At last… an (almost) non-boring guide to GDPR.
“A spoonful of sugar,” warbled Mary Poppins in the musical of the same name, “helps the medicine go down”.
All very well, but Poppins was operating in a happier and more innocent age – one in which the EU’s General Data Protection Regulation (GDPR) didn’t exist. Because if she had had to read about this legislation, no amount of sugar, molasses, golden syrup or honey would have made it any more palatable.
Luckily, I’ve read all about it so you don’t have to.
Well not in such excruciating detail anyway.
So, if you have a UK-based business, draw up a chair and we’ll get through this in as few words as possible.
- What is GDPR?
It is the EU’s new data protection rules, which become enforceable from 25 May 2018. The idea is to harmonise EU data regulations, give people more say about what companies can do with their data and introduce tougher enforcement measures – if you breach GDPR you can be fined up to 4% of global turnover or £20 million (whichever is the greater).
- Does GDPR apply to me?
If you control or process personal data belonging to EU citizens, assume the regulations apply to you.
- What are the main changes GDPR introduces?
The EU lists key changes on a dedicated GDPR website. As well as applying to all EU countries and ramping up non-compliance penalties, differences include:
- Consent. It must be simple for people to both give and withdraw consent to use their data. Long and confusing lists of terms and conditions will no longer be acceptable.
- Choice. People have more choice about what you do with their data. If someone wants to see the data you hold on them, you must provide it within a month – for free. People also have a ‘right to be forgotten’ and can ask you to erase data you hold on them.
- Breach notification. If any breach is likely to ‘result in a risk for the rights and freedoms of individuals’ you must notify the relevant authorities within 72 hours and your customers ‘without undue delay’.
- How do I prepare for GDPR?
If you haven’t started preparing, now is the time to do so. The Information Commissioner’s Office publishes a 12-step guide to getting ready for GDPR (pdf file).
In a nutshell, you should:
- Be aware. Make sure key people know the law is changing
- Audit the information you hold, where it came from and who you share it with
- Review privacy information, including privacy notices
- Check your procedures will work under GDPR – can you easily delete personal data and provide it to customers?
- Get ready to handle requests for personal data within the right legal timescales
- Communicate the lawful basis for processing data and add it to your privacy notice
- Consent – make sure people can give it in a way that complies with GDPR
- Children – do you need to verify children’s ages or obtain parental consent?
- Data breaches – make sure reporting procedures are in place
- Data Protection by Design – read the ICO’s code of practice on Privacy Impact Assessments and work out how to implement them
- Data Protection Officers – who will be responsible for data protection compliance?
- International implications – if you operate in more than one EU member state, you need to determine your lead data protection authority.
- Hang on… what about Brexit?
Brexit will make no difference. GDPR comes into force before Britain leaves the EU, and the government has stated we will opt into the regulations for at least the foreseeable future. Standards will remain high in order to make it easier for British companies to trade with the EU.
- So what next?
If you haven’t started work on making sure your company is GDPR compliant, you need to get cracking or you’ll risk being fined from the end of May next year.
We’ve been having great fun (if that’s not quite the word) making sure THP is fully compliant, so we’d be very happy to share our experiences with clients. If you’re interested, get in touch with your account manager today.