New privacy regulations are coming in next year and many companies are unprepared.
The GDPR (General Data Protection Regulation) will come into force on May 25th 2018. Although it might seem a long way off, the new regulations are much more involved than current UK Data Protection Act rules, so there’s lots for businesses to do in preparation.
Although the maximum penalty is unlikely to be applied in most cases, those who don’t comply could be hit with huge fines: up to 20 million euros or 4% of turnover, whichever is higher.
Who is affected?
All businesses worldwide that hold personal data about people living in the EU. And before you breathe a sigh of relief: Brexit won’t make a difference.
What are the key changes?
- The definition of “personal data” is now much broader, and includes any information that may identify an individual, including IP addresses.
- Consent will need to be explicitly provided for businesses to store data. The current methods of consent used by many websites (such as notices and implied consent) won’t be enough.
- Privacy policies will need to detail, in plain English, exactly what data will be used for.
- People must be able to view their data and opt out if they want to.
- Organisations must notify their local Data Protection Authority of a data breach within 72 hours of discovering it.
- In some cases, businesses will have to complete a DPIA (Data Protection Impact Assessment), before collecting data.
- Organisations need to appoint someone to be responsible for data protection.
What do businesses need to do?
Start preparing
As the new legislation is much more complex and demanding than the current regulations, action will need to be taken now to be ready in May 2018. The ICO recommend starting by completing an audit of your current data collection practices.
Appoint a Data Protection Officer
Each organisation must have someone responsible for data protection, and certain organisations will also need to formally appoint a Data Protection Officer.
Review software
Much software currently in use, including CRMs and email marketing software, doesn’t meet the requirements for allowing people to view and erase their data. Businesses will need to review the software they are using to check it meets the new regulations.
Where to find more information
Here are the key links for UK businesses:
- The ICO have provided an overview of the regulations for UK businesses as well as a “12 steps to take now” document.
- The ICO’s privacy notices code of practice explains the information privacy policies need to include.
- You can also read the GDPR regulations in full.