GDPR – in simple terms!

GDPR will replace the current Data Protection Act 1988.

If your business is compliant with the act, you probably already fulfil many of the requirements of GDPR.

However, there are some key changes you need to know.

I’ve summarised the key differences below to help you consider what action you may need to take to update your existing information systems, there is still time to take action – and there’s no time like now.

What are the differences and how will GDPR affect the way I run my business?

1. Location

Current: The Data Protection Act applies only to organisations the UK.

New: GDPR regulations extends its reach to encompass all European states.

It will apply even though Britain is leaving the European Union. It also applies to any global company holding data on EU citizens (Facebook is one example).

2. Definition of personal data

Current: Personal data and sensitive personal data which could identify someone directly or indirectly.

New: Definition is extended to include online information which could identify a person, for example, IP addresses, mobile device IDs and encrypted data.

There are also new responsibilities to protect children’s personal data.

3. Responsibility

Current: Only the data controller has responsibility for the security of information

New: GDPR also makes the data processor responsible. Companies require a DPO if you are a public authority (except for courts acting in their judicial capacity); your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences. Consumers could hold both the data processor and the data controller responsible for data breaches.

4. Accountability

Current: Under the DPA businesses had to indicate intent and willingness to comply

New: GDPR means businesses and organisations have mandatory responsibility to demonstrate compliance. Ways in which this can be shown include:

• Staff training

• Internal audits and documentation of data processing activities

• Internal HR policy review

• Meet all the principles of data protection by design

• Implement protection impact assessments

5. Consent

Curr ent: Data collection does not necessarily require an opt-in.

New: There must be clear privacy notices, which must be concise and transparent and consent must be able to be withdrawn at any time. Note that consent is just one of six legal bases to process data - it is worth exploring these to see which legal basis is best for the processing of each group of data you keep.

Those notices must be concise and transparent and consent must be able to be withdrawn at any time.

6. Subject access requests

Current: People have the right to request to see what information you hold about them.

These requests carry a £10 charge and there is a requirement to respond to the applicant within 40 days.

New: Under GDPR subject access requests will be free of charge and must be responded to within one month.

7. Data Breaches

Current: Companies are not obliged to report data breaches, though it is considered best practice under the current act.

New: GDPR carries a mandatory requirement for all data breaches to be reported to the regulator within 72 hours.

8. Data removal

Current: There is no requirement for an organisation to remove all data they hold on an individual.

New: An individual will have the right to erasure, which includes all data including web records with all information being permanently deleted.

9. Enforcement and penalties

Current: Enforced by the Information Commissioner’s Office (ICO) in the UK. It can issue fines of up to £500,000 or one percent of annual turnover to any UK organisation that "serious breaches" the DPA.

New: Each European country will have its own supervisory authority to monitor GDPR compliance.

The ICO will be the supervisory authority in the UK.

From May 25, organisations that fail to comply with GDPR could be fined up to €20 million or four percent of their annual global turnover, whichever is higher.

10. Privacy by design

Current: Protection impact assessments (PIAs or DPIAs) are not a legal requirement under the act.

New: DPIAs will be mandatory and must be carried out when there may be a high risk to the freedoms of the individual.

A DPIA helps an organisation to ensure they meet an individual’s expectation of privacy.

How do I check my company’s compliance?

GDPR differs to DPA with increased mandatory regulations and more accountability.

Every business needs to consider how the GDPR will affect them and to start planning for it now, as this is not a process that can be achieved overnight.

“There are various routes to GDPR compliance,” says Kate Armstrong, GDPR Fundamentals practitioner for Blue Shadow Growth Agency .

“There is plenty of training available if you’re planning to use in-house resources to implement the changes.

"However, be sure that the training is delivered by a reputable and accredited provider and offers a full and detailed overview of how to bring your organisation up to speed.

"There are plenty of providers that are offering GDPR training that only covers the issue of consent in marketing, for example; such training isn’t going to be of much value if you still need to fathom out compliance implications with regards to your staff, systems and procedures.

"Expect to pay good money for quality training that you can take back to the office and turn theory into practice.

“Another good option for SMEs is to ask an external consultant to audit your organisation, resulting in a list of recommendations that you need to meet to reach the standards required by GDPR.

"Depending on the size of your organisation and level of internal resources, this could be an economical alternative to training, as a good auditor will talk you through his or her findings, which will ensure that you (and key staff in your organisation) understand GDPR in direct relation to the organisation.

"Depending on the outcome of the audit, you can then decide whether you’re going to implement the recommendations in-house or outsource them to a reliable GDPR practitioner, while you continue to focus on your core business.

"The important thing is to be aware of it, to seek advice from a reputable source sooner rather than later and to plan your route to compliance.”

Blue Shadow Growth Agency is GDPR Fundamentals accredited and Kate Armstrong is registered as a GDPR Fundamentals practitioner, which means that she is recognised as a specialist in helping SMEs become GDPR compliant.

Business Doctors will be delivering a mix of half and full day workshops and two-hour GDPR seminars across the county over the next few months in association with our partners.

Please keep an eye on Business Doctors events website for an event near you.

Or alternatively, email peterfleming@businessdoctors.co.uk

Disclaimer: www.ico.org.uk is the original and best source to download the regulations in full, regular information updates and a plain English summary of what GDPR really means.

This information is aimed at giving you a summary of current and emerging data protection and privacy regulations and guidance.

It is not intended as legal advice and is not represented as such by the author or publisher.

It is advised that legal counsel is sought to ensure compliance with legislation.

If you are looking to grow your business, Business Doctors Cumbria offer a free business health check where we can help you to set a clear vision to understand the steps you need to take to fulfil your aspirations.

Contact Peter Fleming 0845 163 1490 or 07966 686112 or email peterfleming@businessdoctors.co.uk .

Or click here to view our website for other services we can offer you.