OK. So by now you’ve probably heard about GDPR and, if you’re a business owner in the UK, are experiencing low-level freak-out anxiety. Seeing as I have one business that actively utilises consenting clients’ data as part of its content-marketing-driven business model (The Goddess Formula) and another business that advises clients on how to correctly utilise and process data in their systems (SYSTEMYZED), I thought I had better get my head around it. As ever, I find the best way to do this is to read, digest, make notes and then re-organise them in some vaguely coherent form – for future reference. I’m sharing my notes because, in doing this for myself, I realise it will be useful for my clients and others who are ‘suffering’ too. Here we go…
What is GDPR?
It is a new EU-wide directive that replaces the current 1995 data protection regulation, a piece of legislation that came into effect before the commercial World Wide Web, email, Google, and pretty much any kind of digital management of personal data as we know it today. In the UK specifically, the existing Data Protection Act 1998 sets out how your personal information can be used by companies, government and other organisations. GDPR replaces both the 1998 Act and the 1995 regulation and changes how personal data can be used.
Who will enforce it in the UK?
The Information Commissioner’s Office
What are the main things I should know about it?
There are new rights for people to access the information companies hold about them, obligations for better data management by businesses, a new regime of fines if businesses deliberately don’t comply (big ones!), and a clear responsibility for organisations to obtain the consent of the people they collect information about.
When does it kick in?
It takes effect from 25 May 2018 and is the most extensive revision of European privacy and data protection legislation ever. The GDPR isn’t limited to the EU either. In fact, its legal reach isn’t defined by geography at all; it simply looks at how the personal data of European residents is used.
If I run a business, will it affect me?
It applies to any business or organisation, regardless of size, located anywhere in the world, that “offers goods or services to EU residents or tracks and monitors the behaviour of consumers in the EU”. So any business that falls into either category will have to review every process that touches personal data and either redesign it to ensure it complies with the new protection laws or scrap it. There’s no half measure. So yes, it will definitely affect me, and if you run a business in the UK it is highly likely it will affect you too. However, it is important that we don’t panic – Elizabeth Denham, the UK’s Information Commissioner, who is in charge of data protection enforcement, says she is frustrated by the amount of “scaremongering” around the potential impact for businesses. “The GDPR is a step change for data protection,” she says. “It’s still an evolution, not a revolution.” She adds that for businesses and organisations already complying with existing data protection laws the new regulation is only a “step change”.
How will it impact my one-man-band/start-up/mahoosive business/charity etc., etc.?
Individuals, organisations, and companies that are either ‘controllers’ or ‘processors’ of personal data will be obliged to comply with GDPR. “If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR,” the ICO says on its website. Both personal data and sensitive personal data are covered by GDPR. Personal data, a complex category of information, broadly means any piece of information that can be used to identify a person. This can be a name, an address, an IP address… you name it. Sensitive personal data encompasses genetic data, information about religious and political views, sexual orientation, and more. So if you use systems that track this kind of information, e.g. reverse-IP lookup software such as Lead Forensics and Communigator, then do some due diligence on whether you will be complying.
What should I do to prepare, then?
When implemented, GDPR will have a varying impact on businesses and organisations: for instance, not every company will require a data protection officer. To help prepare for the start of GDPR, the ICO has created a 12-step guide. The guide includes steps such as making senior business leaders and directors aware of the regulation, determining which information about clients and customers is actually held, updating procedures around data access requests, and advising what should happen in the event of a data breach. In Ireland, the regulator has also set up a separate website explaining what should change within companies.
Will Brexit affect the UK’s compliance with GDPR?
Assume not. The GDPR will be introduced as scheduled on 25 May 2018, and the UK government remains largely supportive of the new level of protection it will create around personal data. The UK is implementing a new Data Protection Bill which basically includes all the provisions of the GDPR. There are some small changes, but our own law will be largely the same.
I am only scraping the surface, but in between all the hype there are some incredibly useful resources that have been published on the regulation. Here’s where to go if you’re looking for more in-depth reading:
- GDPR: the full regulation. It’s 88 pages long and has 99 articles.
- The ICO’s guide to GDPR is essential for both consumers and those working within businesses.
- EU GDPR is the Union’s official website for the regulation. It details all you need to know and has a handy countdown clock for when GDPR will come into force.
- The EU’s Article 29 data protection group is publishing guidelines on data breach notifications, transparency, and subject access requests.