With only 7 weeks to go, you’ve probably already heard about the General Data Protection Regulation (GDPR) which comes in this May. The new rules will make significant changes to data protection in Europe and the wider world – but what will they mean for you and your business?
What is the GDPR?
The GDPR is an EU law, which standardises data protection across Europe. In the UK, it replaces the Data Protection Act 1998.
It builds on previous legislation, but places greater obligations on organisations that handle personal data.
When does it come into effect?
The GDPR will come into force from Friday 25 May 2018.
Some of the key changes include:
The rules apply more widely
Unlike older legislation, the GDPR now applies to all organisations that process the personal data of individuals in the EU.
This includes organisations outside of the EU, as well as within it.
Stricter penalties for non-compliance
Fines can be as high as €20 million or 4% of your company’s annual turnover – whichever is larger.
This maximum may apply for the most serious violations, but penalties will be tiered according to the type of offence, and will be at the discretion of the Information Commissioner’s Office (ICO).
The ICO has emphasised that fines will be necessary, proportionate, and only issued as a last resort.
Higher standard for consent
The regulation clarifies what constitutes a user’s consent to organisations using their data.
This means using clear and plain language when asking users for their data, and no more pre-ticked opt-in boxes.
It should be just as easy for users to withdraw consent at any time.
More rights for people giving their data
The GDPR will introduce several new rights for people whose data is being processed.
This includes the right to:
- receive information about their own data and the way it’s being used
- withdraw their data
- be notified about data breaches that might concern them.
Some organisations will need to appoint data protection officers, but this depends on the scale or sensitivity of the data they use.
How will it affect businesses?
It’s true that businesses will be held more accountable under the new rules, but they’ll also benefit from implementing better data protection.
With a stronger focus on how they handle data, businesses should be able to keep this information more secure against threats of cybercrime.
Narrowing down their mailing lists also means businesses will be able to send useful information to the people who have shown their interest in it, providing a more valuable and targeted service.
If you have any questions about preparing your small business for the GDPR, you can call the ICO advice line at 0303 123 1113.
While we do not provide specific advice on the GDPR, we’re happy to help with a range of other issues relating to your business.