We’ve mentioned the countdown to GDPR on our social media channels recently, and following on from our recent post on why we decided to become ISO 27001 accredited, we thought outlining just what GDPR means and what small businesses need to do to ensure they are compliant would make for a useful blog post.
While ‘countdown to GDPR’ may sound like we are about to embark on an epic space adventure, the reality is a little more mundane. GDPR stands for General Data Protection Regulation, EU legislation adopted in 2016 that becomes enforceable in just under a year, on 25 May 2018 to be precise. Tempting as it may be to think that Brexit could absolve businesses of the need for compliance, the UK government has already confirmed that it will implement this legislation, regardless of the outcome of any Brexit negotiations.
So just what is the General Data Protection Regulation? Work on the regulation began in 2012, with the aim of bringing data protection law into line with the new, and often unanticipated, ways in which data is used today. Users of large internet services (think Facebook and Google) effectively hand over their personal data in return for using those services, and one way in which users have been deemed to be in ‘agreement’ with sharing their data is simply by clicking through a cookie consent banner. While it may sound unlikely, collecting data in this way is in line with the data protection law currently in place, the Data Protection Act 1998. Anyone who used computers and the internet back in the late 90s will remember how different 1998 was from the present day. GDPR looks to strengthen data protection by taking current uses of people’s data into account, and allows regulators to levy heavy fines on businesses found to be non-compliant: up to €20 million or 4% of worldwide annual turnover, whichever is higher. The new legislation also significantly expands the definition of ‘personal data’: online identifiers such as IP addresses and cookie IDs, and factors specific to a person’s economic, cultural or social identity, now count as personal data.
With a snap survey estimating that just under half of businesses are preparing for the implementation of GDPR, what can businesses do to ensure compliance in less than a year’s time? First of all, identify the ‘controller’ and ‘processor’ for any personal data that you collect. The controller decides how and why data is collected and processed, while the processor is the person or company that does the actual processing on the controller’s behalf. The processor can be an external company, but must keep records of the processing it carries out, and wherever it is based, GDPR still applies if it processes the data of individuals in the EU. The controller, usually the business itself, must ensure that its chosen processor adheres to the new legislation (in practice, through a written contract), and must be able to show that any data it collects is processed transparently, in line with the regulation and for a clearly defined purpose.
In terms of getting an individual’s consent, simply offering an opt-out, a pre-ticked box or the cookie banner mentioned above is no longer sufficient. Instead, an individual now needs to make an active and positive choice to let you collect their data. Controllers also need to keep a record of how and when an individual gave their consent, and must make withdrawing consent as easy as giving it, since an individual can withdraw consent at any time. Bear in mind that consent is only one of the lawful bases GDPR allows for processing (performing a contract, meeting a legal obligation and legitimate interests are others), so decide which basis applies to each type of processing you do and document it. Once data is no longer necessary for the purpose it was collected for, it needs to be securely deleted within the retention period you have identified.
GDPR will definitely change the working practices of those businesses that collect and store data, but with just under a year still to prepare, there should be plenty of time to address any issues and avoid any fines. We found this website useful when it came to finding out more, and hope that you’ve also found our blog post a helpful read!