The EU General Data Protection Regulation (GDPR) will be enforced from 25th May 2018. GDPR regulates the collection, storage, use and sharing of “personal data.”
Personal data is defined as any data that relates to an identified or identifiable natural person, for example online identifiers (IP addresses), employee information, sales/marketing databases, location data, CCTV footage, health and financial information and much more. The regulation even covers any personal data you have in paper files!
The GDPR framework focuses on the following:
- Transparency, fairness and lawfulness in the handling of personal data – you need to be clear about how you are using personal data and the need to have a lawful basis to process that data.
- Limiting the processing of personal data to specified, explicit, and legitimate purposes.
- Minimising the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
How you obtained the data is also an important aspect of the GDPR. Although companies have always needed consent to email their database, there will be much more rigorous processes involved following the introduction of GDPR. You can no longer assume consent by pre-ticking boxes – it must be clear consent with a double opt-in. A double opt-in occurs where someone signs up on your website (for example) and then confirms their subscription – usually by approving that they have entered the correct email address in a follow-up email. Documentation is also stricter: from now on, businesses must record when that consent was given and what it was for.
There is also an emphasis on “the right to be forgotten.” This allows individuals to withdraw their consent, meaning that a company would have to delete any information it held about them. Those concerned that their data is inaccurate can also restrict its processing instead of requesting its deletion – essentially freezing it while they sort things out. If someone asks for a copy of their data, a business must confirm whether they process an individual’s personal data and provide a machine-readable copy of it so that they can send it to another provider if they like. GDPR also asks organisations to provide extensive supporting material as part of this process, along with the reasons for processing it. This must happen within a month of the request being received.
If a data breach occurs, it is mandatory that all businesses, no matter what size, notify the regulators. This must be done within 72 hours of detecting the breach. You must also notify the affected individuals if there is a significant risk of harm due to the breach.
Whilst there have been a number of high-profile cases of data breaches (you can read about some here on the BBC website) and the fines imposed on the companies, when GDPR comes into effect in May, non-compliance will result in a fine of €20 million or 4% of company revenue, whichever is greater. It is not only the big names that can be fined – every single organisation that holds data must comply or risk a fine.