Data deadline – are you ready?
Strict new laws about how companies collect, store and use data are coming into force on May 25th 2018 and like many other businesses we’ve been reading up on the new legislation and its likely impact.
If your business isn’t ready for the EU’s new General Data Protection Regulation (GDPR) legislation, now is the time to act. In just seven months’ time, violations of the new data laws could result in heavy fines and unwanted court cases.
In the spirit of sharing, here’s a run-down of the key things we’ve learned about GDPR and the most important steps to take before it starts to apply.
What is GDPR?
Designed to make companies think hard about the data they handle, GDPR will replace the UK’s Data Protection Act 1998 (DPA).
GDPR provides stricter rules on how companies can use data about individuals, and it strengthens the rights of those individuals to decide how their data is processed.
The data covered by the legislation is “personal data”: any information relating to a living individual who can be identified from it, directly or in combination with other information you hold. A common name on its own may not be enough to identify someone, but a name coupled with location details certainly is, and so is an online identifier such as an IP address or a cookie ID when it can be tied back to a person.
Data protected by the regulations includes:
- Name, age, address
- Photo ID
- Email address
- Bank details
- Social media logins and updates
- Location details
- IP address
- Medical information
- National insurance number
- Passport details
While this new legislation comes from the EU, it cannot be dismissed on the grounds that the UK voted to leave. GDPR applies in the UK from May 2018, well before the UK leaves, and the government has said it will keep the same standards in UK law afterwards through the Data Protection Bill now going through Parliament. So don’t ignore the warnings just because we’re waving goodbye to the EU.
What will change?
There are a number of key elements of the GDPR that make it more demanding on business than the DPA was. These include:
Subject access:
If you hold someone’s data, they are entitled to a copy of all the personal data you hold about them, along with the purposes of the processing, who it is shared with, how long it will be kept and where it came from. Under GDPR this must normally be provided free of charge and within one month; you can only charge a fee, or refuse, where a request is manifestly unfounded or excessive.
Consent:
Businesses will no longer be able to assume that an individual consents to their data being collected, stored or used. Consent must be freely given, specific, informed and unambiguous: silence, pre-ticked boxes and inactivity do not count, and it must be as easy to withdraw as it was to give. For example, if you add someone to your mailing list without their permission on the basis that they can always opt out, you will be in breach of the law.
The right to be forgotten:
If an individual asks for the personal data you hold about them to be deleted, you must comply under GDPR unless you have a lawful reason to keep it, for example a legal obligation to retain records. The right applies in particular where the data is no longer needed for the purpose it was collected for, or where the individual withdraws the consent you relied on. It is intended to stop companies holding on to data about individuals who no longer require their services.
Breach notification:
Under GDPR, a personal data breach that is likely to put people’s rights and freedoms at risk must be reported to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the individuals affected, they must be told as well, without undue delay. So if you lose some data, or if your system gets hacked, you’ll need to act fast, assess the risk and let the regulator and anyone affected know about it.
Privacy by design:
GDPR requires companies to build data protection into any new system or project that handles personal data from the outset, and to apply privacy-protective settings by default. As such, it won’t be enough to apply protective measures retrospectively – they must be in place from the get-go.
Sensitive data:
The new legislation treats certain “special categories” of data as sensitive. Processing this data is prohibited unless one of a short list of specific conditions applies, such as the individual’s explicit consent, a duty under employment or social security law, protecting someone’s vital interests where they cannot consent, or establishing or defending legal claims. The ordinary grounds for processing personal data, such as performance of a contract, are not enough on their own.
Under GDPR, sensitive data includes:
- Religious or philosophical beliefs
- Race/ethnic origin
- Sex life and sexual orientation
- Health records
- Political opinions
- Trade union membership
- Genetic data, and biometric data used to identify someone
Data Protection Officers:
Appointing a Data Protection Officer (DPO) is mandatory for public authorities, and for any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive data; the number of employees is not the test. Other organisations can still appoint one voluntarily, and many will find it useful. The DPO will need to check that the company is in compliance with GDPR at all times, raise awareness of data protection processes among staff members, coordinate new internal processes and act as a point of contact for regulatory authorities.
Who will it affect?
You need to make sure your business complies with GDPR if:
- Your business is established in the EU (including the UK) and processes personal data, whatever its size.
- You offer goods or services to individuals in Europe, or monitor their behaviour, even from outside the EU.
- Your data processing might result in a risk to the rights and freedoms of the data subjects.
- Your company routinely processes data about customers, past and present employees, and suppliers.
The 250-employee figure that is often quoted is not a threshold for GDPR itself: smaller organisations are only exempt from keeping a full record of their processing activities, and even then only if the processing is occasional and low-risk.
We work with a number of leading firms involved in construction, which is a prime example of an industry heavily reliant on collaboration and the frequent exchange of data.
Construction projects invariably involve multiple partners from all over the industry, and it is vital that they can share data about individuals safely and without fear of negative repercussions in the future. As such, compliance with GDPR in construction is a pressing issue.
But businesses in all industries use services like Dropbox and WeTransfer, and just as the GDPR is forcing these services to revise how they store and protect data, so must all companies review their data protection processes.
How can I prepare?
GDPR requires a company-wide approach to make sure your data processes comply with the six principles of GDPR: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. Under the accountability principle you also have to be able to demonstrate that you comply.
Steps you’ll need to take along the way include:
- Identifying and locating every piece of personal information held by your business – this includes data in cloud storage and on mobile devices.
- Assessing the value of your data, and discarding and erasing data you don’t need to keep.
- Implementing proper data discovery and storage compliance processes.
- Putting security measures in place, including procedures for notifying individuals and authorities in the event of a breach.
- Getting ready for Subject Access Requests (SARs), which must normally be answered within one month.
- Being prepared to locate and erase all of an individual’s data under the ‘right to be forgotten’.
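The first, fourth and last of these steps (finding personal data, data discovery, and locating everything held about one person so it can be disclosed or erased) are where a small amount of tooling pays off. The script below is an added example written for this article and is not part of the original post or any product mentioned in it. It scans a set of constructed sample data stores for three of the identifier types listed earlier (email addresses, UK National Insurance numbers and IPv4 addresses), builds an inventory of where each one appears, and then answers the two questions an SAR or an erasure request raises: where is this person’s data, and what is left once it is removed? The store names, sample records and function names are illustrative assumptions.

```python
"""Personal-data discovery helper (added example, not from the original post).

Scans text records for identifiers GDPR treats as personal data, indexes them
by value, and uses the index to locate and erase one data subject's records.
"""
import re
from collections import defaultdict

# Simplified patterns for three identifier types. The NI-number pattern follows
# the published format: two prefix letters (D, F, I, Q, U and V are never used;
# O is never the second letter; BG, GB, KN, NK, NT, TN and ZZ are not issued),
# six digits and a suffix letter A-D. Real discovery tooling needs more types.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ni_number": re.compile(
        r"\b(?!BG|GB|KN|NK|NT|TN|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\d{6}[A-D]\b",
        re.IGNORECASE,
    ),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
}

# Constructed sample stores (not real data). "QQ123456C" is the deliberately
# invalid placeholder HMRC uses in its examples, so it must NOT be reported.
SAMPLE_STORES = {
    "crm/customers.csv": [
        "id,name,email,ni_number",
        "1,Alice Example,alice@example.com,AB123456C",
        "2,Bob Sample,bob@example.org,QQ123456C",
    ],
    "web/access.log": [
        '203.0.113.7 - - [01/Oct/2017:10:00:00 +0000] "GET /quote HTTP/1.1" 200',
        '198.51.100.23 - - [01/Oct/2017:10:01:00 +0000] "POST /login HTTP/1.1" 302',
    ],
    "support/tickets.txt": [
        "Ticket 41: alice@example.com asked for a copy of her data (IP 203.0.113.7)",
    ],
}

# Identifiers known to belong to one data subject (assumed, e.g. from the CRM
# record plus the IP address she quoted in her ticket).
ALICE = [("email", "alice@example.com"), ("ni_number", "AB123456C"), ("ipv4", "203.0.113.7")]


def find_personal_data(text):
    """Return a list of (kind, value) identifiers found in one text record."""
    return [(kind, m.group(0)) for kind, pat in PATTERNS.items() for m in pat.finditer(text)]


def build_inventory(stores):
    """Map (kind, normalised value) -> set of (store, line_no) where it appears."""
    inventory = defaultdict(set)
    for store, lines in stores.items():
        for line_no, line in enumerate(lines, start=1):
            for kind, value in find_personal_data(line):
                inventory[(kind, value.lower())].add((store, line_no))
    return inventory


def locate_subject(inventory, identifiers):
    """Every location holding any of a subject's identifiers (for an SAR or erasure)."""
    locations = set()
    for kind, value in identifiers:
        locations |= inventory.get((kind, value.lower()), set())
    return sorted(locations)


def erase_subject(stores, locations):
    """Return a copy of the stores with the subject's records removed.

    This covers live copies only; a real erasure also has to reach backups
    and any processors the data was shared with.
    """
    to_drop = set(locations)
    return {
        store: [line for no, line in enumerate(lines, start=1) if (store, no) not in to_drop]
        for store, lines in stores.items()
    }


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_STORES)
    for key, where in sorted(inventory.items()):
        print(f"{key[0]:10} {key[1]:20} -> {sorted(where)}")
    found = locate_subject(inventory, ALICE)
    print("records for Alice:", found)
    print("after erasure:", erase_subject(SAMPLE_STORES, found))
```

Regex discovery of this kind produces false positives (the NI-number check shows the sort of format validation that keeps them down) and misses anything that is not plain text, so treat its output as the starting point for a manual review rather than the finished data inventory. The inventory also only answers the "where" question for systems you point it at; cloud storage, mobile devices and backups have to be in scope too.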
You can also add value to your clients by discussing their data storage protocol guidelines and working together on future-proof solutions.
What are the benefits?
While all companies are facing up to the time-consuming requirements of preparing for GDPR, these new regulations should help to build trust and strengthen your relationship with your customers.
Increased awareness around the importance of safeguarding consumer data is leading to a clear gap between companies that care about their customers’ concerns and those who simply want to hoard data for profit.
Keep this in mind and make transparency your goal – the bottom line will benefit in the long run.