You have probably been the recipient of many emails over the last few weeks, requesting you to respond to a message asking you to remain a subscriber with businesses. In fact, you have probably received emails from companies recently that you had in actual fact, long forgotten about. But why are you suddenly receiving all these emails? Well, it is all to do with GDPR regulations that have come into force this month, but what exactly is it? TechRound explores exactly what this acronym means and what it entails for you.
What is GDPR?
First of all, lets clear up exactly what GDPR stands for. The acronym stands for General Data Protection Regulation. This new EU legislation came into force very recently in the UK, on May 25th 2018 (although it was initially approved on 14th April 2016) and it is one of the most significant changes to date privacy regulation in the last twenty years. This regulation will see the implementation of far stricter data privacy laws across Europe (despite the result of Brexit, the UK still adopts incoming EU regulations at this moment in time) changing the way in which data protection is handled quite considerably.
The enforcement of this regulation is replacing the 1995 Data Protection Directive, and it is intended to harmonise all data privacy laws across Europe, helping to reshape the way organisation at all levels across different regions approach data privacy. The GDPR will come into effect for all governments belonging to the EU and will be handled by the Information Commissioner’s Office. The new legislation does not require government approval for it to take action.
GDPR post-Brexit
When it comes to the UK post-Brexit, the government has stated that despite the decision that has been made to leave the EU, the GDPR ruling will still be fully in effect, but there will be some modifications to it through the introduction of the data protection bill.
The new regulations may have some exceptions for those in the journalism industry to ensure that their ability to report is not impacted by data protection laws. This works in similarity to the previous bill.
Who will GDPR apply to?
The new legislation will impact:
- Companies or an organisation that handles and process personal information as one of its core activities in branches that are based in the EU (but where the actual data is processed is not relevant)
- Companies that are established outside of the EU but offer goods (free or paid) in the EU, or who monitor behaviour in the EU
- As a small or medium-sized enterprise (SME) that processes personal data, it will also be a requirement to be GDPR compliant.
Nevertheless, it is important to note that if handling personal data does not form one of the core activities in your business (nor does it create risk for individuals) then it may be the case that certain parts of GDPR will not be applicable to you. For example, your company or organisation may need to appoint a Data Protection Officer.
When GDPR does not apply
If your business is a service provider based outside of the EU the new regulations will not be applicable to you. The rules will also not apply if:
- The company is outside of the EU and provides services to clients who are also outside of the EU
- Homes and household users are also exempt from the GDPR ruling
- There are also exceptions for some small and medium-sized enterprises if the business has less than 250 employees in total, this is because the legislation acknowledges the fact that most SMEs generally tend to pose a far smaller risk to the privacy of data subjects than much larger, global corporations
What happens if you do not comply with GDPR?
Under this new ruling, there are major financial consequences of not becoming GDPR complaint. Companies or organisations who fail to meet the new standards on data regulations could end up receiving a fine of up to 20 million euros (this is far more than the previous fine you could receive, which was capped at 500,000 euros) or it can be the equivalent of 4% of turnover, whichever is the greater amount. Evidently, receiving such a huge fine due to not being GDPR compliant could create major problems for a company, even leading it to close down. Therefore, making sure that the company or organisation has taken the necessary steps to meet the new legislation is of vital importance.
How to become GDPR complaint
There are a number of ways businesses can become GDPR compliant. For example:
- Adding encryption to your website to make it more secure. One way of doing this that is recommended is through getting a Single Socket Layer certificate (a website that has this will have a ‘padlock’ symbol that is visibly present) which helps to reduce the chances of data breaches and security attacks. This is particularly important if you are a company who accepts online payments
- Remove pre-ticked boxes on forms: under the new GDPR ruling, it is not allowed to have pre-ticked boxes on online forms, as it is not seen as consent. Instead, you will need to give an opt-in box
- Creating a more detailed privacy policy: the new policy will need to be far more detailed and give greater clarity to customers about how their personal information will be stored and processed by the company or organisation
- The way in which cookies are used also needs to be clearly stated in the business’s privacy policy. You should state what information will be collected on the customer, as well as what the information will then be used for
- Look at data protection by Design and Data Protection Impact Assessments to understand in further details the code of practice when it comes to GDPR
- Assigning a Data Protection Officer who can educate everyone in the organisation on how GDPR works and help to assess the areas in which the company needs to become GDPR compliant