GDPR: Resistance is futile
Helen Plumridge
I mentor Female Founders in Recruitment | Solo to Sub-5 Teams | More Profit + More Efficiency = More Time | Executive Recruiter 1000+ Hires | Mum | Half-Iron Woman
Even if you are a micro or very small business with customers or clients: You need to address GDPR in time for 25th May.
Whilst GDPR is dry enough to put you into a coma, if you haven't heard about it by now, perhaps you've been in a coma for the last 18 months or more.
You can’t have failed to hear about GDPR. The new European Union General Data Protection Regulation, which comes into force in May this year, has been the subject of much debate and deliberation. Some have heralded it as a timebomb that will see every company that isn’t compliant hit with massive fines that could put it out of business. Others compare it to Y2K, when there was much doom-mongering in the months beforehand, but as the clock struck midnight to bring in the 21st century, nothing in effect happened. The reality is somewhat different from both of these scenarios. We’ve put together a brief guide to GDPR, how it may affect you and what you need to do to prepare.
What is GDPR?
GDPR is the General Data Protection Regulation that will be brought in across Europe to bring its data protection legislation into line with new, previously unforeseen ways in which data is now used. It will replace the UK’s Data Protection Act 1998. There will be tougher fines for organisations that don’t comply, but it will also give people much more say over what companies can do with their data. It comes into force on May 25, 2018.
What is personal data according to GDPR?
The definition of personal data under GDPR expands what we currently class as personal data under the Data Protection Act. So as well as anything that counts under current legislation, IP addresses now count as personal data, as does economic, cultural or mental health information, because each is potentially personally identifiable.
Who does the GDPR apply to?
GDPR applies to both controllers of data and processors. Controllers are those organisations who state how and why personal data is processed. Processors are the parties that do the actual processing of the data. These definitions cover all organisations, both public and private sector, large and small.
What many people do not realise is that even if data controllers and data processors are based outside of the EU, if they are processing data that belongs to EU residents, GDPR will apply. Once GDPR comes into effect, data must be processed ‘lawfully’.
What is ‘lawfully’?
Lots of people think that to process data under GDPR, an organisation must have the consent of the individuals concerned. However, under GDPR, consent is just one of a range of justifications that can be used. Processing can be lawful because it is necessary to comply with a contract or a legal obligation; because it protects an interest that is “essential for the life of” the subject; because it is in the interests of the data subject (such as preventing fraud); or because it is carried out in the public interest. At least one of these must apply in order to process data.
Under GDPR, people can ask for access to their data at “reasonable intervals”, and controllers must generally respond within one month. They can ask that this data, if incorrect or incomplete, be rectified whenever they want. Individuals under GDPR also have the right to be forgotten when the data collected is no longer necessary for the purpose for which it was collected.
What are the fines involved?
There’s lots of talk about the fines that can be levied on businesses that suffer a data breach under GDPR. If your organisation suffers a data breach that risks people’s rights and freedoms, you need to inform the Information Commissioner’s Office within 72 hours of your organisation becoming aware of it. Failure to do so could result in a penalty of up to 2% of annual worldwide revenue, or €10 million, whichever is higher.
For not following the basic principles of GDPR in terms of processing data correctly, the fines can be even worse, with penalties potentially being as much as €20 million or 4% of your global annual turnover, whichever is greater. Thankfully, the ICO is taking a pragmatic approach. Here’s what the UK’s Information Commissioner Elizabeth Denham said in a recent blog:
“It’s true we’ll have the power to impose fines much bigger than the £500,000 limit the DPA allows us. It’s also true that companies are fearful of the maximum £17 million or 4% of turnover allowed under the new law.
“But it’s scaremongering to suggest that we’ll be making early examples of organisations for minor infringements or that maximum fines will become the norm.
“The ICO’s commitment to guiding, advising and educating organisations about how to comply with the law will not change under the GDPR. We have always preferred the carrot to the stick.”
GDPR is coming. But it doesn’t have to be scary if you’re willing to engage with it. That’s what we’re doing here at King Recruit, because we take our responsibilities seriously. For more information on GDPR, take a look at the ICO website here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/.