Here are 16 things you didn’t know about the General Data Protection Regulation:
1. What is the GDPR?
The GDPR (General Data Protection Regulation) is data protection legislation that will be put in place early next year. The GDPR will replace both the DPA (Data Protection Act) and the DPD (Data Protection Directive).
2. The GDPR is coming soon!
Adopted by the European Parliament in April 2016, the GDPR will become UK legislation on the 25th May 2018. Are you prepared?
3. Brexit won’t affect the GDPR.
Britain will implement and maintain the GDPR even after leaving the European Union. The Information Commissioner of the ICO (Information Commissioner’s Office) has made it clear that the GDPR will be UK law even if we do leave the EU. “…they’ve made it clear that EU law will remain UK law, until the government sees fit to repeal it” – Elizabeth Denham
4. The GDPR will cover a lot of people…
The GDPR will cover all personal data of any living person within the European Union… and the United Kingdom. It is paramount that you keep personal data secure.
5. There are two sorts of data that the GDPR covers.
The GDPR covers two types of data. The first is personal data, meaning any information that can identify a person. This includes the following:
- IP address
- Location identifier
- Email address
- Photographs
- Bank details
The other type is sensitive personal data, which includes:
- Race/ethnic origin
- Health data
- Biometric data
- Sexual orientation
As mentioned before, it’s important that you secure this data.
6. The GDPR changes how we capture data.
The GDPR will require companies, including yours, to show they have obtained consent from individuals before capturing their personal data. The request for consent must be unambiguous to the individual and must state how long the data will be held, what the data will be used for, and who else will have access to it. Additionally, individuals must have a genuine choice over whether to give consent, and it must be as easy to withdraw consent as it is to give it.
7. You will deal with more SARs (Subject Access Requests).
A subject can request information regarding the personal data a company holds about them. Companies have one month to handle the request and report back; if the request is complex, an extra month can be given. The GDPR also removes any fees for SARs. Information that can be requested includes:
- What the information/data is needed for
- Which other bodies and individuals have access to it
- Where the data was collected
- Whether it was obtained from another source, and other reasonable requests
8. ‘Right to be forgotten’ will be law.
The right to be forgotten will be enforced under the GDPR. This means that individuals can request that all personal data held on them by you or any third party is erased. An important note: you are allowed to keep data such as billing information if you still need to charge the subject for services or products.
9. Consent for under 16s is going to change.
When capturing personal data from an individual under the age of 16, you must have clear parental consent. Some countries, however, may choose to set the minimum age for parental consent to 13.
10. You cannot keep data forever.
The GDPR does not specifically mention how long a company should retain personal data for. However, GDPR does state that personal data should not be retained longer than necessary.
11. Data Breach handling is going to be more stressful.
Once a breach occurs, you will have 72 hours from when the breach was identified to report it to the ICO (Information Commissioner’s Office). If personal data has been leaked, the likelihood is you will be given the highest fine available.
12. There are massive fines.
Depending on the articles violated, you can face one of two fines. The first fine is 2% of annual turnover or a €10 million fine. The second and highest fine can be 4% annual turnover or a €20 million fine. Shocking, we know – but don’t get too scared, the ICO said that the higher tier of fines isn’t going to be the norm – but that doesn’t mean they aren’t going to happen; lower tier fines will most likely be handed out to companies who have put measures in place and know what went wrong, whereas higher tier fines will be for those who didn’t do anything. Which tier will you fall into?
13. There are two new groups when handling data.
Controller: (an individual) determines the purpose of the personal data that will be processed and should demonstrate compliance with the regulation.
Processor: (a second individual) works on behalf of the Controller. If any breach occurs, the Processor must notify the Controller without delay.
Quite simple stuff right? It is if both your controller and processor are fully GDPR trained – if they aren’t, contact us and arrange a training session.
14. Companies outside of the EU will be involved.
It’s not good news… all companies outside the EU still need to abide by the GDPR when handling personal data of people in the EU, which means everything in this blog post applies to you too. Companies that are not based within the EU but offer services or products within the EU will need a representative within the EU.
If you’re based outside the EU and need some help with the GDPR, just send in an email, call us or use our live chat system.
15. You may need a DPO (Data Protection Officer).
A Data Protection Officer is a person who oversees the protection of personal data and will ensure the company is compliant with the GDPR requirements. A Data Protection Officer will need to be appointed if the company is storing or processing large amounts of personal data and information. The advice from us is that you’re always better off safe than sorry. If you need a member of staff trained to become a DPO then you can contact us on 0345 450 9393.
16. You need other certifications to become compliant.
Certifications that can help with compliance of GDPR are:
- Cyber Essentials
- PCI DSS
- ISO 27001
Further compliance will still be required, however, without these, non-compliance is guaranteed and you will fail. We’ve done it all and it is near impossible to be GDPR compliant without these standards under your belt.