GDPR: What Does It Mean for Businesses?

An essential guide to the EU's General Data Protection Regulation

By Andrew Beverley

There have been several headlines recently about the EU's General Data Protection Regulation – otherwise known as GDPR. From next year, businesses in the UK will need to comply with this new piece of EU regulation, which outlines their legal responsibilities when it comes to the protection of personal information. Here's everything you need to know about GDPR and what it means for your business.

What is GDPR, and why is it being implemented?

The United Kingdom was first subject to specific legislation for the protection of personal information back in 1984, and the current version of the UK Data Protection Act has been with us since 1998. That’s nearly 20 years ago, and we can all appreciate that a significant amount has changed in that time.

The exponential rise in our dependency on the internet, and the range of activities that we now regularly undertake virtually instead of physically, means that our existing framework for the protection of personal data is starting to become somewhat outdated.

The European Union decided to address the deficiencies of outdated legislation and the alignment of different requirements and enforcement through GDPR. The new regulation comes into effect on 25 May 2018, replacing the existing UK Data Protection Act from the same date, and will apply to all 28 Member States of the EU.

The UK government has recently published its draft Data Protection Bill, which is very closely aligned with GDPR and, following Brexit, will ensure that equivalent data protection legislation will remain in force in the UK.

What does it mean for businesses in the UK?

GDPR presents a more robust framework of requirements that need to be complied with, and which apply to any organisation that collects, processes or stores any quantity of personal data.

For those businesses whose prior involvement only stretched as far as sending a cheque for £35 to the Information Commissioner’s Office (ICO) each year for registration under the UK Data Protection Act, now is the time to appreciate that these new requirements will be coming into force next year.

Brexit planning: Despite the UK's impending departure from the EU, the British government has passed a bill to introduce data protection law that's equivalent to GDPR.

What are the key features of GDPR?

One of the key features of GDPR is the requirement for ‘privacy by design’, which entails proper planning for how personal data is to be safely and securely managed and processed.

Whether it’s personnel data for HR purposes, payment card data for online transactions or medical records used by a doctor’s surgery, Article 35 of GDPR requires that these processes are scrutinized to an extent that data subjects (employees, customers or suppliers) have clarity about the effective protection of their personal information.

A good data protection impact assessment (DPIA) will help businesses to prepare clear, well-structured reports, which can be shared with data subjects, but which can also assist in highlighting any GDPR-related deficiencies that can then be targeted for prompt remedial action.

Privacy by design helps to identify the legal basis under which a data-processing activity is being conducted. GDPR specifies a number of these: for example, it might be for the exercising of a contract agreed with a data subject, being authorized under Member State legislation, or perhaps necessary to protect the vital interests of the citizen (for example in a disaster or medical emergency).

One specific point of action is obtaining explicit consent from the data subject to have their personal data processed, i.e. used by a business, and this is an area which is causing confusion about how consent should be gained. Do you need to ask every customer on every occasion, and if you don’t, will it prevent your business from taking the correct actions to be GDPR compliant?

For a data subject to be able to provide their informed consent, they should be able to understand the processing activity properly and clearly. Accurate Privacy Notices and Data Protection Impact Assessments will help businesses meet this requirement.

Consent also needs to be provided voluntarily, be clear and unambiguous, and specific to the identified processing activity. If consent is being used as the legal basis for data processing, businesses will need to obtain and retain appropriate consent records to evidence the consent of each data subject. Just as importantly, data subject consent must be able to be withdrawn, and the method for requesting this should be no more complex than the process by which consent was originally obtained.

You’ll have detected a theme by now that ‘data subjects’ have significantly more involvement than they did previously. That is evidenced by an increased number of rights delivered within the pages of GDPR. Each of these is a capability that businesses will need to understand and implement to ensure compliance with the regulation, while demonstrating trust and credibility with data subjects.

Close protection: Businesses could face serious consequences if they don't take appropriate measures to protect people's data.

Once GDPR comes into force, citizens will be able to raise ‘subject access requests’ to find out what personal data is being held about them. This will become a free service – it currently costs £10 under the Data Protection Act – and requests will need to be responded to within 30 days.

Businesses may also soon start to receive ‘data correction’ requests for out-of-date personal data, or perhaps a data subject may exercise their new right to ‘data portability’ – requiring the existing data controller to extract and move an individual’s personal data to a new organisation. Another new obligation is to undertake ‘data erasure’ when it can be shown that the data-processing activity has been completed, and there is no further need to retain the personal data involved.

What are the consequences of not complying with GDPR?

GDPR has primarily made headlines for the penalties that will be enforced for data breaches and non-compliance with the requirements of the regulation. Data-processing organisations will be required to implement appropriate physical, technical, personnel and procedural controls to properly protect personal data, and this includes a capacity to promptly identify and report any loss, theft or compromise of personal information.

The regulation mandates a maximum period of 72 hours for a breach to be reported to the ICO, with hefty penalties expected for those who cannot meet this reporting window, or whose data loss is discovered by the ICO before the incident is even reported.

Many news stories have focused on the €20 million penalties that will be levied for the most serious incidents of non-compliance with GDPR (even the less significant breach categories have a maximum fine of up to €10 million). Quite simply, most organisations would not be able to survive such a financial hit, especially when combined with the costs attached to damaged brand reputation or customer confidence that will arise from the promised public reporting of breaches.

And let’s not overlook the rights of data subjects to instigate proceedings themselves which, if proven, will inevitably require compensation to be paid to the individual. GDPR provides for them to seek compensation if appropriate.

What steps do businesses need to take to prepare for GDPR?

It’s clear that UK businesses will need to develop a more comprehensive cultural approach to data protection if they’re to successfully comply with GDPR.

Businesses will need to ensure that all of their personnel are involved – after all, it just takes one lapse of concentration for a significant data breach to occur, for example by emailing a file of personal data to the wrong recipient. Employees will naturally want to ensure the security of their jobs, and it is reasonable to expect them to act in a diligent, thorough and honest manner when it comes to data protection. That’s not going to happen by chance, however, so businesses will need a clear, memorable and progressive programme of data protection education to ensure compliance.

The penalties alone should be sufficient to encourage business owners and company directors to take GDPR seriously. However, the focus shouldn’t be solely on the penalties for non-compliance. Demonstrating your company’s security and privacy capabilities will help you build trust with employees and customers, and in turn contribute to your resilience, growth and success.

About the author

Andrew Beverley is chief technology officer (CTO) at InfoSaaS, which provides cloud-based information security solutions to businesses of all sizes. It also offers a range of tools designed to help companies understand and comply with GDPR when it comes into force in May 2018.
