On 25th May 2018, the General Data Protection Regulation – otherwise known as ‘GDPR’ – will be enforced, bringing the biggest change to data protection legislation in 20 years.
This blog is part of a series providing a complete guide to GDPR. Click here for part two, “GDPR Checklist: Are you ready to opt in?”; or click here to skip forward to part three, “Six Benefits of GDPR Compliance”.
What is GDPR?
In a nutshell, the GDPR will update current data protection law to give individuals greater control over their personal information and to improve how organisations process personal data. Improving privacy, increasing trust, and redressing the balance of control over personal data are the key features of this new legislation.
Given the perceived complexity of GDPR, it may be tempting to take the ostrich approach and bury your head in the sand. However, in just a few weeks, GDPR will be fully effective across the UK and European Union (EU) and you cannot afford to ignore it.
The consequences of non-compliance are potentially significant: organisations found in breach of GDPR face possible fines of up to 4% of annual global turnover or €20 million, whichever is greater. Within the UK, this will be governed and enforced by the UK Information Commissioner’s Office (ICO), which is committed to helping organisations prepare for and abide by GDPR from 25th May onwards.
To help organisations navigate these key changes, the ICO has created a comprehensive summary of the GDPR on its website. Loaded with some easy-to-digest guides and checklists, this is a good place to start if you are behind in your GDPR planning or you simply want to find out more about a specific area of GDPR.
So why is GDPR happening now?
Over the last decade, the digital landscape has rapidly evolved, with digital growth being driven by more affordable smartphones and mobile data plans. In addition, the use of over-the-top (“OTT”) services has increased significantly, with services such as Skype, Gmail, Facebook Messenger and WhatsApp becoming a normal part of everyday life.
With multiple digital touch points for engaging with individuals, personal information is constantly being requested, stored and exchanged as part of these OTT services. Whilst data protection legislation is already in place to ensure that data collection and processing are managed responsibly, the world has moved on, and much of this legislation has become outdated.
Data hacks and breaches have also hit the headlines in recent years, heightening concerns, not only about the security of stored data, but also about the level of personal information being requested by organisations in return for access to services, products, and digital information.
This changed digital landscape has undoubtedly driven the need for GDPR, which replaces the Data Protection Directive 1995. Whilst there will be similarities with the current UK Data Protection Act 1998 (DPA), the GDPR will be more extensive in scope and application.
What GDPR means for your business
The GDPR applies to all organisations that process personal data within the EU. It also applies to organisations outside of the EU that process personal data of individuals in the EU. The UK government has already confirmed that the GDPR will, for now at least, be applicable to the UK despite the decision to leave the EU.
When it comes to an individual’s personal data, the GDPR requires that this data is fairly and lawfully processed. Personal information must also be stored securely and kept accurate and up to date. Because individuals have the right to access any personal data stored about them, that data must also be made available upon request.
If you are already fully compliant with the current Data Protection Act (DPA), the impact of these changes is likely to be less significant for your organisation than those that have been somewhat relaxed with processing personal data.
The increased penalties for non-compliance under GDPR are also a key change, which is prompting many organisations to take GDPR seriously and do all that is needed to comply.
However, fines aside, the negative impact on brand value and consumer trust could be the greatest cost of all. How you respond to a personal data breach, and how you demonstrate to the ICO and your customers that you have taken the necessary steps to manage personal data responsibly, is as important as the changes you need to make in the lead up to 25th May.
At this stage, it is vital to engage your internal communication teams and involve your external PR agency in your GDPR preparations, so that you can develop a suitable crisis response plan and prepare for potential breaches. This might include media training for key spokespeople, developing a customer care plan to support individuals who might be affected, and preparing holding statements in advance to manage media enquiries while you focus on dealing with the requirements of the ICO.
If you really don’t know where to start, and all this talk of GDPR is overwhelming, take a look at the ICO’s guide, ‘Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now’.
Get ready for GDPR
In part 2 of this GDPR blog series, we look at some of these key steps in practice and highlight the main considerations that will help you to prepare for GDPR and remain compliant going forward. Click here to read on.
However, if you have not even started this journey, the most important things to do right now are to raise awareness of GDPR across your business, to involve all your external suppliers in your GDPR plans and preparations, and to take the necessary steps to understand what your business must do to stay on the right side of your customers and the ICO.