General Data Protection Regulation

What is it?

This is the long needed update to the 1995 Data Protection Act and this new regulation aims to protect individuals from having their private information used without consent or in a manner that they were not privy to. It also aims to make companies more accountable for sensitive personal data and its protection.

Generally speaking this new legal regulation is good news for us as individuals. Technology has grown very rapidly whilst regulation has been lagging well behind. I find it strange to find myself telling you that this is good news because regulation isn’t traditionally thought of as a positive thing when it comes to innovation and creativity but progress cannot be at the cost of an individual’s privacy and well being.

Penalties

Breaches of the regulation can incur a fine of up to 4% of annual global turnover or €30 million (whichever is greater) so it’s worth taking some time to consider if you should be making any adjustments to your business.

Your first question must be does this affect me?

You need to take action if you store information on individuals e.g. their name, email address, date of birth, computer IP address, bank details, etc. This is normally termed as personal data. This applies to both the entity who determines what this data is used for and the entity that does the processing. When I say processing, this could also include storage. Therefore if you ask for personal data from your customers or you process your client’s data (which happens to include personal data) then you need to take action.

This is nothing new, but how it is applied has changed. It now applies to the processing of personal data by companies in the EU regardless of where that takes place. It also covers the processing or storage of data relating to an individual who resides in the EU.

So if your company is in the EU, you are responsible for any personal data that you use regardless of where the processing takes place. If your company is outside of the EU but you provide services for persons within the EU then this regulation also applies to you.

What do I need to do?

Make sure that all the personal data that you collect is pertinent to your business, i.e. don’t collect data that is not needed. Minimise what information you need to store.

• Ask your customers for their consent in plain English, not in long legalese in small print mixed up with other matters. Make it simple for those who give their consent to withdraw it. Parental consent is needed for children under the age of 16.
• Ensure that your system has privacy built in by design and not as a patch to an existing system. i.e. Use a system that is proven to be secure and make sure that you keep it up to date with all security patches as soon as they are released.
• Your customer’s data needs to be easily transferable from your system. If your customer would like to move their data to another provider then this is their right. If they wish you to delete their data from all areas of your system then you need to be able to do so.

Notably, this regulation applies to cloud service providers as well as those who use these services so make sure that you know that the data you use is compliant wherever it is processed. If you use a provider outside of the EU, you need to make sure that they are aware of these new regulations and be sure that they will adhere to regulations too.

Do I need to employ a Data Protection Officer?

You only need a Data Protection Officer if your core activity is the processing and/or monitoring of personal data on a large scale or of that relating to criminal activities.

What happens if my business gets targeted by hackers and data is stolen?

Well it doesn’t have to be a hacker that can compromise your business. Data theft can also be undertaken by employees too so you need to make sure that your systems and policies take all of this into account.

If this nasty event does occur then you are best owning up as soon as possible. The regulations stipulate that notification of a breach must be done within 72 hours of you first becoming aware. When you think about the length of time Talk Talk or Yahoo took to notify their customers of their data breach, you can understand why.

Brexit

But we’re leaving the EU so is this really relevant to me? Well, we aren’t leaving until 2019 at the earliest and it is very likely that the UK will implement a regulation largely similar to that of the GDPR. So I would say, yes, this is still relevant to your business.