Five things you need to know about GDPR
Over 60% of people in the UK have never heard of GDPR, which is a problem for businesses and individuals alike. Current UK data protection legislation, the Data Protection Act 1998, is almost 20 years old and no longer reflects how personal data is collected, stored and shared today.
With the internet there are now many ways personal data can be misused, and GDPR is an attempt to curb that.
1. What is GDPR?
Drafted by the EU, the General Data Protection Regulation (GDPR) is legislation intended to strengthen and unify data protection across the EU.
The need for GDPR is twofold. First, it gives people more control over how their personal data is used. By strengthening the protection of people's data, the aim is to improve trust between users and digital service providers.
Second, GDPR gives businesses a single, clear legal framework to operate under. Because the regulation applies directly and identically across the EU single market, there is less grey area and less margin for error.
2. Who does it apply to?
GDPR distinguishes two roles in the handling of personal data:
- Data controller: the individual or organisation that determines why and how someone's personal data is processed.
- Data processor: a party that processes personal data on the controller's behalf – 'a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller'.
It is the controller's responsibility to use only processors that can demonstrate GDPR compliance, normally through a written contract, while processors must keep records of their processing activities to show they are abiding by the rules.
Crucially, controllers and processors based outside the EU are still caught by GDPR if they offer goods or services to people in the EU, or monitor their behaviour, regardless of where the data is actually stored.
3. How does one obtain consent for personal information?
Where current models might assume consent, from 25 May 2018 organisations relying on consent must obtain it through a clear, affirmative opt-in: no pre-ticked boxes, no silence or inactivity treated as agreement, and no forcing users to opt out. Consent must also be as easy to withdraw as it was to give. If your sign-up model does not meet these criteria, the consent is invalid and you may be liable for a penalty. Note that consent is only one of several lawful bases for processing under GDPR; if you rely on another basis, such as a contract or a legal obligation, the opt-in rules do not apply, but you must be able to show which basis you are using.
Data identified as personal under GDPR includes the unsurprising, such as name, address, and cultural or medical information (the latter a 'special category' with stricter rules), but also online identifiers such as IP addresses and cookie IDs, and pseudonyms such as Twitter handles or usernames, wherever they can be linked back to an individual.
4. What does it mean for the industry?
If controllers and processors do not comply with GDPR they can be hit with some fairly hefty fines: up to €20m or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
The highest fines are reserved for those who have chosen to ignore the privacy rights of the public. With such penalties available, GDPR isn't to be taken lightly – and ignorance certainly isn't going to hold up as a defence.
For the first time it isn't just data controllers that are liable. Processors have direct obligations under GDPR and can be fined by the Information Commissioner's Office (ICO), and where both controller and processor are involved in the same processing, they can be held jointly and severally liable for compensating the individuals affected.
5. What do I need to do to ensure my business is protected?
The first line of defence is to make sure your customers' data is actually protected, with technical and organisational measures appropriate to the risk. Then put your data collection processes in order: map what personal data you hold and why, establish which lawful basis you rely on for each purpose, and review every point where people sign up for information from your business to confirm they are genuinely opting in.
Also make sure your business has a tested procedure for handling a breach. Where a breach is likely to put your customers' rights and freedoms at risk, you must notify the supervisory authority (in the UK, the ICO) within 72 hours of becoming aware of it; where the risk is high, you must also tell the affected individuals without undue delay. A processor that discovers a breach must inform its controller without undue delay so that the controller can meet that deadline.