The General Data Protection Regulation (GDPR), which comes into effect on 25 May 2018, requires major change to the way organisations handle personal data. This blog considers how it will affect businesses – what an organisation will need to know to be compliant and to be able to plan and prepare for GDPR to be ready for 2018’s deadline.
What is GDPR?
The EU’s GDPR replaces the 1995 Data Protection Directive, updating data protection policies and regulations governing how companies store, secure and manage personal data.
Existing legislation dates to before the creation of the internet and technology – such as cloud technology – which has given companies extended ways to exploit data. With GDPR the EU is handing back control to the owner of the data, and seeking to improve citizens’ trust in the emerging digital economy.
As an example, GDPR creates the ‘right to be forgotten’, which will mean any citizen or organisation with a reasonable case can ask to be deleted from a database and have every record relating to them removed without trace. The onus will be on the database owner to have in place processes to be able to comply with such requests.
GDPR gives EU citizens a set of ‘data subject’ rights, which include the right to:
- Access their personal data
- Receive a copy of personal data
- Have access to readily-available information in plain language detailing how personal data is used
- Have incorrect personal data deleted, corrected, and erased in certain circumstances (the ‘right to be forgotten’ – see above)
- Request restrictions to the processing of personal data
- Object to the processing of data per se, or for specific uses, such as for marketing or profiling
The regulation is also intended to provide businesses with a clearer legal environment, harmonising how data is handled across the EU, with the subsequent removal of red tape estimated to bring collective cost savings to business of around €2.3 billion a year.
What type of data is covered?
Data can be username, location data, bank details, medical records, online identifiers – for example, IP address or cookies – or passwords. GDPR also extends the definition of sensitive personal data to include genetic and biometric identity.
Who will GDPR affect?
GDPR will cover citizens in the EU Zone, which currently incorporates 28 member countries with half a billion citizens. However, businesses in countries outside the EU will need to be GDPR compliant to use data from customers within the EU.
How will GDPR personally affect my business?
One of the main changes businesses will need to be aware of is that fines for non-compliance are going to increase significantly. For example, for a data breach, organisations will be facing fines of up to four percent of annual global turnover or €20 million, whichever is greater.
After 25 May 2018, businesses will have 72 hours to disclose a serious data breach to the nominated authority, and which in the UK will be the Information Commissioner’s Office (ICO), and to the victim of the breach. Businesses failing to do so will be liable to fines of up to €10 million or two percent of revenue.
Data loss could, therefore, be potentially financially devastating.
Other changes include, for example, that businesses will no longer be able to charge a fee for providing access to personal data, and will have a limit of 40 days to disclose information.
How should IT providers help businesses prepare for GDPR?
The countdown to 25 May 2018 is well underway, but reports are giving more than half of businesses liable to fail to be compliant by the end of 2018.
It’s important for any business that hasn’t yet started preparing for GDPR to do so now – and we’re here to help partners support their customers with doing so.
We’ll be creating a GDPR content hub, where we’ll be posting links to the most relevant and useful articles and pieces of information generally, as well as creating our own items – for example, our eBook, GDPR: A Guide for Vuzion Partners.
If you were unable to join our webinar on 22 June, 10 questions your customers should answer about GDPR, hosted by independent GDPR Implementation Consultant Pierre Westphal – or joined and would like to listen again – you can do so via the recording link.