The countdown is on, with the GDPR coming into force on May 25th 2018, and for months now there has been a lot of talk and rumour about how the changes will affect different businesses. Everyone you talk to seems to know bits and pieces, but in general people are pretty confused by the whole thing, so we have written this article to help supplement your own research.
What is the GDPR?
GDPR stands for General Data Protection Regulation; it is the European Union's regulation governing and protecting the processing of individuals' personal data. The GDPR applies to all companies that process EU citizens' personal data, whether or not the company itself is located in the EU.
What are the key changes I should make note of?
If you're confused by all of the grey areas in the regulation, then you're not alone! If you log onto the ICO's website there are quite literally pages and pages of information to read through, and you would be forgiven for being overwhelmed. To help get you on the right path, here is a list of the changes we feel are the most important to take note of:
Penalties
OK, so this is a big one. If you are in breach of the GDPR, penalties can be up to 4% of annual global turnover or €20 million, whichever is the greater amount. Pretty scary, right? However, this is the maximum fine for violating the regulation and will be imposed only for the most serious offences. It is important to remember that GDPR fines work on a tiered approach, and the lower tier is 2% of annual global turnover or €10 million. Still a punch.
Consent
The leash has been tightened, with consent now having to be clear, distinguishable and explicit. I'm sorry to say that it is time to wave goodbye to pre-ticked opt-in boxes or any other form of default consent. You must also keep your opt-in boxes separate from all other terms and conditions. You must be granular about what the consumer is opting in to, and name all third parties to which their data may be handed. The GDPR is making things easy for consumers, which means you have to give them a very simple way to opt out if they wish to, and remember: keep all consent records stored and locked away as evidence! (Caveat: if someone requests to be forgotten, their data must be deleted!) Opt-in boxes are the easiest way to make sure you comply with the GDPR; however, other lawful bases for processing are still valid, such as legitimate interests and vital interests. These are some of the grey areas.
Breach of Personal Data
If there is a breach of personal data, it is now mandatory for all organisations to tell the relevant supervisory authority. This must be done within 72 hours of becoming aware of the breach. If the breach poses a high risk to individuals' rights, you must also inform the affected individuals straight away. So what is considered a data breach? According to the GDPR, a data breach is "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed." To put it simply: if there is any kind of leak, loss or destruction of personal data, whether deliberate or accidental, you have to inform the relevant people.
Right of Access
This one is fairly easy to understand. All individuals have the right to access and obtain a copy of their personal data. This must be free of charge and must be provided within a month of the request.
Right to Data Portability
Each individual has the right not only to access their data but also to transfer and reuse it across multiple services. According to Article 20 of the GDPR, this must be provided in a "structured, commonly used and machine-readable format".
Right to be Forgotten