A Guide to GDPR
What is GDPR?
The General Data Protection Regulation, or GDPR, is a binding legislative act devised by the European Union to protect personal data. The regulation replaces the inconsistent or outdated data protection laws currently in force across the EU and facilitates the protected free flow of personal data. It is being discussed more and more because all businesses have been preparing for the introduction of GDPR on the 25th May 2018.
Why is GDPR being implemented?
Due to huge leaps in technological advancement in recent years, there has been a growing need in Europe to create a standardised data protection system. The current framework is outdated and incompatible with the vast improvements in our technology. Outdated legislation, inconsistencies between data protection regulations, limited control and rights for data subjects, and a lack of security and privacy have all been raised as evidence that a new, more modern data protection framework is needed.
When a group of 180 senior data security professionals were surveyed, only 29% believed that there was adequate protection for data privacy. It was also found that over 15% of local councils in the UK do not provide data protection training to teach their employees how to process personal data. Despite this, a survey of 7600 bank customers found that 83% trust their banks with their data, and only 3% believe their banks have been victims of cyber-attacks. This shows that there is a huge amount of misinformation about data protection, with many ordinary people not understanding the risks, especially since up to 74% of UK SMEs had a security breach in 2016. The lack of training, public information and security protocols means that the GDPR is a necessity if we are to continue entrusting our personal information to businesses and companies online.
What does GDPR require companies to do?
The goal of GDPR is to create and maintain a secure data landscape, allowing the free flow of data without the risk of breaches and data theft, and it is the responsibility of every data controller and processor to ensure this is put into place. As such, GDPR requires all organisations to clarify exactly what data they collect, how it is stored, and what they use it for. To start with, it is vital under GDPR that customers give their permission before you use their data, and that they are able to find out exactly what that data is used for. The increased need for data consent also requires companies to offer alternative methods of obtaining consent, such as contracts that require signing and forms that require explicit consent, so they can't be pre-ticked by default. Failure to gain consent before using customer data is a breach that falls under the two-tier fining system explained later in this blog.
Users must be able to consent to cookies being placed on their browser as part of the new regulations, and the coverage is being extended to apply to new software such as messaging apps, email providers and social media tools. There will be new rules to follow regarding data handling, requiring companies to report on what was said, who said it, where it was said and when it was said.
What are the effects of Brexit on GDPR?
Despite Britain preparing to leave the EU, the dangers of poor data protection regulations remain. The UK government has agreed that it is important to push similar legislation through despite GDPR being an EU law, as the GDPR will apply to all businesses that work with EU data. While it may take Britain longer than the rest of the EU to reach suitable data protection levels, it is still a necessity for companies to prepare themselves for this, and failure to do so may result in huge fines and irreparable reputational damage.
What happens if my company is not prepared?
The GDPR introduces a two-tier fining system that is far more severe than any financial deterrent under the Data Protection Act (DPA) currently in use. As of the 2018 deadline, failing to comply with the regulations and suffering a data breach will result in a fine of up to £8.6 million or 2% of the previous year's global annual turnover, whichever figure is greater. However, if the authorities deem the breached data to be highly important or valuable, the second tier applies, meaning a fine of up to £17.25 million or 4% of the previous year's global annual turnover, again whichever is greater.
However, there is more than the risk of fines for companies to concern themselves with. Companies that suffer large data breaches often make national news, and the blow to the business's reputation can be more damaging than any fine. Companies like TalkTalk and Yahoo both suffered huge data breaches, and their stocks plummeted in response, losing huge amounts of money and, more importantly, huge numbers of active customers.