With GDPR doctors, Real Business hopes to take the pain out of the discussion, solving symptoms and clearing up confusion about the big arrival of the EU General Data Protection Regulation (GDPR). This week, GDPR doctor Neil Larkins, COO, Egress Software Technologies, takes a look at the basics of GDPR.
I’ve heard a lot about the EU GDPR, but am unsure on what it really means for my business. Could you explain the basics of GDPR?
In little more than six months, the EU General Data Protection Regulation – or the EU GDPR, as it's most commonly known – comes into force and, despite the tight deadline, there's still a lot of uncertainty about what it means and what needs to be done. That isn't a huge surprise given that the regulation is more than 200 pages long and completely revamps the previous Data Protection Directive, which had been in place since 1995.
In order to determine what needs to be done – and how – it’s important to understand the basics of GDPR first and the key changes that are forthcoming. So, in this GDPR Doctors surgery, I’m going to cover the core points and from there we can get into the nitty gritty.
What is the EU GDPR and when does it become law?
Considering the basics of GDPR, in a nutshell, it’s a set of regulations that replace previous directives from the EU on data protection. The way that data is handled today – and the amount of it – is almost unrecognisable to 20 years ago when the last directive was made.
This latest version not only aims to take into account the massive technological advancements that have taken place, but also to align regulations across member states. Previously, the way the directive was implemented by individual countries was inconsistent, so in today's environment of data knowing no borders, this is being rectified.
It's been in the works for a long time, but in 2016 the regulation was finally agreed and adopted, and it applies from 25 May 2018.
But doesn’t Brexit mean we don’t have to worry?
In short, no. In May next year, the UK will still be part of the EU and, as such, the government has confirmed that all businesses will need to adhere to the regulations.
Even if we were going to be out by then, the GDPR applies to any organisation, wherever it is based, that offers goods or services to individuals in the EU or monitors their behaviour, and so handles their personal data. It's likely many UK businesses would need to be compliant anyway.
Do the new laws apply to every business or do you have to be in a specialised industry?
Any business (no matter how big or small) that processes and holds the personal data of individuals living in the EU will have to comply. Personal data has been a slightly ambiguous term over the years, but for the purposes of GDPR it means any information that can be used to directly or indirectly identify an individual. That includes names, photos, email addresses, credit card details, IP addresses and so on, as well as one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.
It’s unlikely there are many businesses out there that don’t hold any of this information in some capacity – just your email address book will count you in – so the laws are likely to apply to every organisation across Europe, no matter what their industry is.
What are the key changes surrounding the basics of GDPR?
As you can imagine, in 200-odd pages there are quite a number of elements that everyone needs to pay attention to, but for the basics of GDPR, some highlights include:
- Mandatory breach notification – if an organisation discovers it has suffered a personal data breach, it will have to inform the supervisory authority (in the UK's case, the ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected. Where the risk to those individuals is high, they must be told as well
- Consent – where a business relies on consent to store and use a person's data, that consent must be freely given, specific, informed and unambiguous, and the business must explain what the data will be used for. Consent is one of several lawful bases for processing, not the only one, but pre-ticked boxes and silence no longer count
- Right to access – individuals will be able to submit a Subject Access Request (SAR) to a company requesting all the data it holds on that person. The company must provide a copy of that data (electronically, if the request was made electronically), normally free of charge and within one month, and explain what it is being used for, where it came from and who it has been shared with
- Data portability – linked to the right to access, individuals will also be able to obtain and reuse their personal data for their own purposes across different services, and businesses will therefore be required to provide that data in a structured, commonly used and machine-readable format
- Right to be forgotten – formally the right to erasure: individuals can request that a business holding their data not only deletes it but also tells any third parties it has shared the data with to do the same
- Data protection officers (DPO) – public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive (special category) data, will have to appoint a DPO (although that person can be a member of the organisation's existing staff). Other businesses may still choose to appoint one
- Penalties – fines for failing to comply with the laws can be up to four per cent of the business's global annual turnover or up to €20m, whichever is higher.
The EU GDPR represents a fundamental change in how UK and European businesses process and approach data. Over the next few weeks, we'll be going beyond the basics of GDPR into these changes in detail, as well as the steps you can take to make sure your business is compliant before 25 May 2018.
If you have burning GDPR questions that you’d like answered, please send them to Zen.Terrelonge@realbusiness.co.uk and we’ll get these answered for you.
GDPR doctor Neil Larkins co-founded Egress Software Technologies in 2007 and currently serves as chief operations officer, playing an instrumental role in shaping the strategic direction of the business, with particular emphasis on product and service development.