How will the GDPR affect you and your business?
Amongst all the excitement over Brexit, it's worth remembering that the UK has signed up to new Europe-wide data protection regulations, known as the General Data Protection Regulation (GDPR).
These apply from 25 May next year, and will continue regardless of the deal by which we leave the EU.
And importantly, they will impact us all and will radically alter our approach to data protection.
With this in mind, we’re hosting free events in October and November: one in Croy, near Inverness — now fully booked — and the other in the Village Hotel Aberdeen, to discuss the specific changes, business risks, and the steps organisations can take now to protect themselves.
Meanwhile, by way of a taster, let’s take a moment to remind ourselves what data protection covers.
A few definitions
The regulations cover everything organisations do with personal information.
Specifically, data protection legislation governs how any business — the “data controller” — should process personal data.
Personal data is best seen as any information identifying an individual — from medical records to a CCTV recording. The individual identified is the “data subject”. “Processing” is anything done with these personal details including sharing, storing and even deleting.
Should we be concerned?
Every time we interact with this data we are covered by the regulations. For example, we hold information about staff, customers and clients. We also pass on personal details to “data processors” acting on our behalf, including payroll providers, accountants and lawyers.
What are the dos and don’ts?
We should have clear consent, or a reason that falls into one of the specific categories in the regulations, in order to process personal data.
These categories include the requirement to fulfil contracts with customers, such as mailing addresses; or with staff, such as their bank details for salary payments.
Further, we should make sure the data is secure, accurate, not excessive and that how we process it does not come as an unwelcome surprise to the data subject.
For example, I think we would all agree that finding your details on mailing lists from suppliers you have never heard of can be at best annoying and, more likely, concerning.
So what’s new?
The GDPR —
- Places a greater onus on businesses to demonstrate they have good data protection governance
- Tightens the rules on consent
- Introduces far more detailed rules regarding the use of data processors
The consequences for breach of the regulations are far more punitive than the current regime, including fines of up to €20 million, or 4% of global turnover – whatever is higher.
What should we be doing right now?
Businesses that are data protection compliant are well on the way to meeting the GDPR’s requirements, but there are still immediate steps we all should take, including —
- Auditing data held, including reviewing why it is held, whether all of it is necessary, if it is secure, and whether consent is required
- Checking and recording whether any data processors you use are handling your data appropriately
- Considering whether it is necessary to appoint an appropriate individual to oversee your data protection regime
- Staff training
- Reviewing contracts, including those with data processors and staff, as well as your policies and procedures, to ensure they are sufficiently robust to protect your business and demonstrate compliance with the GDPR
Can’t we just ignore it?
The scope of the GDPR is extremely wide, but we all should do our best to protect ourselves and our businesses by complying with the regulations.
Sometime the rules on data protection may seem so wide that we either assume that this must be an error, or that it is impossible to be compliant so we may as well not try.
Both may be tempting; both are mistakes.
Fortunately, there is lots of help out there, including from the Information Commissioner’s Office, complementing additional support from lawyers and other advisers.
Our Croy event is fully booked, but you can still book to attend our Aberdeen event on Friday, 3 November.
An earlier version of this article appeared in the Press and Journal’s The Leader supplement on Friday, 29 September.