The Biggest Change to Data Protection Laws in 20 Years is Coming: Is Your Business Ready?
On Friday, May 25th, the European General Data Protection Regulation (GDPR) takes effect across the UK and Europe, imposing tougher data protection rules and harsher penalties for businesses that break those rules.
What does this mean for your business?
For one thing, it means the data protection measures you previously had in place may no longer be adequate when it comes to ensuring complete compliance with the law.
For years, UK businesses have been regulated by the Data Protection Act (DPA) of 1998.
Yet the way that data is collected and used today is a far cry from that of 20 years ago, rendering the DPA simply no longer fit for purpose.
That's where GDPR comes in, replacing old, outdated regulations with a new set of rules compatible with a data-driven economy.
With just weeks to go, we outline everything your business needs to know to ensure full GDPR compliance by May 25th.
Why is GDPR Happening Now?
Though May 25th is the date most people associate with GDPR, the regulation actually came into play way back in 2016, giving European businesses a two-year deadline to adjust their practices and policies to be fully compliant.
That deadline is May 25th, which is why you’ve been hearing much more about GDPR as of late.
As for why we need GDPR in the first place, that comes back to the point we discussed a moment ago:
In most European countries, data protection laws weren’t compatible with today’s digital age.
When the Data Protection Act was first drawn up, Internet giants like Amazon and Google were still in their infancy and we simply didn’t use the web in the same way that we do today.
Over the years, our web use evolved whilst data protection laws stayed the same.
As you can imagine, that caused a whole wealth of problems, which GDPR aims to address by setting out to achieve three key things:
● Harmonise data protection laws across the European Union
● Give individuals more rights about how their data is used
● Ensure businesses do more to protect and fairly process data
How Will Brexit Affect GDPR?
A common question posed to everyone from IT support companies to law firms, Brexit’s impact on GDPR is a reasonable concern.
The answer to that question is straightforward:
Brexit won’t impact GDPR at all.
The UK government have announced that, post-Brexit, the country’s own data protection laws will be a direct mirror of GDPR.
Why Does Any of This Matter?
At a basic level, ensuring your customers enjoy greater control over how you use their data is a smart business move, promoting a sense of transparency and trustworthiness that customers look for in a modern company.
If that wasn't enough to encourage you to get ready for May 25th, the kind of eye-watering fines for non-compliance certainly will be.
Under the new rules, businesses that fail to adequately protect user data or that breach GDPR in some other way are liable to pay fines of up to €20 million, or 4% of global annual turnover, whichever is more.
Experts suggest that non-compliance could force some businesses into insolvency, meaning GDPR is something no serious business owner can afford to ignore.
What Do I Have to Do To Get Ready?
First things first, talk to your IT support company or in-house IT team about what steps, if any, they've already taken to ensure your business is GDPR compliant.
If they haven't already done so, they should be ready to work with you on carrying out the following tasks.
Create a Data Audit
The Information Commissioner's Office (ICO) highly recommends that businesses first take a full and thorough audit of their current data.
To do this, you should be going through everything from your marketing lists to employee information and asking several critical questions:
● Why do we collect and store this data?
● Are we sure that we only keep this data for as long as is absolutely necessary?
● Is this data sufficiently protected using an appropriate level of security?
● Are we 100% certain that this is only used for its intended purpose?
● Are we 100% certain that it is only accessed by those who need to access it?
● If we share it with third parties, why? Should we still be doing this?
Knowing exactly what data you collect, how you use it, and why, will ensure you're better prepared to take the necessary steps towards full GDPR compliance.
Work Out Whether to Hire a Data Protection Officer
One of the biggest misconceptions about GDPR is that it requires all businesses to appoint a dedicated Data Protection Officer (DPO), an individual responsible for ensuring that the business is fully compliant and for responding to data requests from individuals.
The truth is that only certain organisations are legally required to hire a DPO. The ICO reports that these are:
● Public authorities
● Organisations whose activities require large-scale and regular systematic monitoring of individuals (such as online behaviour tracking)
● Organisations whose "core activities consist of large-scale processing of special data" (including race, religion, criminal convictions, and other forms of sensitive data)
Having said that, the Article 29 Data Protection Working Party does recommend that all businesses appoint a DPO as a means of good practice, thereby reducing the risk of being fined for non-compliance.
Update Your Consent Policies
Express consent is one of the major aspects of GDPR.
This means that in order to use a person's data in any given way, that person has to give you specific, express consent for you to use it in that way.
That includes data you have already collected prior to May 25th.
In other words, you can't simply add someone to your mailing list after they use their email to purchase something from your website unless they have given you explicit permission to use it in that way.
Now is the perfect time to address how your company uses consent and ensure that all related policies are GDPR compliant.
Update Your IT Security
Even without the General Data Protection Regulation coming into play, IT security should always be of paramount importance for any modern business.
As we've said before, GDPR is much stricter than DPA ever was, so you're going to need to look at whether you have adequate protection in place, such as encryption and a secure, offsite backup system.
Educate Your Staff
Anyone within your business who collects or processes data serves as your first line of defence against data protection breaches, so it's crucial that they're fully informed on how GDPR impacts their work and what they might need to do differently going forward.
Get Expert Support With Ensuring You’re Fully Compliant
No two businesses are the same. Each one has its own individual processes, policies and practices relating to how they collect and use data.
Your business is certainly no different, which is why it's so important you fully understand how GDPR impacts your own unique way of working, and what you may need to change in order to keep your business growing, even after May 25th has been and gone.
Mohammad Ali Khan is a Technology Consultant and IT Infrastructure Architect specialising in IT strategy, integration, and Microsoft Server Platform technologies. For the past 18 years, he has served as director of Pacific Infotech, a full-service IT support company empowering businesses to improve the efficiency of their IT infrastructures and DR strategies.