Aside from Brexit, the General Data Protection Regulation (GDPR) is the topic on everybody’s mind.
GDPR affects everyone, businesses and individuals alike, so knowing as much as you can about this new EU regulation now – and preparing for its impact now – will help you be compliant and avoid a huge potential fine in the future.
This guide will attempt to explain what GDPR is and what you need to know about it in simple terms. We’ve placed an emphasis on simplicity because many guides out there are circulating misinformation, further adding to the confusion around GDPR.
Let’s now dispel much of the fog surrounding GDPR and bring about some clarity on this important subject. Without further ado, here are some in-a-nutshell answers to some of the most pertinent questions:
What is GDPR?
Let’s start with the obvious. What exactly is GDPR and why has it been introduced? Firstly, GDPR exists to give people better control over what businesses and organisations can do with their data. It also makes data protection laws identical across all EU countries, making things clearer and simpler for everyone.
- In other words, GDPR seeks to systemise and unify data privacy laws across all EU member countries.
Currently, in the UK, the handling of data is governed by the 1998 Data Protection Act. GDPR will supersede the Data Protection Act, introducing new rules and penalties for those who fail to adhere to them, but more on that later.
When will GDPR take effect?
- 25th May 2018
Right now. GDPR first came into force on 24th May 2016, though at present GDPR is a regulation and not a directive, meaning companies have until 25th May 2018 before the regulation becomes law and applies to them.
Having said that, it’s essential to start preparing for its arrival now while you still have some wiggle room.
Who does GDPR apply to?
GDPR applies to “controllers” and “processors” of data, which covers just about every organisation out there as most organisations handle people’s personal data at some point, whether it’s the data of customers, suppliers, the public or staff.
- Something that must be mentioned here is that GDPR will still apply to businesses and organisations based outside the EU so long as they’re handling data about EU residents.
What am I supposed to do to comply with GDPR?
This is perhaps the most important question of all. It’s all well and good knowing what GDPR is and why it’s here, but how are we supposed to comply with it?
- We highly recommend following the 12 steps set out by the Information Commissioner’s Office (ICO).
- One key point to make note of in terms of collecting people’s data is that you must always ask for their explicit and informed consent to give it and do so in a very timely, clear and obvious way so that they fully understand what you are collecting, why and what you intend to do with it thereafter.
- You can no longer rely on automatic, assumed or inferred consent, e.g. where a box on a website form is already ticked. Instead, the person has to tick the box themselves to agree to your Terms and Conditions, for instance.
What can I do right now to prepare for GDPR?
The ICO is the UK’s authority on the subject and if you read their advice and follow the 12 steps above – which you can take right now – your organisation will be taking the right steps towards being compliant in time for 25th May 2018.
- It is the responsibility of management, and everyone handling people’s data in your organisation, to know that GDPR exists and to comply with it.
- Lack of awareness of GDPR cannot be used as a legal defence.
What happens if I don’t comply?
The consequences of not complying are severe. Failure to adhere to the rules could result in a penalty of up to €20 million (around £17.8m) or 4% of your global annual turnover, whichever is greater.
Aren’t we leaving the EU? Why bother?
While the UK is indeed working towards leaving the EU, the GDPR will take effect before the legal and practical consequences of leaving the EU do. For the time being, all UK organisations must comply.
If and when we do leave the EU, we may not necessarily drop this piece of legislation. In fact, we will likely continue to follow GDPR or similar legislation long after we have left, simply because it will make things a whole lot easier when transacting business with other EU countries.
- Remember: whether the UK remains or leaves the EU, if you handle data originating from an EU country or citizen, you will need to comply with GDPR.
If you’re interested in reading further on the subject of GDPR, we recommend visiting www.ico.org.uk.
We’d love to hear your thoughts and/or questions on GDPR, so leave a comment using the box below.