The General Data Protection Regulation (GDPR) is set to revolutionise the collection and storage of personal data in the EU, with major repercussions for many small and medium enterprises.
Coming into effect on 25 May 2018, the regulation’s main aim is to give individuals control of their data once more; giving them the right to know how any company is handling personal data. For the purposes of the legislation, personal data is classified as information held about a living individual, which can identify who they are.
The regulation can be broken up into seven key principles:
• The right to be informed
• The right of access
• The right of rectification
• The right to erasure
• The right to restrict processing
• The right to data portability
• The right to object
These principles apply to three main areas: consent, data privacy, and data protection officers. Failure to comply can result in fines of up to €20 million or up to four per cent of total global revenue of the preceding year, whichever is greater.
The age of pre-ticked consent is over – from May 2018, businesses must ensure that consent is freely given with an affirmative and clear action. Instead of asking consumers to tick the box if they don’t want to hear from a company, SMEs must now ask consumers to tick the box if they do want to receive marketing material.
On the other side of the coin, withdrawal of consent is now required to be as simple as possible. Consumers must be informed that they have the right to withdraw consent at the time of signing up, and businesses must make this process as easy as possible. Furthermore, when withdrawn, an individual’s details must be permanently erased, not just removed from the relevant databases. Essentially, individuals now have the right to be forgotten, so data records must be as up to date as possible, with inaccurate entries corrected without delay.
In collecting and storing data, companies must also provide a clear trail of consent in case of audit, with screen grabs or saved consent forms.
One of the most striking changes found in the GDPR is the requirement of businesses to prove they have a legal basis to store and use any gathered data, and provide details of where their data is stored. Reasons for processing data must be specific, explicit and have a legitimate purpose.
The regulation recognises four lawful bases for processing:
- Explicit consent – individual must proactively supply consent through a positive opt-in
- Compliance with a legal obligation – for example, to process right to work checks
- Entering into a contract with an individual to supply goods and services or fulfil an obligation – for example, an employment contract
- Legitimate interests, unless outweighed by the individual’s rights and interests. Businesses must prove they have genuine reasons to process personal data without consent by satisfying the following criteria:
a. Organisations must need to process the information for their own legitimate interests or for those of a third party to whom they may disclose the data.
b. The legitimate interests must be balanced against the individual’s – processing must not prejudice the rights and freedoms, or legitimate interests, of the individual. If in conflict, the individual’s interests will take priority.
c. Any processing must be fair, transparent, accountable and must comply with all the data protection principles.
It’s not just the processing of data that is receiving an overhaul. Companies can now only hold data that is necessary for the purpose of processing, keeping retention periods to a minimum. SMEs must also know exactly where their data is located. In this transition period, it is worth dedicating time and resources to cleaning up any databases, ensuring full compliance when the regulation comes into effect.
Data Protection Officers and Breaches
One of the most effective ways to ensure full compliance with the GDPR is to hire a data protection officer (DPO). In fact, the regulation states that a DPO must be appointed for all public authorities or any businesses whose core activities involve the systematic monitoring of large amounts of personal data.
A DPO is responsible for implementing any data protection strategies and is accountable for maintaining all documentation that proves full compliance with the GDPR. The regulation doesn’t specify any necessary credentials, but suggests that anyone employed as a DPO have expert knowledge of data protection law and practices. They can be employed on a permanent basis or under a service contract, and can be shared by a group of businesses, provided they remain equally accessible to each. A DPO should report to the highest management level and be located in the EU.
In the event of a data breach, companies must inform the relevant authorities within 72 hours, providing extensive details of the problem and proposing mitigation strategies.
So what next?
With so much change afoot, it’s hard to know where to start in the journey towards GDPR compliance. With just over six months to go before the changes take effect, it’s worth using this time to prepare your existing systems. Tiger Recruitment can help source temps with a data background to cleanse and tidy databases and delete records, or provide contracted data protection officers once the law has taken effect.
Get in touch today to find out how we can help.