The clock is ticking for businesses of all sizes to get ready for a new regulation that gives consumers and employees greater control over their personal data, and failure to comply will lead to some very hefty fines.
In 2012, the European Commission announced the proposal of “a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and boost Europe’s digital economy”. This, in turn, became known as the General Data Protection Regulation (GDPR).
But what do you know about the GDPR? The IoD has partnered with Hiscox to put together seven essential facts to help businesses of all sizes to prepare for this major and far-reaching piece of regulation...
1. 25 May 2018 is the deadline for companies to be compliant
GDPR is the result of four years of preparation by EU member states to address new and emerging data threats. Compared to the Data Protection Act, it introduces harsher fines for companies which aren’t compliant. These regulatory changes will help bring consistency throughout the EU and worldwide for organisations seeking to do business with EU citizens.
The UK Government’s Cyber Security Breaches Survey 2018 was published in January and revealed that only 38 per cent of businesses and 44 per cent of charities said they had heard of GDPR. But there will be no excuse for failing to comply and no period of grace afforded to any organisation, after the deadline on 25 May 2018.
Therefore, it is imperative that every business educates its staff to make them fully aware of what the GDPR is, not least because most data breaches occur as the result of an employee error.
2. GDPR gives consumers greater control over the ways their personal data is used
Speaking at the IoD’s Digital Summit in 2017, the UK’s Information Commissioner, Elizabeth Denham, gave what proved to be a prescient warning given recent events involving Facebook. Denham said, “It is clear that data analytic tools can have a significant impact on people’s privacy and autonomy and it is important that there is greater and genuine transparency about the use of such techniques.”
Denham added, “GDPR brings new obligations for organisations around data breaches and transferring data across borders. But the real change for organisations is understanding the new rights it brings for consumers and citizens.”
GDPR is designed to give the public more control over what happens to their data, and it is imperative that you understand and conduct an audit of what ‘personal data’ you hold as a business, how it was captured, how it is held, how you use it, and where it is going. The GDPR’s definition of ‘personal data’ is broader than under the current Data Protection Act and includes IP addresses, device IDs, location data, and genetic and biometric data.
3. The new data rights for consumers and employees
Individuals will have a number of rights when it comes to how you look after their personal data. Make sure there are appropriate processes and templates in place so that the data subject rights can be met.
These rights include:
- Access all data held on the individual
- Rectify inaccurate data
- Restrict or object to the processing (in certain circumstances, e.g. marketing) of data
- Export the data in a format that can be used in another IT environment
- Completely erase all data on an individual (in certain circumstances)
4. Failure to comply can be an expensive business
The maximum fine for a data breach is 4% of a company’s global turnover or €20 million (whichever is the higher). This potentially represents a huge increase on the maximum fine of £500,000 that can currently be imposed by the ICO. To give one example, TalkTalk was fined £400,000 in October 2016 following the theft of personal data involving 168,000 of its customers.
Failure to comply could result in a regulatory investigation and fines could be extended to include admin errors such as failing to do data protection impact assessments.
Although it is highly unlikely that a small business could receive a fine anywhere near those figures, the Information Commissioner’s Office (ICO) is willing to impose fines whilst also considering an SME’s ability to continue trading following a monetary penalty.
5. How the GDPR defines a data breach
GDPR defines it as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’. This means that a ‘personal data breach’ is more than just being hacked or losing personal data.
It is also important to note this applies to data held by you in any form – not just electronic.
6. You will have 72 hours to report a data breach
Breaches will have to be reported to the ICO within three days of a business becoming aware of the situation unless they are ‘unlikely to result in a risk to the rights and freedoms of individuals’.
The examples of notifiable breaches provided by the ICO are where breaches may ‘result in discrimination, damage to reputation, monetary loss, loss of confidentiality, or any other significant economic or social disadvantage’. It is also worth noting that breaches will only have to be reported to the individuals concerned where there is a ‘high risk’ of the above.
If you need to report a breach to the ICO, then you must include the following information:
- The nature of the personal data breach including, where possible, the categories and approximate number of both the individuals and personal data records concerned
- The name and contact details of the data protection officer (a role which is probably more applicable to large organisations) or another relevant point of contact where more information can be obtained
- A description of the likely consequences of the ‘personal data breach’
- A description of the measures – proposed or taken – to deal with the ‘personal data breach’ and, where appropriate, of the measures taken to mitigate any possible adverse effects
7. Brexit will not lead to changes regarding GDPR
The UK’s departure from the EU has no effect on the need for UK businesses to be compliant with the GDPR. In fact, the UK played a key role in shaping this new regulation. Furthermore, the UK Government published the draft Data Protection Bill in September 2017 which brings the GDPR into full effect within UK law and alters some key parts such as the age of minors.
There are no material changes or exclusions from the full EU version, so companies can begin to prepare and implement structures, ensuring they are GDPR compliant by May 2018.
It may seem like there’s a lot to do in what is a rapidly shortening amount of time, but there’s still time to begin your GDPR preparations ahead of the May deadline. Bear in mind the aforementioned advice, and get planning your steps to compliance.
Hiscox offers a cyber and data risks insurance policy designed to provide rapid expert response in the event of a data breach, which can (among other things) help a firm to comply with the stringent notification requirements of the GDPR.
IoD members benefit from a 5% discount on Hiscox Business Insurance including Cyber and Data Risks Insurance. For more information:
0800 2800 354
Find out more
The IoD has a comprehensive hub of resources, template policies and guidance to help businesses get underway with GDPR preparations. See our resources here.