General Data Protection Regulation (GDPR) is a law brought in by the European Union (EU) in May 2018. It replaced the Data Protection Directive 1995, also known as the Data Protection Act 1998 in the UK.
The aim of GDPR is to modernise the laws that protect the personal information of individuals. GDPR applies to any business collecting personal data. It enforces the way data should be stored and handled within a business environment, and places sole responsibility on business owners.
After Brexit, the EU law was replaced in the UK by UK GDPR. In essence, this holds UK organisations to very similar data protection regulations as under the EU GDPR. There are some minor technical changes, but the core principles remain the same.
If businesses fail to follow the guidelines for storing and processing personal data, it can result in hefty penalties. The likes of Google, H&M and British Airways are just some companies who have been hit by multi-million pound fines for breaching GDPR.
In this blog, we explore GDPR in more detail, so you know exactly how it impacts your business.
What does GDPR consider as personal data?
Under GDPR, personal data is any information that relates to an identified or identifiable living individual. This definition is broad and can encompass a wide range of data.
Directly identifiable data is information that can directly identify a person, such as:
- Name
- Address
- Email address
- Phone number
- ID number
Indirectly identifiable data doesn’t always directly name someone, but it can be used to identify specific people. Examples include:
- Location data (GPS coordinates, IP address)
- Online identifiers (cookies, username)
- Health data
- Genetic data
- Political opinions
- Religious beliefs
What does GDPR mean for UK businesses?
GDPR has also introduced strict penalties for companies that suffer data breaches. In order to meet the guidelines, your business must address the following:
- Compliance with UK GDPR: UK businesses must comply with the UK GDPR, which incorporates most of the original EU regulation. This means following similar rules on how personal data is collected, stored, and used.
- Following eight individual rights: Individuals have eight rights regarding their personal data under UK GDPR. These rights include access, rectification, erasure (to be forgotten), restriction of processing, data portability, objection, and rights related to automated decision-making. Your business must be prepared to handle requests related to these rights.
- Legal basis for processing: You need a lawful reason to process personal data. Common reasons include consent, contractual necessity or legitimate interests. You should be transparent about the reason for processing data and be able to demonstrate compliance.
- Data security: GDPR requires appropriate technical and organisational measures to protect personal data from unauthorised access, disclosure, alteration or destruction.
You need to make sure you have processes in place to abide by these rules – including secure systems.
What does it mean if your company has a data breach?
If your business has a data breach, whether this is from a cyber-attack or human error, you have the responsibility of reporting it to the ICO within 72 hours of the occurrence. If you fail to notify the ICO within that 72-hour window after discovering the breach, a penalty of 2% of annual turnover may apply.
That’s not to mention the reputational damage your business will face, plus the personal impact to customers whose data is breached.
Steps for your business to follow now
- Understand and map your data
A good place to start is identifying what personal data you collect, store, and process. Understand where this data comes from and for what purposes it’s used. Remember, you should aim only to store the data you really need, while protecting individual rights.
You should also pinpoint how long you retain the data and how it’s ultimately disposed of. This should always be done safely to minimise the risk of breaches.
- Be transparent with data subjects
Every business should have a clear and concise privacy policy, outlining how you handle personal data. Within this, you should specify the lawful basis for processing data (covering consent and contract). You should also explain individual rights under GDPR and how to exercise them.
Make sure this policy is readily available, so anyone who you collect data from understands how it’ll be used.
- Obtain lawful consent
Whenever you collect data from someone, you must obtain unambiguous consent before you process anything. This might include tick boxes on online forms, adding consent statements into paperwork or asking for it orally.
Make it easy for users to withdraw consent at any time, in case they change their mind. This could include giving them contact details for withdrawals or adding unsubscribe links to your emails.
- Implement stringent data security measures
You must also have in place appropriate safeguards to protect personal data from unauthorised access, disclosure, alteration or destruction.
Examples of such measures include:
- Encryption. Encryption scrambles data with a key so that only authorised users holding that key can read it. This applies to data at rest (stored on devices) and in transit (transmitted over networks).
- Set access controls. Access controls determine who holds the key. Granting access on a “need-to-know” basis ensures only essential personnel can view data. Strong passwords, multi-factor authentication and permission levels further tighten security.
- Conduct regular assessments. Regular security assessments can identify data protection weaknesses. Penetration testing simulates cyber-attacks to expose vulnerabilities, while vulnerability scans highlight software flaws.
- Security awareness training. This educates employees to be vigilant against social engineering tricks.
By combining these safeguards and fostering a culture of security, businesses can build a robust defence against data breaches. It’s also wise to follow general cyber security best practice to reduce the chances of hacking that leads to breaches.
- Manage data breaches
Your business should establish a plan for identifying and containing data breaches before they ever happen. Part of this includes having procedures in place to notify the Information Commissioner’s Office (ICO) and affected individuals within required timeframes.
Once you’ve created the plan, it must be followed every time you face a breach.
- Appoint a Data Protection Officer (if applicable)
Organisations that handle large volumes of data can benefit from having a specific Data Protection Officer (DPO) in place. They ensure all staff and management adhere to the business’s data protection obligations. More importantly, they oversee the data protection strategy for the entire business to ensure it is compliant with GDPR and other related regulations.
The DPO role can be given to an existing staff member, but they must be clued up on the regulations. Typically, it will be given to IT personnel who already have a role in processing and protecting data.
- Train staff on GDPR
GDPR can be confusing, but knowing what it means is crucial to getting it right. Take time to educate your employees on their data protection responsibilities under GDPR.
As part of the training, inform them on data security best practices and how to handle data subject requests.
- Maintain records of processing activities
Make sure you document your data processing activities, including the data collected, its purpose and legal basis for processing. This may fall into the DPO’s responsibilities if you have one.
If you are asked about your processes, having a paper trail will make them much easier to validate.
Get GDPR advice
Achieving GDPR compliance looks different for each business, depending on its setup, so it’s best to get tailored advice for your business and data needs.
Our GDPR consultants will work with you to identify any risks and recommend a range of industry leading security solutions to keep your data protected.
We can also conduct audits and gap analysis to identify non-compliant areas of your business, leaving you with a series of recommendations to work to.