On 25 May 2018, the new EU General Data Protection Regulation (GDPR) comes into force.
It replaces the Data Protection Act 1998 and could mean big changes for any firm that gathers and uses personal data.
Although the UK is set to leave the EU, the government has confirmed this will not affect the commencement of the GDPR, so all UK businesses need to prepare for the new law and understand what it will mean for them.
Why is GDPR happening?
GDPR represents a major change to the law on data protection. In the 20 years since the Data Protection Act came into force, we’ve started using the internet, mobiles, social media and e-commerce in completely new ways. The ways in which firms use the data they collect on customers and web users have changed too.
GDPR is intended to bring the law into line with the way people and firms use technology today. It also aims to give people more control over their data, and to standardise some of the ways to communicate with people about how their data is being used.
Will it affect me?
GDPR affects any business that collects or processes personal data, particularly online.
GDPR's reach is defined by where the people whose data is processed are, not only by where the business is. It applies to organisations established in the EU, and also to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour. So a firm based outside the EU (for example, in the UK after Brexit) that serves customers within it must still comply. This also brings within scope firms outside the EU that were never subject to the Data Protection Act.
What’s new in GDPR?
Essentially, the rules on how companies can use personal data are being made much more detailed. What's more, GDPR requires firms to be far more transparent about how they store and process data, and to be able to demonstrate that they comply.
Consent is one of the lawful bases for processing, and where a firm relies on it the consent must be explicit and affirmative before it gathers data on people. In other words, it won't be enough for people to have the facility to opt out if they want: they must actively opt in, and it must be as easy for them to withdraw consent later as it was to give it. Data subjects also gain stronger rights to access their data, have it corrected, take a copy to another provider (data portability) and have it deleted completely (the 'right to be forgotten', or right to erasure).
Businesses that collect and analyse data on behalf of other businesses (data processors) will probably notice the biggest change, because GDPR places direct legal obligations on processors for the first time. Any firm that collects data from children must explain how it will use the data in a way that the children themselves can understand. Online services offered directly to children will need a parent's consent for children under the age threshold (16 under the regulation, though member states may lower it to as low as 13), which could pose a significant challenge.
What are the penalties?
GDPR brings in stiff penalties for non-compliance. Supervisory authorities (the ICO in the UK) will be able to impose fines for the most serious violations of up to €20m or 4% of a firm's worldwide annual turnover, whichever is higher, with a lower tier of up to €10m or 2% for other breaches.
GDPR also makes collective action easier for groups of people who believe a firm has broken the rules: data subjects can mandate a not-for-profit body to lodge complaints and, where national law allows, claim compensation on their behalf. So if a company leaks information about a group of its customers, for example, they will be able to join forces and take action against it.
What will I have to do?
Legal documents such as privacy policies and data processing agreements will need to be updated to set out more clearly defined guarantees and protections.
On a technical level, you will need a way to record data subjects' explicit consent (and its withdrawal), and to let them access, correct, export and delete their own data on request, normally within the one-month deadline the regulation sets for responding.
Internally, staff will need to appreciate the implications of the new rules and understand how to apply them. You might need a new code of conduct to ensure that GDPR is fully taken on board.
Secure disposal of paper and digital records
A large part of GDPR is concerned with getting rid of records when they are no longer needed (storage limitation), or when data subjects exercise their right to have their information erased.
If records need to be disposed of, you need to consider how to achieve this in a secure, confidential way. Physical shredding is the most reliable way to destroy both paper records and digital media and ensure that their contents cannot be recovered: it is the 'destroy' level of media sanitisation in NIST SP 800-88, and unlike software overwriting it does not depend on a drive's firmware honouring the erase, which matters on solid-state drives where wear levelling can leave copies of data in blocks an overwrite never reaches.
At Shred Station, we offer secure services for the disposal of both paper and digital confidential waste, either at your offices or at our own secure site. All our staff are security vetted, and our buildings and vehicles are protected by security cameras. Once we've shredded your materials, we provide a certificate of destruction, which gives you reassurance that your records are gone for good and a record of the disposal for your own compliance files.
The ICO has compiled a data protection reform website to help organisations understand and adapt to the General Data Protection Regulation (GDPR).
It also provides a checklist of 12 steps to take now in preparation for the GDPR, "Preparing for the General Data Protection Regulation (GDPR)".