What does GDPR mean for your business?

The UK is getting ready for stricter regulation and heavier fines across all industries. The European General Data Protection Regulation (GDPR) applies from 25th May 2018. GDPR is on everyone's mind, but are you prepared for the changes? Here are the key things you'll need to watch out for and act upon.

What is GDPR?

The European General Data Protection Regulation (GDPR for short) is built around two key principles:
– Giving people more control over their personal data.
– Simplifying regulation for international businesses with a single, consolidated regulation that applies across the European Union (EU).

GDPR applies to any business that processes the personal data of individuals in the EU, whatever their citizenship. This includes companies based outside the EU that offer goods or services to people in the EU or monitor their behaviour. The government has confirmed that Brexit will not affect the GDPR start date or its operation in the meantime, and that post-Brexit the UK's own law will directly mirror the GDPR.

How GDPR will affect your business

As stated above, GDPR applies to any business that processes the personal data of individuals in the EU. That includes customer, supplier, partner and employee data. You need to check how often your business deals with personal data. This covers your customer data as well as:
– Supplier data
– Past and present employees
– Anything else you've collected that doesn't fall into these two groups.

If you collect any of this data routinely, you'll need to comply with the GDPR whether it is held on a spreadsheet, on your computer network, on a mobile phone or in the cloud.

Businesses must appoint a Data Protection Officer (DPO) if their core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of 'special category' data (public authorities must appoint one regardless). The DPO's role is to ensure the company complies with the requirements of the GDPR, and they will also be the contact for any data protection queries.
The GDPR doesn't define exactly what constitutes 'large-scale', but examples include the processing of patient data by hospitals, travel data by transport services, and customer data by an insurance company or bank.

Customers and clients will have more rights over how businesses use their data, including in some cases the right to erasure (the 'right to be forgotten') if they no longer want you to process their personal data. If an individual is no longer a customer and the contract has ended, that does not of itself give you a right to keep their data. Failure to comply will attract harsher penalties.

The GDPR applies to any business that processes the personal data of individuals in the EU, including those with fewer than 250 employees.

Personal data breaches that are likely to put people's rights and freedoms at risk must be reported to the regulator (in the UK, the Information Commissioner's Office, ICO) without undue delay and, where feasible, within 72 hours of your becoming aware of them.

Employ fewer than 250 people?

Being a small business doesn't put you outside the GDPR, even if you don't need to appoint a DPO. It is recognised that small businesses have fewer resources and generally pose less risk to data protection, so the ICO may take a more proportionate view of any non-compliance. Your business must still comply if it is involved in regular processing (which includes collecting, storing and using) of personal data. It's easier to follow the GDPR and get compliant than to spend time working out how you can avoid it. If you contract with a larger company that carries out large-scale processing, you may also be held to the stricter end of the GDPR's requirements.

GDPR checklist for your business

With this list, take into account past and present employees and suppliers, as well as customers and anyone else whose data you hold or will hold.
Get to know your data, if you don't already

You'll need to demonstrate an understanding of the type of data you hold, where it comes from, where it goes and how you use it, for example:
– Personal data: name, address, email, bank details, photos, IP addresses.
– Sensitive (or special category) data: health details or religious views.

Consent to process personal data

If you rely on consent as your lawful basis for processing, this becomes harder under the GDPR. Consent must be freely given, specific, informed and unambiguous, and explicit where special category data is involved. Avoid relying on consent unless it is genuinely the most appropriate basis. 'Consent' has been redefined and tightened: requests for consent can no longer be hidden in the small print but must be presented clearly and separately from other terms on your website or in your communications, and pre-ticked boxes no longer count.

Scrutinise your security measures and policies

You'll need to update these to be GDPR-compliant, and if you don't currently have any you need to put them in place. Broad use of encryption is a good way to reduce the impact of a breach and, with it, the likelihood of a large penalty: if the data lost in a breach is encrypted and unintelligible to whoever obtained it, you may not be required to notify the affected individuals. That protection only holds if the encryption keys were not compromised along with the data.

Access requests

Subject access rights are changing. Under the GDPR, customers and clients have the right to:
– Access all of their personal data
– Rectify anything that's inaccurate
– Object to processing in certain circumstances
– Have all of the personal data you hold on them erased, in certain circumstances

Each request must be answered within one month of receipt. This can be extended by up to two further months where requests are complex or numerous, and you must tell the individual within the first month if you are doing so.

Train your employees to prevent and spot breaches

Employee error is the most common cause of a data breach. Every employee should understand what counts as a personal data breach and how to recognise the warning signs. Everyone in your business must know to report any mistake promptly to the DPO or to the person or team responsible for data protection compliance.
Check your supply chain contracts

All suppliers and contractors that handle personal data on your behalf should be GDPR-compliant; a breach at a supplier can still leave you exposed to penalties. Check you have the right contract terms in place with suppliers. The contract should place the crucial duties on them, such as notifying you without undue delay if they have a data breach.

Whether you act as a controller or a processor, the GDPR requires you to keep records of your processing. You will need to:
– Keep up-to-date records of your processing activities, covering:
  – The processing activities and their purposes
  – 'Data subject categories', i.e. customers, employees, suppliers, etc.
  – Categories of processing carried out, i.e. transferring, hosting, altering, receiving, disclosing, etc.
– Keep details of any transfers to countries outside the European Economic Area (EEA)
– Implement appropriate security measures, which may include pseudonymisation and encryption, and show that you regularly test these measures
– Be ready with a general description of the technical and organisational security measures you have in place

What are the GDPR penalties?

The GDPR toughens the penalties that already exist under the Data Protection Act (DPA) 1998. These existing penalties include:
– Maximum fines of £500,000
– Criminal prosecution for deliberate offences, such as unlawfully obtaining personal data
– Obligatory undertakings, where your company has to commit to specific action to improve compliance

Penalties get heavier in May. Businesses in breach face a dramatic increase in fines, with an upper limit of €20 million or 4% of annual global turnover, whichever is higher (a lower tier of €10 million or 2% applies to less serious infringements). Bankruptcy will be a real risk for non-compliant businesses as a result of these fines. Individuals can also sue you if they suffer as a result of your data handling, whether for material damage or for non-material harm such as distress.