Businesses of all sizes will have to be legally compliant with the GDPR and its regulations regarding the secure collection, storage and use of personal information.
In this article, we'll discuss the GDPR's key features, what impact it's likely to have on businesses across the UK, what you can do to prepare for the changes, and review a few misconceptions in time for the regulations coming into effect later in the month.
GDPR implementation is a sizeable subject, so we have broken the key information down into sections to make it easier to digest.
In simple terms, the GDPR has been introduced as a means to encourage businesses across the EU to consider their personal data and data protection in a more serious manner. It applies to any and all companies processing and holding the personal data of individuals living in the European Union, regardless of the company’s location.
Today, we function as part of an increasingly data-driven world, one completely different from when the Data Protection Directive was established in 1995. The GDPR aims to update the protection of personal data for the climate of the modern world.
As part of its legislation, the GDPR comprises the following two objectives:
The types of personal data the GDPR will protect include:
When implemented, the GDPR applies to businesses that fall into two categories: controllers and processors. Controllers dictate how and why personal data is processed, while processors act on behalf of controllers, e.g. an external payroll service provider.
In effect, the GDPR places stringent legal obligations on both. Processors are required to maintain records of personal data and processing activities, while controllers’ contracts with processors need to be in line with the new legislation brought by the GDPR.
Elsewhere, the conditions for consent have been bolstered. As a result, companies will be forbidden from using long, illegible terms and conditions packed with confusing legalese. Requests for consent must be provided in a clear, intelligible manner that uses plain language.
Failure to comply is considered a major breach, with fines of up to €20m, or 4% of the total annual global turnover for the previous year (whichever is greater), for businesses that don’t comply.
Since the requirements for businesses to be GDPR-compliant are so stringent, there are a few things you should consider doing before the directive is put in place next year.
Some businesses will be required to hire a data protection officer, including public authorities and those whose activities require regular data monitoring. We’ll further discuss the appointment of data protection officers in our misconception section.
Be selective in what data you need to keep
Superfluous data may cause more of a headache in the long run, so be mindful of any data you’re storing that isn’t being used. The GDPR will minimise the collection of data that isn’t used in any meaningful way, resulting in a more focused, disciplined treatment of personal data.
Review your documentation
As mentioned earlier, consent will strengthen under the GDPR, so implied consent may not be acceptable anymore. Individuals must make their consent to the handling of their data explicit – review your privacy statements and disclosures, as well as third-party contracts, making the appropriate adjustments if necessary.
When developing new processes and practices to adhere to the GDPR, the creation of clear audit trails can help protect your business. Demonstrating your intent to meet all guidelines, and showcasing how you are accommodating the changes through a comprehensive audit trail can reduce the chances you’ll fall foul of regulation changes.
Protect your privacy
Put measures such as privacy impact assessments in place, as these help to assess the risks to privacy and how to minimise them by creating more efficient and effective processes for handling personal data.
Prepare yourself for data breaches
Ensure that your business has the correct training and systems in place in order to effectively deal with any data breaches that may occur. Take quick action (within 72 hours) and notify the appropriate authorities in the event this does happen; if you're outsourcing, you need to make sure the service provider has these security measures in place too.
Once the GDPR is in effect, data controllers will have to pay a notification fee to the Information Commissioner’s Office, replacing the current registration process and fee on 25 May. The amount your business will pay depends on what type of organisation it is.
You need to be able to show how you’re complying with GDPR requirements. Failing to define responsibilities in contracts, to record data processing activities such as consent processes and agreements, or to have a breach handling process in place would all be failures of accountability on your part.
If you’re providing written documentation, then the standard and amount you provide depend on your size, and a limited exemption is in place for small and medium-sized organisations. If your business has fewer than 250 employees, processing activities only need to be documented if they could result in a risk to the rights and freedoms of individuals, or if they involve the processing of special categories of data or criminal conviction and offence data.
A few misconceptions have arisen as a result of the GDPR’s impending introduction. Here, we’ll discuss some of the more common myths surrounding the implementation of the directive.
A Data Protection Officer is absolutely mandatory
There’s an implication from some advisers that all organisations must employ a Data Protection Officer (DPO). This isn’t technically true. Rather than the size of a company being the main determiner, it’s the type of data processing that determines the necessity of a DPO.
DPOs must be appointed if your business is a public authority, is involved with large-scale systematic monitoring or engages in the large-scale processing of sensitive personal data. What is considered large scale is down to your own interpretation. In this case, legal advice should be sought.
Another myth, but one that’s not without basis in fact. Article 30 allows for concessions towards companies of this size if they’re involved in processing activities.
Businesses that have maintained a record of processing activities featuring the name and contact details of the controller, the reason for processing, a description of the personal data, and how long the data will be kept before deleting will be exempt from the regulations.
With Britain preparing to leave the EU, some companies are operating under the impression they may be exempt from the GDPR. However, Britain is set to opt in to the GDPR, and furthermore, the regulation applies to all businesses which deal with the data of European citizens – regardless of the business’ home nation.
The use of the word ‘personal’ has led some to believe that work-based information is exempt from the GDPR. This is not necessarily true - according to the definition in the Data Protection Act, ‘personal data’ refers to information related to an individual which has been stored using data collection equipment or filing systems. This means that work-based information – such as professional contact details – can be considered personal information.
Any existing consents which are valid under the current Directive but do not meet the requirements of the GDPR, will have to be re-obtained. Businesses should not rely on legacy consents, and should be pro-active in meeting the new regulations.
The views, opinions and positions expressed within this article are those of our third-party content providers alone and do not represent those of Gazprom Energy. The accuracy, completeness and validity of any statements made within this article are not guaranteed. Gazprom Energy accepts no liability for any errors, omissions or representations.