It’s happening: the UK’s two-decade-old data protection laws are being overhauled to bring them up to speed with a rapidly evolving digital landscape.
With this massive overhaul comes a sense of nervousness amongst many brands and professionals. The date to mark with a big red circle in your diary is 25 May 2018, when the new General Data Protection Regulation (GDPR) starts to apply across the EU.
The impetus behind the changes is that digital infrastructure has transformed beyond recognition since the 1990s, when the current data protection laws were written. In theory, GDPR creates rules that are fit for modern use.
With GDPR looming over every industry, there is a series of new obligations that put the onus on you and your company to comply.
While many data protection principles remain largely the same, we’ll look at what’s changing, take you through what to look out for, how to educate yourself and how to make your business GDPR-ready.
As well as our guide, we recommend reading the full text of GDPR to familiarise yourself with its 99 articles, which set out the responsibilities of companies and the new protections for individuals.
It’s a long read, but it gives you the full detail. We’ll take you through some of the bigger changes below:
What on earth is GDPR?
GDPR is, at heart, a massive exercise in compliance and accountability. Elizabeth Denham, the UK’s Information Commissioner, calls the new law an ‘evolution’ rather than a revolution: it extends and updates the EU’s 1995 Data Protection Directive, which each member state implemented through its own national law.
In the UK that national law is the Data Protection Act 1998.
The way companies and marketers collect, store and use data has changed immeasurably, so the new EU-wide regulation (unlike the 1995 directive, it applies directly in every member state without needing national legislation) aims to give individuals more rights over their data and to create a more transparent framework.
Pretty much every type of industry and company that handles personal information (schools, charities, brands) will be affected by GDPR, which is why there’s been such a large-scale reaction and sense of anxiety around the changes.
‘Personal data’ is defined broadly: under GDPR it is any information relating to an identified or identifiable person, whether the identification is direct (a name) or indirect (an account number, an IP address, a cookie ID).
Any organisation that controls or processes personal data will be affected by GDPR. Unlike the current regime, processors (such as a hosting or email provider acting on a client’s instructions) also carry direct obligations of their own, not just the controller.
GDPR has been a long time coming: after almost four years of negotiation between the EU institutions it was formally adopted in April 2016 and published in May 2016, giving companies a two-year preparation period before it applies from May 2018.
In the UK, GDPR will be regulated and enforced by the Information Commissioner’s Office (ICO), which gains a much tougher fining system to ensure companies follow the rules and individuals’ rights are protected: penalties of up to €20 million or 4% of annual worldwide turnover, whichever is higher, for the most serious infringements.
Brexit has obviously changed things a *little* bit. The British government has introduced a Data Protection Bill that writes GDPR’s standards into UK law so that they survive the UK’s exit from the EU.
It’s largely the same as the EU’s GDPR model, with small differences in the areas GDPR leaves to member states, but the bill still needs to pass through the House of Commons and the House of Lords before it is enshrined in law.
What’s different about GDPR compared to current data protection laws?
As we mentioned earlier, Elizabeth Denham, the UK’s Information Commissioner, insists that GDPR isn’t there to trip companies up: it’s an extension of current laws and regulations.
GDPR aims to catch up regulations with rapid digital change.
Let’s take a quick look at some of the key new aspects included in GDPR that you need to look out for:
Key new aspects
- Individuals will have better access to the data that companies hold about them, which means more transparency. They will be able to request a copy of their data free of charge.
- The current law and GDPR share broadly the same ideas of personal data and sensitive personal data, but GDPR’s definitions are wider. Personal data is any information that can identify a person, directly or indirectly: names and addresses, but also online identifiers such as IP addresses and cookie IDs. Sensitive data (GDPR calls it ‘special category’ data) covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, and sex life or sexual orientation.
- Pseudonymisation is a major theme in GDPR. The regulation encourages companies to transform data so that it can no longer be attributed to a specific person without additional information (for example, the key or lookup table that maps a unique reference ID back to a customer), and it requires that additional information to be kept separately and protected. Pseudonymised data is still personal data, so it does not take you outside GDPR, but it counts as a security measure and limits the damage if a dataset leaks.
- There are far greater repercussions under GDPR for companies that breach the rules: a robust fining system (up to €20 million or 4% of annual worldwide turnover, whichever is higher) that can punish companies that fail to provide data when asked, fail to store it securely or are generally uncooperative with the regulator.
- GDPR demands much more clarity from companies about what they use data for and how they seek permission and consent from customers. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: pre-ticked boxes and silence no longer count.
- Responsibility sits firmly with companies to report data breaches to their country’s data protection regulator. A breach that is likely to put individuals at risk must be reported within 72 hours of the company becoming aware of it, and where the risk to individuals is high, the affected customers must also be told without undue delay.
- In specific circumstances, assessed case by case, customers can ask a company to erase their data (the ‘right to be forgotten’), for instance when the data is no longer needed for the purpose it was collected for, or when they withdraw the consent it relied on and the company has no other lawful basis for keeping it. *This could have massive implications for companies, so this will be an interesting development to keep an eye on.*
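To make the pseudonymisation point concrete, here is an added example written for this guide (not code from the ICO or from the regulation itself). It replaces the direct identifiers in a customer record with a keyed token, keeps the re-identification index apart from the dataset, and shows why a bare hash of an email address is not enough. The records, field names and key handling are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Fields that directly identify a person; they are replaced by a token in the dataset.
DIRECT_IDENTIFIERS = ("email", "name")

# Constructed sample records for this example, not real customers.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Smith", "plan": "pro", "spend_gbp": 42.50},
    {"email": "Bob@Example.com", "name": "Bob Jones", "plan": "free", "spend_gbp": 0.0},
    {"email": "alice@example.com", "name": "Alice Smith", "plan": "pro", "spend_gbp": 17.00},
]


def subject_token(email: str, key: bytes) -> str:
    """Stable pseudonym for one person: HMAC-SHA256 over the normalised e-mail.

    The key is the 'additional information' GDPR requires to be kept
    separately. Without it, a holder of the pseudonymised dataset can
    neither reverse a token nor confirm a guessed e-mail address, because
    computing the token needs the key.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Copy of `record` with direct identifiers dropped and a subject_ref added."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_ref"] = subject_token(record["email"], key)
    return out


def build_reidentification_index(records: list, key: bytes) -> dict:
    """Token -> identity. This lives with the key, under separate access
    control, never alongside the pseudonymised dataset."""
    index = {}
    for r in records:
        index[subject_token(r["email"], key)] = {
            "email": r["email"].strip().lower(),
            "name": r["name"],
        }
    return index


def re_identify(subject_ref: str, index: dict) -> Optional[dict]:
    """Look a token back up; only possible for whoever holds the index."""
    return index.get(subject_ref)


def unkeyed_token(email: str) -> str:
    """What NOT to do: a bare hash of the e-mail with no secret key."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def guess_email(token: str, candidates: list, key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: recompute tokens for candidate addresses and match.

    Succeeds against unkeyed tokens with nothing but a list of plausible
    e-mails. Against keyed tokens it succeeds only if the attacker also has
    the right `key`, which is exactly why the key is stored apart from the data.
    """
    for cand in candidates:
        computed = unkeyed_token(cand) if key is None else subject_token(cand, key)
        if hmac.compare_digest(computed, token):
            return cand.strip().lower()
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per deployment; held in a secrets store, not with the data
    dataset = [pseudonymise(r, key) for r in SAMPLE_RECORDS]
    index = build_reidentification_index(SAMPLE_RECORDS, key)
    for row in dataset:
        print(row)
    print("re-identified:", re_identify(dataset[0]["subject_ref"], index))
```

The analytics team can still group Alice’s two orders by `subject_ref`, but only the team that holds the key and index can get back to her name. If the dataset alone leaks, the attacker has nothing to work with, which is the outcome the regulation is trying to encourage.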
What your Company can do
GDPR raises the game for companies when it comes to accountability and transparency.
When you look at the number and frequency of large-scale data breaches in the last few years, it’s alarming, and clear that things need to change.
Especially when companies conceal breaches. For example, Uber was hacked in 2016 and the details of some 57 million riders and drivers were compromised.
The company hid this from the people affected and from regulators, and it only came to light a year later.
Under GDPR, there are much clearer rules for companies when their data is breached, and more stringent repercussions if they fail to comply.
GDPR arguably hands more power back to the people. At the moment, individuals can submit a Subject Access Request to see their data and the organisation can charge a fee of up to £10; under GDPR this fee is scrapped, except for requests that are manifestly unfounded or excessive.
Even if your company isn’t huge, get clued up on what personal data you process, why, and how.
Make sure you have the correct documentation that can be shown to authorities if you need to.
This includes:
Correct Documentation
- Why people’s data is being kept: the purpose
- Descriptions of the categories of information held, who it relates to and who it is shared with
- How long data is held for
- Descriptions of the security measures that protect it
If you’re not sure where to start, commission a data protection impact assessment (DPIA; under GDPR this is mandatory for processing that is likely to be high-risk to individuals) or enlist the help of an experienced data protection contractor.
We recommend assigning a Data Protection Officer (DPO). Under GDPR this is mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special category data, but it is good practice for everyone. The role doesn’t have to be filled from outside your company; you can give it to someone on your team.
Make sure they have the skills and training to carry it out, and that they can act independently.
They must be familiar with your data processes and with what happens when there’s a breach: your DPO will be the point of contact for reporting breaches to the regulator and for handling requests from customers.
Keep the documentation current at all times and set up a system that tracks and records how you collect and use data, so nobody comes unstuck.
Start putting data protection policies in place. If you don’t already take data protection seriously enough – start using best practices.
This is your chance to professionalise your approach to data protection.
Change your business mindset on data: be more transparent and give users more knowledge and control over their data. Use positive opt-ins (no pre-ticked boxes) and ask clearly for consent before using data.
Be prepared for customers who request the information your business holds about them.
You will need to respond within one month (extendable by a further two months for complex or numerous requests, provided you tell the individual why). Put processes in place to protect individual rights: document how you would delete someone’s data and how you would supply it, including the format. Where the data was provided by the customer and processed on the basis of consent or a contract, they can ask for it in a structured, commonly used, machine-readable format so they can take it elsewhere.