What is GDPR for businesses?
The General Data Protection Regulation (GDPR) is a law brought in by the European Union (EU) in May 2018. It replaces the 1995 Data Protection Directive, which was implemented in the UK as the Data Protection Act 1998. The aim of GDPR is to modernise the laws that protect the personal information of individuals.
GDPR applies to any business that collects data on EU citizens and enforces changes to the way data is stored and handled within a business environment. It aims to simplify the regulatory environment so that both citizens and businesses in the European Union can fully benefit from the digital economy. Business owners are now solely responsible for the security of clients' data, and the regulation applies to organisations of all sizes that store EU citizen data, regardless of where they are based. Failure to adhere to GDPR carries a much larger financial penalty than the previous Data Protection Act 1998 did.
Recent examples of GDPR data breaches that have incurred large fines include those at Marriott Hotels and British Airways.
Below is a summary of GDPR for businesses.
Want to know what your business needs to do before May 2018 in order to be GDPR compliant? One of our certified GDPR Consultants has put together 34 questions that you need to consider in order to be compliant.
What does GDPR consider as personal data?
• Personal Home Addresses
• Contact Names
• Personal Contact Numbers
• Personal IP Addresses
• Personal Email Addresses
• Racial or Ethnic Origin
• Political Opinions
• Religious Beliefs
• Sexual Life
• Physical or Mental Health information
• Whether the customer is a member of a trade union
• Any criminal offences
What does GDPR mean for UK businesses?
GDPR has also introduced strict penalties for companies that suffer data breaches. In the event of a data breach, businesses could be fined up to 4% of global turnover or €20 million (£16.9m) – whichever is larger.
Protecting your clients' data is now more important than ever, but did you know there is more to data protection than keeping your business server in a locked room overnight? Have you thought about how well protected your cloud-based systems are? What about all your business emails, your finance software, and your historical and current paperwork?
What does it mean if your company has a data breach?
The Information Commissioner's Office (ICO) used to be able to impose a maximum penalty of £500,000 on companies that failed to adequately protect their customers' information.
If your business has a data breach, whether from a cyber-attack or human error, you are responsible for reporting it to the ICO within 72 hours of discovery. If you fail to notify the ICO within that 72-hour window, a penalty of 2% of annual turnover may apply.
How secure is your business data and why should you worry?
- Businesses are now required to self-report all data privacy breaches, no matter how small they are.
- Businesses need to appoint an independent Data Protection Officer to oversee the business setup.
- All data stored within a business environment must be kept up to date and stored for the minimum amount of time, after which it must be destroyed.
- Businesses must demonstrate compliance with the new GDPR law.
- Businesses must get permission to hold clients' data within their business setup.
What can you do now that GDPR is in force?
- Put in place an IT Security strategy and implement the relevant technology
- Carry out a risk assessment of the data your business holds so that you understand the risks and can take the appropriate action to improve security.
- Look to appoint a Data Protection Officer, which can be an IT Consultant
- Understand the requirements of the EU Regulation and the new laws.
We are also going to explore another requirement of the GDPR that we are frequently asked about. Article 37 states that many businesses throughout the UK are required to have a designated Data Protection Officer (DPO). Below we explain what a DPO is, what their role is, and what businesses need to do in preparation.
What is a Data Protection Officer?
A Data Protection Officer (DPO) plays a vital role within the business, ensuring that all staff and management adhere to the business's data protection obligations regarding the control and processing of business and customer data. More importantly, they oversee the data protection strategy for the entire business to ensure it is compliant with the GDPR and other related standards and regulations, such as ISO 27001.
What are the common duties of a Data Protection Officer?
- To inform and advise the business and its employees about data protection.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments and training staff.
- To conduct internal audits of data protection processes.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers, etc.).
- To maintain records of how data is stored and processed, why it is obtained and what the business uses it for.
- To ensure all business data is stored in a secure environment while remaining accessible at any time upon request from a customer.
Can you allocate a Data Protection Officer role to an existing employee?
Yes, you can allocate this role to an existing employee within the business as an additional responsibility, much like a Health and Safety Officer. Only large businesses will need a fully dedicated person as a Data Protection Officer.
Who is best suited to a Data Protection Officer?
If your business is ISO 27001 compliant it would make sense to assign the Data Protection Officer responsibility to the Information Security Officer who will be familiar with the current data laws and regulations. The IT Manager within your business (or similar) would likely be best suited as they should be familiar with national and European data protection laws.