The General Data Protection Regulation (GDPR) will become law in the UK next year.
If you’re not sure what the GDPR is or how it will affect your business, then now’s the time to start paying attention. It’s a new piece of EU legislation, already adopted, which applies across Europe from 25 May 2018. Even with the UK leaving the European Union the law will still apply here, and because it’s a Regulation rather than a Directive it applies directly in every member state, rather than waiting for each state to implement it in its own national law.
Karen Bradley MP, Secretary of State for Culture, Media and Sport, stated in Parliament back in October 2016 that “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”
Whilst there is a nod there that UK data protection and privacy laws may be reviewed post-Brexit (as I’m sure other EU-derived laws will eventually be reviewed), the chances of the resulting regime being very different from the GDPR are probably minimal, and there’s no clear timescale for any such review of UK law post-Brexit. The mere fact that we already have a Data Protection Act and guidance from the ICO should be an indication that the GDPR won’t be ‘going away’ anytime soon.
Who does the GDPR affect?
As with existing data protection legislation, if you process personal data, defined in the current Data Protection Act as:
“Personal data means data which relate to a living individual who can be identified –
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.”
then the GDPR will apply to you. So, if you’re a business which collects data from customers who are consumers (i.e. individuals rather than businesses), then the GDPR applies to you, just as the current Data Protection Act already does.
What if I collect data about businesses?
There is one exception (sole traders, who are living individuals rather than businesses), but generally business data isn’t covered by the GDPR (or the existing Data Protection Act). However, you might as an organisation decide to process business data with the same due care and attention you would give personal data, perhaps because you can’t differentiate between business customers and consumers, or because you believe the same principles should apply (to stand out from your competitors and build trust with your business contacts and customers).
But what does data protection mean in practice?
The European framework for data protection that gives us the Data Protection Act and the GDPR sets out the law regarding the way businesses may process personal data. So if you collect personal data for the purposes of delivering a service or for marketing purposes, there are rules about how you can process that data, how you store it (particularly from a security perspective) and the rights of the data subjects (the people the data relates to), including over how long you retain it.
The GDPR generally strengthens the laws in these specific areas mainly in the interests of the data subjects, so it’s important that you understand just what is expected of your business, particularly regarding marketing to consumers and storing data.
Am I compliant with GDPR?
Generally speaking, many of the GDPR’s concepts and principles are similar to the current data protection regime in the UK, so if you’re currently compliant then you’re already on the road to being compliant under the GDPR. As the ICO puts it, your current compliance “can be the starting point to build from”, but there are new concepts (or enhancements) and controls within the GDPR which mean that some data processing requirements are new, and it’s these you need to be sure you’ll be compliant with.
Whatever you do, don’t panic. You’ve still got plenty of time to sort out compliance. There are lots of online resources available particularly via the ICO’s Data Protection Reform website. The ICO’s ’12 Steps’ document is a great starting point. Plus, support information and documents will be coming thick and fast from the ICO and the EU Article 29 Working Party over the coming year.
However, if you do process personal data then you should consider carrying out a GDPR preparation audit. Get a professional in to assess your current processes and procedures and advise on what changes you need to make. Flavourfy Digital offers such a service so get in touch to find out more.
As the ICO put it in their recent newsletter, “January brings a new start and the chance to do things differently… Now could be a good time to assess where your organisation’s data protection is up to and where it needs to be.” So let’s get the ball rolling, let’s audit your business and let’s get a plan of action in place so that, come 2018, you’re fully compliant – we’ve got just over a year to get you there!