Data privacy legislation has existed for many years and is changing again on 25 May 2018, when the General Data Protection Regulation (GDPR) comes into effect. As part of the new legislation, businesses will need to look at all the data they hold which is linked to individuals.
GDPR applies to all businesses and organisations, including sole traders who hold or process personal data of individuals in the EU. It sets out the responsibilities of businesses in relation to the collection, use, disclosure, retention and protection of personal data. It also governs the processes businesses use for managing that personal data.
Recent research undertaken by Sage shows that 57% of UK businesses lack awareness surrounding GDPR, while 60% don’t understand what GDPR means for their business. With 100 days until the deadline, businesses will need to prioritise updating their current policies and procedures for handling personal data, ensuring their processing activities are prepared for the requirements of GDPR.
Proof of compliance
Businesses will also need to demonstrate that they’re complying with GDPR, and this means meeting some rather onerous record-keeping requirements. It’s not enough to merely comply with the new GDPR; businesses must be able to prove they’re doing so. Under GDPR’s requirement for ‘accountability’, records should be maintained that reflect processing activities such as:
• Processing activities
• Subject access requests
• How consents are obtained
• Privacy impact assessments
Third party compliance
It’s not just businesses that collect personal data who are liable for breaches, but also any third-party that processes the personal data on behalf of that business, whether that’s another business, organisation, or individual.
Additionally, businesses can’t simply hand over personal data to a third-party without doing their due diligence – they must make sure third-party suppliers are also compliant with GDPR.
Will businesses need to appoint a Data Protection Officer?
With 75% of businesses unsure whether to appoint a Data Protection Officer to comply with GDPR, it’s worth pointing out that it won’t be a requirement for every business.
It would, however, be good practice to appoint someone to lead the company’s GDPR readiness programme and implement additional practices and safeguards. The appointed Data Protection Officer (DPO) could be an existing employee who is willing to undertake the required training, or it might be someone contracted from outside the business. Either way, it’s important to inform the supervisory authority of who they are.
Certain businesses will nevertheless be required to appoint a DPO: for instance, public authorities, businesses whose core activities involve monitoring individuals on a large scale, and businesses which handle medical data or information relating to criminal convictions and offences.
How much will the GDPR cost a business?
Expenses for an average business are likely to include some if not all of the following:
• An ICO registration fee, payable by organisations that process personal data; this will be based on size and turnover, and will also take into account the amount of personal data processed.
• Audits of all processes in all departments, ideally by a qualified individual or business.
• Modifications such as staff retraining and information technology adaptations.
• Potentially appointing and training a Data Protection Officer.
• Setting up and maintaining continual documentation processes demonstrating compliance with the GDPR.
• Voluntary certification costs, especially if your business processes data on behalf of other companies.
What are the consequences of breaching the GDPR?
There are strict penalties for organisations that don’t adhere to the new rules: fines could be as high as €20 million or 4% of annual global turnover, whichever is greater.
Another key element of GDPR is a requirement for companies to issue notifications of data breaches within 72 hours of becoming aware of them. If the breach poses a high risk to the individuals involved, then companies must also notify those affected as soon as possible. Keep in mind, too, that it’s possible to breach the GDPR without having an actual data loss, so being ready to comply is extremely important.
It may seem like there is a lot to consider in a short amount of time, but do take the time to think about your business data. What have you got, why have you got it and what do you use it for? Review your personal data collection and data processing systems to ensure they’re in line with GDPR. It might be worth considering an audit from both legal and technological standpoints, amongst others.
Question how to dispose of data that isn’t needed and safeguard the information that’s relevant. Evaluate how the business would deal with a subject access request, for example if one of your employees asks what personal information you hold on them, and how it is processed.
Sourced by Adam Prince, VP of Compliance, Product Management at Sage