What your business needs to know to be GDPR compliant

15 May 2018

Businesses of all sizes will have to be legally compliant with the GDPR and its regulations regarding the secure collection, storage and use of personal information.

In this article, we'll discuss the GDPR's key features, what impact it's likely to have on businesses across the UK, what you can do to prepare for the changes, and review a few misconceptions in time for the regulations coming into effect later in the month.

GDPR implementation is a sizeable subject, so we have broken the key information down into the following sections to make it easier to digest.

Key objectives of the GDPR

In simple terms, the GDPR has been introduced as a means to encourage businesses across the EU to consider their personal data and data protection in a more serious manner. It applies to any and all companies processing and holding the personal data of individuals living in the European Union, regardless of the company’s location.

Today, we function as part of an increasingly data-driven world, one completely different from when the Data Protection Directive was established in 1995. The GDPR aims to update the protection of personal data for the climate of the modern world.

As part of its legislation, the GDPR comprises the following two objectives:

  • Give citizens and residents control of their personal data to protect and empower them.
  • Simplify the regulatory environment for international businesses by unifying the regulation within the EU.

The types of personal data the GDPR will protect include:

  • Basic identity information such as name, address and ID numbers.
  • Web data such as location, IP address, cookie data and RFID tags.
  • Health and genetic data.
  • Biometric data.
  • Racial or ethnic data.
  • Political opinions.
  • Sexual orientation.


How will the GDPR affect UK businesses?

When implemented, the GDPR applies to businesses that fall into two categories: controllers and processors. Controllers dictate how and why personal data is processed, while processors act on behalf of controllers, e.g. an external payroll service provider. 

In effect, the GDPR places stringent legal obligations on both. Processors are required to maintain records of personal data and processing activities, while controllers’ contracts with processors need to be in line with the new legislation brought by the GDPR.

Elsewhere, the conditions for consent have been bolstered. As a result, companies will be forbidden from using long, illegible terms and conditions packed with confusing legalese. Requests for consent must be provided in a clear, intelligible manner that uses plain language.

Failure to comply is considered a major breach, with fines of up to €20m, or 4% of the total annual global turnover for the previous year (whichever is greater), being placed on businesses that don’t comply.


How UK businesses can prepare for GDPR

Since the requirements for businesses to be GDPR-compliant are so stringent, there are a few things you should consider doing before the directive is put in place next year.

Appoint a data protection officer

Some businesses will be required to hire a data protection officer, including public authorities and those whose activities require regular data monitoring. We’ll further discuss the appointment of data protection officers in our misconception section.

Be selective in what data you need to keep

Superfluous data may cause more of a headache in the long run, so be mindful of any data you’re storing that isn’t being used. The GDPR will minimise the collection of data that isn’t used in any meaningful way, resulting in a more focused, disciplined treatment of personal data.

Review your documentation

As mentioned earlier, the conditions for consent will be strengthened under the GDPR, so implied consent may no longer be acceptable. Individuals must make their consent to the handling of their data explicit – review your privacy statements and disclosures, as well as third-party contracts, and make the appropriate adjustments where necessary.


Create an audit trail

When developing new processes and practices to adhere to the GDPR, the creation of clear audit trails can help protect your business. Demonstrating your intent to meet all guidelines, and showcasing how you are accommodating the changes through a comprehensive audit trail can reduce the chances you’ll fall foul of regulation changes.

Protect your privacy

Put measures such as privacy impact assessments in place, as these help to assess the risks to privacy and how to minimise them by creating more efficient and effective processes for handling personal data.

Prepare yourself for data breaches

Ensure that your business has the correct training and systems in place in order to effectively deal with any data breaches that may occur. Take quick action (within 72 hours) and notify the appropriate authorities in the event this does happen; if you're outsourcing, you need to make sure the service provider has these security measures in place too.


Pay the correct notification fee 

Once the GDPR is in effect, data controllers will have to pay a notification fee to the Information Commissioner’s Office, replacing the current registration process and fee on 25 May. The amount your business will pay depends on the type of organisation it is.

  • Micro organisations with a maximum turnover of £632,000 or no more than ten members of staff will pay £40.
  • Small-to-medium organisations with a maximum turnover of £36 million or no more than 250 members of staff will pay £60.
  • Large organisations that don’t meet the criteria for tiers 1 and 2 will pay £2900.

Be in a position to prove your accountability

You need to be able to show how you’re complying with GDPR requirements. Failing to define responsibilities in contracts, to record data processing activities such as consent processes and agreements, or to have a breach handling process in place would all be failures of accountability on your part.

If you’re providing written documentation, then the standard and amount you provide depend on your size, and a limited exemption is in place for small and medium-sized organisations. If your business has fewer than 250 employees, processing activities only need to be documented if they could result in a risk to the rights and freedoms of individuals, or if they require the processing of special categories of data or criminal conviction and offence data.


GDPR Misconceptions

A few misconceptions have arisen as a result of the GDPR’s impending introduction. Here, we’ll discuss some of the more common myths surrounding the implementation of the directive.

A Data Protection Officer is absolutely mandatory

There’s an implication from some advisers that all organisations must employ a Data Protection Officer (DPO). This isn’t technically true. Rather than the size of a company being the main determiner, it’s the type of data processing that determines the necessity of a DPO.

DPOs must be appointed if your business is a public authority, is involved with large-scale systematic monitoring or engages in the large-scale processing of sensitive personal data. What is considered large scale is down to your own interpretation. In this case, legal advice should be sought.

Companies with fewer than 250 employees are exempt

Another myth, but one that’s not without basis in fact. Article 30 allows for concessions towards companies of this size if they’re involved in processing activities. 

Businesses that have maintained a record of processing activities featuring the name and contact details of the controller, the reason for processing, a description of the personal data, and how long the data will be kept before deletion will be exempt from the regulations.

GDPR only applies to companies based in EU nations

With Britain preparing to leave the EU, some companies are operating under the impression they may be exempt from the GDPR. However, Britain is set to opt in to the GDPR, and furthermore, the regulation applies to all businesses which deal with the data of European citizens – regardless of the business’ home nation.


Work contact details are not personal information

The use of the word ‘personal’ has led some to believe that work-based information is exempt from the GDPR. This is not necessarily true - according to the definition in the Data Protection Act, ‘personal data’ refers to information related to an individual which has been stored using data collection equipment or filing systems. This means that work-based information – such as professional contact details – can be considered personal information.

GDPR doesn’t apply to existing data

Any existing consents which are valid under the current Directive but do not meet the requirements of the GDPR will have to be re-obtained. Businesses should not rely on legacy consents, and should be proactive in meeting the new regulations.


The views, opinions and positions expressed within this article are those of our third-party content providers alone and do not represent those of Gazprom Energy. The accuracy, completeness and validity of any statements made within this article are not guaranteed. Gazprom Energy accepts no liability for any errors, omissions or representations.
