GDPR stands for ‘General Data Protection Regulation’. It’s the result of four years of EU work to bring data protection legislation up to date. With the enforcement date of May 25th 2018 just around the corner, GDPR is a term that all businesses, large or small, should be aware of.
We asked Jo Fortune from our Legal Partners Lawbite to pull together the facts and information that you need to know to ensure you’ll be ready.
Why is GDPR being introduced?
Data is used in multiple ways that weren’t envisaged in the 90s, so the Data Protection Act 1998 is no longer fit for purpose. There’s vulnerability in the current legislation and the general public expect to be protected.
GDPR applies across all EU member states and individual EU country data protection laws will disappear.
When will GDPR come into force?
GDPR is actually already here. The approved text was published in March to April of 2016, and it came into force in May of that year.
There’s been a two year grace period to give organisations time to ensure they’re fully GDPR compliant, but the actual enforcement date in the UK (in the form of the Data Protection Bill 2018) is May 25th 2018.
What types of business will GDPR affect?
All businesses and organisations that hold personal data are affected by GDPR, no matter what their size or structure. However, there are some differences depending on the number of employees you have.
If you have fewer than 250 employees, GDPR means you need to hold internal records of your processing activities, where the data being processed could risk somebody’s rights and freedoms, or where that data relates to criminal convictions and offences.
Those with more than 250 employees must keep more detailed records; for example the name and details of your organisation, your data protection officer, why you’re processing the data, a description of the types of individual and categories of their personal data, as well as categories of recipients of this data.
You might still need to record extra facets like these if you’re a smaller business though. In fact, you’re only exempt from these extra record-keeping duties if you only process personal data of EU residents occasionally. It’s best to get some advice on exactly what will apply to you here.
How do I know if my business is affected by GDPR?
All businesses will be affected in some capacity and it’s important to understand how, and what you’ll need to do to ensure your business is compliant.
GDPR requires businesses to implement data protection “by design” and “by default”.
Data Protection By Design
Simply put, privacy by design is an approach to projects that promotes privacy and data protection compliance from the start. For example, when building new IT systems for storing or accessing personal data, it means ensuring that privacy and data protection are a key consideration in the early stages of the project and then throughout its lifecycle.
Data Protection By Default
Data protection by default, on the other hand, refers to the activation of such safeguards as a default setting. As a business, you have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.
The extent to which businesses are affected depends on the practices already in place, as well as adherence to elements of the current Data Protection Act that will still be applicable.
When do I need to start taking action?
We’d recommend getting started as soon as possible. If you haven’t already documented and started making all the changes that you may need to in order to comply, then you really should start straight away.
What happens to businesses that don’t comply with the new GDPR rules?
Major GDPR breaches
There’s been some scaremongering in the media but fines for major breaches of GDPR could reach up to the larger of:
- 4% of annual worldwide turnover or
- €20 million.
Other GDPR infringements
These could attract a fine of up to the larger of:
- 2% of annual worldwide turnover or
Will GDPR still apply after Brexit?
It’s likely that UK businesses aren’t going to miss any of the fun of complying with GDPR, as the new law comes into effect before the two year period for Brexit ends.
In addition, the law is consumer-friendly and is, therefore, unlikely to be unravelled by the UK Government.
Finally, if we want to continue to trade as freely as possible with the EU this will undoubtedly be one of those laws we have to continue to comply with, especially given that UK websites will be accessible by EU citizens, for example.
How do I make sure my business is compliant with GDPR?
The Information Commissioner’s Office (ICO) has a huge amount of information on GDPR, and on what actions businesses need to take, on the ICO website.
We’d hate for your business to get caught out, so our legal partner Lawbite has a useful free online GDPR Checklist tool designed to highlight areas businesses need to think about. They also offer free 15-minute legal consultations to help businesses identify exactly what they need to do for GDPR compliance. You can call our partners at Lawbite on 0207 148 1066 to speak to a lawyer (tell them we sent you!).
What is Crunch doing to ensure my data is protected?
Jo Fortune is Partnerships Manager at LawBite.