is worth pointing out that, once Britain leaves the EU, the UK government intends to maintain these changes and, if anything, broaden the regulation.
Why is GDPR being implemented?
As businesses become more and more dependent on technology to store ever-increasing amounts of customer data, more and more people are at risk of cyber attacks.
Governments have realised this growing risk and how individuals seem to be losing control of their personal data and who is using it for what purpose.
The idea behind GDPR is to give the power back to consumers so they understand exactly who has their data and why.
The new measures are also intended to shore up security issues and make businesses more aware of their obligation to keep information safe.
How does it affect UK businesses?
When GDPR comes into effect, UK businesses need to be prepared for the changes and alter the way they store and collect data.
Here is a run-down of the major changes to how businesses currently operate:
1. They will need to demonstrate greater clarity
As mentioned, a major concern across European countries is that consumers are not fully aware of who has their data and why. Businesses are required to give greater clarity when they are collecting customer data and to explain what it will be used for.
For example, a major change is that you can no longer automatically opt individuals in to having their data stored for marketing purposes. Pre-ticked opt-in boxes need to be removed from any sign-up forms.
2. They will need to give control back to customers
Not only do businesses need to make consumers aware of when they have their data, they need to give them clear control over it. This means giving them the right to move it to another provider, to edit it, and to have it deleted upon request.
This “right to be forgotten” gives individuals the opportunity to remove all traces of their past data that has been collected. Even social media sites are required to delete any traces of old images containing the individuals. It is worth noting that what constitutes “data” is also being expanded to include IP addresses, internet cookies and DNA.
3. They will need to shore up their security measures
It’s hard to miss news headlines of security breaches such as the major hack on NHS data towards the start of 2017. Well, such risks are only increasing and the responsibility is being put on businesses to make sure they are prepared against all attacks.
If they choose to hold data, then they must take reasonable measures to ensure its safety at all times. To assess the safety, they will have to undergo impact assessments by the ICO (Information Commissioner's Office).
If a breach does occur, businesses, no matter if they are large or small, have just 72 hours to notify the ICO and, if it is a severe attack, all individuals at risk must be notified as well.
4. They will be subject to stricter ruling
The ICO are having their powers extended to help protect UK consumers from having their data stolen. The number of punishable offences is being increased, and so are the limits on fines they can impose. As of May 28th, the limit will be £17 million, or 4% of global turnover, which is drastically more than the current limit of £500,000.
SMEs can expect the same penalty structure as larger companies if they are found acting unsafely.
GDPR - what do businesses need to do?
UK businesses need to make themselves fully aware of the intricacies of the upcoming changes, and how their relationship with their customers is evolving.
There may be penalties placed on firms that fail to bring themselves up to speed in time for the changes, so it's best to act soon and prepare all staff as well.
SMEs in particular, who may have little in the way of existing security measures, need to invest in new protocols and find ways of securing any sensitive information they hold.