From a legal standpoint, data protection is one of the most important obligations that any business owner has to undertake.
Personal data is any information which can be used to identify a living person, including (but not limited to) their name, address, telephone number, email address, and so on.
From customer addresses to staff contact information, businesses are a treasure trove of data. While this is good for marketing, sales and internal communication purposes, it is also particularly valuable for cybercriminals, who target businesses to obtain data for fraudulent activity.
On 25 May 2018, data protection law changed with the entry into force of a new European Union law: the General Data Protection Regulation (GDPR). Unlike the directive that preceded it, the GDPR is a regulation, meaning it applies directly in every member state rather than having to be transposed into national law first.
Previously, legislation around data protection in the UK was limited to the Data Protection Act 1998, which had outlived its usefulness. Huge changes in the business and technology landscapes meant that new rules were long overdue; enter the GDPR.
The GDPR streamlined data protection by bringing standard practices into place for all businesses operating in the European Union (and, at the time of writing, it looks as though the UK could still be an EU member beyond March 2019). In any case, the UK has written the GDPR into its own law through the Data Protection Act 2018, so it continues to apply to UK businesses.
What is my role in data protection?
Data protection is already a complex field, and it is made more confusing still by terminology that can be hard to decipher.
The first step is understanding which of the following terms applies to you and your role in collecting and protecting data:
– Data controllers are organisations/individuals who collect personal data and decide how and why it is used
– Data subjects are individuals whose data is collected
– Data users (an informal term, not one the GDPR itself defines) are the staff who handle personal data on the controller's behalf
– Data processors process information on behalf of data controllers
In real terms, this means that you and your business are the data controller, your customers (and, to an extent, your employees) are data subjects, and certain employees will be data users.
Finally, data processors are external companies that process, on your instructions, data that you control. The scope is fairly wide: it could include solicitors, accountants, IT services or even postal services if you are sending products or marketing material to your customers. The controller remains responsible for what a processor does with the data, so processors must be bound by a written contract setting out what they may and may not do with it.
What has changed with the GDPR?
The right to privacy of EU citizens was at the forefront of the regulatory change.
The GDPR introduced new requirements for people and businesses collecting data, aiming for more robust practices. There are three stages to data collection, and at each of them the onus is on the party collecting the data to ensure that the entire process is compliant.
When collecting data, data controllers have an obligation to use plain language and to communicate clearly why the data is needed, how long it will be stored and who it is passed to.
Where processing relies on consent, that consent must be freely given, specific and unambiguous, and data subjects need to understand exactly what they are consenting to. Consent is only one of the lawful bases the GDPR recognises; others include performance of a contract, a legal obligation and the controller's legitimate interests, and you should record which basis you rely on for each processing activity.
Data controllers and users need to use extra safeguards to protect sensitive data.
Sensitive data (which the GDPR calls "special category data" and which includes racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic and biometric data, health information and data about sex life or sexual orientation) is private in nature, and privacy is a key consideration of the GDPR, so it is subject to extra protection.
Data breaches must be reported to the supervisory authority (the Information Commissioner's Office in the UK) within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. Where a breach is likely to result in a high risk to the data subjects affected, they must be informed as well, without undue delay.
Additionally, data being transferred outside of the European Union will need legal safeguards in place, such as an EU adequacy decision for the destination country or standard contractual clauses with the recipient, to guarantee its secure handling.
Businesses must respect the 'right to be forgotten' (formally, the right to erasure). This is a recent concept which allows people to request that inaccurate, inadequate, irrelevant or excessive information about them be removed.
If a data subject asks that their data be removed, you must comply with the request, unless you have a right to refuse to comply, such as needing the data for a legal obligation.
How to ensure your business stays compliant
The GDPR has meant extensive change for data protection law and for all businesses bound by it. Your business should already be compliant, but it pays to be vigilant, and there are some steps you can take to assess how compliant you are.
First of all, establish whether you need to appoint a data protection officer. This is mandatory if you are a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale, or if you process special category data on a large scale; otherwise it is optional but may still be sensible, depending on how much data you handle and what you use it for.
Consent to data processing no longer means a pre-ticked box agreeing to terms and conditions; it has to be an active, transparent opt-in, with easy-to-understand T&Cs and consent forms. This may mean changing the settings on, for example, any email or newsletter sign-ups you run, so that the box is unticked by default and marketing consent is requested separately from acceptance of the terms.
Document your data processes and review your practices, including the reasons for processing, the lawful basis you rely on, where data is stored and how long you keep it, to assess whether they are adequate. A written record of processing activities is itself something the GDPR expects most controllers to maintain.
Penalties for non-compliant businesses
Depending on the severity of any non-compliance with the GDPR, or of any data breach, penalties range from a warning to the suspension of data processing, or a fine of up to €20m or 4% of global annual turnover, whichever is higher (in practice the turnover-based figure only exceeds €20m for larger businesses).
- The official EU GDPR website is a one-stop shop where you can see the key changes, the timeline of the project, and some of the more difficult topics which have been navigated.
- The UK government also has a simple online guide which you can consult.
- Additionally, this report from BT offers essential advice on how to adjust to the changes to data protection law.