GDPR stands for General Data Protection Regulation, a piece of legislation from the EU which intends to strengthen and unify data protection for all EU citizens. The aim is to give people power over their own personal data, as well as simplify data protection regulation by making it uniform across the whole of the EU.
The regulation, entitled ‘Regulation (EU) 2016/679’, will replace the EU Data Protection Directive (DPD) once it becomes enforceable on the 25th of May 2018, after a 2-year transitional period giving businesses time to prepare. The regulation does not require national governments to pass any enabling legislation themselves, as it is directly binding.
The GDPR differs from the DPD in a number of ways:
It covers personal data that is controlled or processed within the EU, or that concerns people within the EU. It also applies to companies outside the EU that process the information of people within the EU. The kind of data protected includes names, email addresses, photos, bank details, social media posts, medical information and IP addresses. This doesn’t necessarily apply to information relevant to national security or law enforcement.
The legislation applies to all EU member states, each of which will establish independent Supervisory Authorities to investigate complaints and sanction offences. For multinationals within the EU, one authority will be the ‘lead authority’, acting as a one-stop shop to supervise all processing activities of the business throughout the EU.
Businesses have the responsibility to keep records and give notice of the data they are collecting to those involved, including retention times and contact information for the data controller and data protection officer. Consumers have the right to request access to their data free of charge, and the information has to be disclosed within 40 days. Consumers also have a ‘right to be forgotten’, meaning that their data must be completely erased on request, as well as all copies held by businesses linked to yours. All communication options on your website will have to be ‘opt in’ rather than ‘opt out’.
Breaches and Sanctions
If you have a data breach, you must notify the Supervisory Authority within 72 hours, as well as those affected. Not complying with these rules could mean a penalty of up to €20 million or 4% of your annual global turnover, whichever is larger.
Getting Ready for GDPR
The regulation comes into effect in May 2018, while the UK is scheduled to leave the EU on the 29th of March, 2019, meaning the legislation will apply to the UK before then. The regulation also applies to UK businesses that handle the data of EU citizens even after we leave the EU, meaning that all such businesses need to prepare for the implementation of GDPR. While you can read up on the legislation to better understand it, for many the new regulations will require you to make some changes to your website and business model.
There are a number of ways businesses can become compliant. One very simple way is to delete information automatically or on request, and change your business to make this feasible. A less extreme way is to change the way you organise your data to bring it in line with the new regulation. Another way is to add controls or use technology to safeguard your system of data capture and retention. If you are a small company with a select group of clients, you may be able to manually handle “right to be forgotten” or information requests, but there is also technology you can use to make this process manageable.
Wirebox has the expertise and talent to run a comprehensive review of all of your systems to determine how to make them compliant, and how to use technology in a way that complements your business model. Whether you need to update your website with new functions, use different software or make drastic changes to the process of data handling, we will work with you to determine what solution is best for you, so that the transition to the new regulatory scheme helps rather than hurts your business.