What’s the saying, ‘if you want something doing, do it yourself’?
I’ve been searching for a basic overview of GDPR for a while but have yet to come across one. There is plenty of detailed information and fantastic articles from professionals and industry experts but nothing that gives a simple view of what GDPR is and what it means. So, I have taken it upon myself to have a go…
What is it?
General Data Protection Regulation or GDPR = replacement for the Data Protection Act
When is this happening?
Goes live in May 2018
Who does is apply to?
Any businesses within the European Union AND outside the EU if they offer products, services to and hold personal data on EU nationals
What about Brexit?
This is tricky. If your business deals with countries within the EU and keeps data about EU residents then YES you must prepare and comply to the GDPR.
If, however, your business trades in the UK only then it’s not too clear what will happen. The government have advised it will implement a similar regulation but either way it is better to be safe than sorry…
Can I be fined for non-compliance?
Yes. Very hefty fines of up to 4% of annual global turnover or a maximum of €20m
What is personal data?
Any information held about an individual that identifies them
What is a data controller?
Someone who keeps and processes data and information about an individual
Why do we need it?
We’re living in a digital data-driven world and need protection from data breaches, especially as lots of companies hold all kinds of personal data
So, what’s changed since the previous regulation?
Well, that was 1998. A lot has changed since then but here are the key points:
- The World is getting smaller and companies all over the globe may hold some sort of data on EU nationals. Official line: ‘It applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not’
- Penalties are steeper with maximum fines of up to 4% of annual global turnover or €20 Million – whichever is greater!
- Consent has been made stronger. Opt-ins need to be clearer and opt-out need to be easier.
Data Subject Rights
- You have 72 hours. You must notify individuals and controllers as soon as you are aware of a data breach that poses a risk to the freedom and rights of an individual. This is mandatory.
- Individuals can contact a data controller for confirmation on if their personal data is being held and how it is being used. This needs to be provided to the individual electronically and FREE of charge!
- Please delete me! Also known as the right to be forgotten. Individuals can request to have a data controller erase their personal data, stop sharing their data and potentially have third parties stop processing data.
- Individuals can move their data. Known as portable data, it gives an individual the right to receive their personal data which they have previously provided and move it to another controller.
- You’re ready for the GDPR but you realise that the form on your website doesn’t have the right legal notice or opt-in section. Make sure controllers set up appropriate technical and organizational measures straight away, not as an afterthought… It could damage all that arduous work you put in!
- You don’t need my life story. Controllers must only hold and process data necessary for the completion of its duties. Individuals are not going to want to give you their home address and shoe size just to download your latest blog!
Who is responsible then?
A Data Protection Officer or DPO will need to be appointed for controllers and processors whose activities mostly revolve around data processing and monitoring, with internal record keeping becoming mandatory.
Your DPO can be an internal or external employee but importantly they must be:
- An expert on data protection law and practices
- Given appropriate resources and training to do their job properly
- Reporting directly to top level management
More information:
Tons of useful information is out there if you need more detail and the ICO have created a handy brochure on preparing for the GDPR and 12 steps to take now:
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Information Commissioner’s Office:
https://ico.org.uk/for-organisations/data-protection-reform/
https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/accountability-and-governance/
EU GDPR Portal with key changes and FAQ’s:
http://www.eugdpr.org/
http://www.eugdpr.org/the-regulation.html
Rachel is passionate about retail and the ever-changing retail technology environment, with a keen eye for upcoming retail trends that are set to shake up the sector.