GDPR: All the facts so far

OPINION / 27th July 2017

The European Union's General Data Protection Regulation (GDPR) comes into force in May 2018, which will radically change the way organisations and businesses have to look after personal data. Failure to comply to the new rules could lead to huge fines, yet many businesses are far from ready.

Here we give you the low-down on everything we know, so far, about GDPR and what it will mean for your business.

The GDPR explained

GDPR is the new EU regulation governing how organisations and businesses can handle personal data of EU citizens, and what they need to do to protect it.

Organisations will need to keep records of all their customer’s personal data, and be able to prove that they obtained consent to use it. Businesses will need to be able to show their customers where their data is going, what it is being used for, and how they are protecting the data.

Personal data has been defined as anything that can identify a person online – from a computer IP address to social media comments, or as detailed as genetic make-up.

How the GDPR will affect your business

Many large organisations have already been working hard behind the scenes getting ready for the new laws to come into force. They have created new data-related jobs within their structures, to ensure they are compliant with the new regulations.

Those that are not ready once it comes into effect will face huge fines – as much as 4% of their global turnover or up to 20 million euro, whichever is greater.

In 2015 the UK telecoms company, TalkTalk was fined £400,000 for failing to prevent the 2015 customer data breach, but under the new regime fines could be many multiples of this.

GDPR & consumer consent

The new regulation will build on the UK’s existing data protection law, the Data Protection Act, but will strengthen the rules around customer consent. Under the new laws, consumers will have the right to withdraw their consent for businesses using their personal data, at any time.

Currently, UK consumers have the right to see what personal data organisations hold on them - and can make what's called a "subject access request" for free. They can demand that such data be rectified or deleted under the "right to be forgotten".

New data sharing rules

Under the new legislation if you want to share your customer’s data with a third party you will need their consent to do this. Businesses will be required to sign contracts with subcontractors outlining how the third party will keep the data they are privy to safe, secure and protected.

Controller and processor businesses

Whether your business is deemed a ‘controller’ - an organisation that processes personal data, such as a bank, or it is a ‘processor’ - a company that stores, digitises, and catalogues all the information produced by the controller, both are accountable and must handle the personal data of their customers responsibly.

This means the controller will have to demonstrate compliance with the principles relating to processing of personal data such as: lawfulness, fairness and transparency, data minimisation, accuracy, storage limitation and integrity, and confidentiality of personal data.

Processors are required to process personal data in accordance with the controller's instructions. They must guarantee to implement appropriate technical and organisational measures that will meet the requirements of the GDPR. Processors wanting to sub-contract work will have to obtain written consent from the controller before doing so.

GDPR & Brexit

The GDPR will replace the UK's Data Protection Act 1998 from 25 May 2018 and the government has confirmed that the UK's decision to leave the EU will not change this.

For more information and advice on the GDPR visit the UK's Information Commissioner's Office website and The European Union's GDPR website.

ORM’s view

The imminent introduction of GDPR means there’s work to be done for many of our clients. If your business transacts online, then your users will need to have an area where they can view their data, the details you have on them and what is stored. We will work with our clients to help them to deliver even more transparency to the end customer. We will help them to audit their log of interactions and acceptance of communications across preferred channels, and we will help them detail the data they store and record.

For clients who don’t transact online, but still have client preference centres, we will need to do the same. We will help our clients to comply with the Privacy by Design, Privacy by Default principles that are incorporated into any registration forms and data collection points.

We will work with our clients’ and their Data Protection Officers to create new processes and data management flows that will allow their customers to easily request to remove their data - a process that currently is cumbersome and clunky, especially as the customer data might reside over a number of different platforms.

Come and talk to us about how we can help you to become GDPR compliant.

This blog is not an exhaustive list of how to achieve GDPR compliance. For more information and advice on the GDPR visit the UK's Information Commissioner's Office website or consult a specialist GDPR legal team.

Peter Gough Peter Gough Managing Partner & Founder Peter Gough