- The European Union’s General Data Protection Regulation (GDPR) comes into force on 28th May 2018
- Under the GDPR, the data protection of individuals is greatly enhanced
- Any business operating in the EU must comply or face fines of up to €20 million
The deadline for the European Union’s General Data Protection Regulation (GDPR) is 28th May 2018. Yet research reveals that only one-third of global businesses are prepared for the impending regulation.
Simply put, to comply with the GDPR, you need to follow a series of principles when you collect, process and store the personal data of EU citizens within EU member states. The GDPR also regulates the export of personal data outside of the EU.
In other words, the GDPR is so widely applicable that any business within the EU, or those trading with the EU, should be prepared to comply.
If you fail to comply, your organisation could be fined up to €20 million, or four percent of your global annual turnover, whichever figure is greater.
As a result, the GDPR may seem like quite a terrifying prospect.
The GDPR is an extensive piece of legislation, but here is an overview of the key points you need to be aware of ahead of the May deadline:
1. The right to be forgotten
The GDPR considerably increases the rights of your data subjects (in other words, those individuals whose personal data you hold).
A key article in the legislation is the “right to be forgotten”, under which a person can ask you to erase any personal data concerning him or her “without undue delay” when one of several grounds detailed in the GDPR applies.
For example, if you are holding personal data that is no longer necessary in relation to the purposes for which it was originally collected or processed, or that personal data has been unlawfully processed, the data subject can ask for it to be erased.
This means that you need to ensure that you are clear about what data you are collecting and what you will be using it for.
You must also be able to “take reasonable steps” to erase personal data that might be public, such as in news articles or databases.
2. Gaining consent
Under the GDPR, you should ensure that you have secured clear and unambiguous consent from a data subject before processing their personal data.
For example, you cannot use “silence, pre-ticked boxes or inactivity” to gain consent and must only use personal data for the processing activity the data subject originally consented to, according to the GDPR.
Simply put, data subjects must now actively “opt in” instead of the onerous “opt out” tick boxes so often used by online forms.
3. The right to see your data
Data subjects and supervisory authorities can also request a copy of any personal data held.
What’s more, you need to retain a record of all your data processing activities – including where, how, and why someone’s data has been processed.
4. Data protection by design
The GDPR makes the longstanding concept of ‘privacy by design’ mandatory. In other words, you need to consider the privacy or data protection of data subjects in the initial design phase of any new application or process.
If you use technologies and processes that could put the personal data of subjects at “high risk” you may also be required to carry out a “data protection impact assessment” under the GDPR.
And, if you decide to contract your data processing activities to a third party, you need to be able to provide “sufficient guarantees to implement appropriate technical and organisational measures” to ensure the rights of the data subject are protected.
5. The introduction of a Data Protection Officer
You may need to appoint a Data Protection Officer (DPO) to ensure you comply with the GDPR. A DPO will also offer advice, monitor your data protection impact assessments and act as the point of contact with any supervisory authority.
You can hire a dedicated DPO, upskill an existing member of staff, or bring in a third-party contractor as and when you need to.
6. Data breach reporting
If you are affected by a data breach, the GDPR mandates that you inform the relevant supervisory authority and the data subjects.
You need to have the right processes in place to achieve this, as the GDPR further stipulates that you need to report a data breach within 72 hours of becoming aware of that breach.
As a result, the GDPR presents the perfect opportunity for businesses to review and overhaul their existing security policies and protocols.
What next?
The depth and breadth of the GDPR can make it seem like an overwhelming prospect. However, a sensible first step would be to complete a thorough data audit of your business to identify what personal data you currently hold, where it has been shared and what needs to be done to comply with the GDPR.
The steps outlined in this article are provided to highlight the key requirements of the GDPR. To find out more, read the GDPR legislation in full.