For twenty years now, the capture, storage, and safe destruction of physical and digital data have been governed by the Data Protection Act (1998). These regulations ensure that data is processed safely and that the security of personal and confidential information is protected against possible theft and fraud.
From the 25th May 2018, the new EU General Data Protection Regulation (GDPR) will become enforceable across the UK, affecting everyone from large organisations to small and medium-sized local businesses. Before we go on, don’t panic: the GDPR is merely an extension of existing laws, and whilst it will change the way we work, it won’t mean a massive overhaul of established practices (provided your business is compliant to begin with).
What is it?
Basically, the GDPR acts just like the existing Data Protection Act (1998) we have now – it protects the security of personal data. However, the GDPR will require businesses to step up their responsibilities and accountability when it comes to processing information in a compliant manner. Businesses will have to provide an auditable trail for regulators and demonstrate the measures and processes undertaken to securely store and destroy the data they handle.
The GDPR addresses the increasing role that the Internet and technology play in data handling. With so many organisations now trading and sharing across both physical and digital borders, having consistent safeguards in place is crucial to keeping personal information responsibly. Under the GDPR, any online identifier, e.g. an IP address, now counts as personal data. It also extends regulatory powers beyond EU borders, taking into account new possibilities – and dangers – of sharing data across the globe.
How does it affect me?
From the individual’s point of view, the GDPR will work to safeguard our rights as ‘data subjects’. Individual consent must be given to process personal data (which means no more cold calls or bizarre marketing messages). Businesses will have to document that consent has been given and offer explicit opportunities for customers to opt out of, and opt in to, receiving marketing.
Three new rights have also been created to police how data is collected and used online. These are: the Right to Be Forgotten (the deletion of personal data on request); the Right to Data Portability (the ability to transfer your personal data); and the Right to Object (to being profiled). Ensuring these new rights are honoured will be smooth sailing provided the correct measures and processes are in place.
What are the penalties for non-compliance?
The GDPR will also strengthen penalties for non-compliance. The maximum fine dealt to organisations breaching the DPA currently stands at £500,000 – under the GDPR, the potential fine is as high as €20 million or £17.2 million. These penalties certainly raise the stakes of data collection, storage, and protection, and will give many businesses the encouragement they need to be vigilant and accountable for the data in their possession. Faced with these dramatically increased fines, it’s crucial to review your practices and get prepared now.
What do I need to do?
The new regulations mean that you will need to have an effective and auditable process in place for the secure storage and destruction of confidential information. Carry out risk assessments and internal audits, implement a management plan for potential breaches, and destroy physical and digital data in a timely fashion.
You might also want to get your staff trained on the mechanics of the new regulations. This will iron out any kinks in your data management strategy and ensure everyone is on the same page when it comes to responsible data handling.
How should I prepare?
Take a look at our 5-point plan to get you and your business prepared in time for the 25th May deadline.
- Audit your current practices to determine areas of risk and potential breaches
- Update your processes and materials ready for regulatory inspection (if it occurs!)
- Make sure you have plans and tools in place to safely destroy data you don't need
- Review your marketing to include opt-ins and opt-outs
- Invest in staff training to cover all aspects of the new regulations