If you own a business, then you need to know about the General Data Protection Regulation (GDPR), which comes into effect this year. It is an EU law that brings tougher penalties for breaches of customer data and for non-compliance, and it gives individuals more control over the way that companies handle their data. It is the result of four years of EU-wide work and replaces the previously disparate national approaches to data protection with a single set of rules across member states.
The GDPR is a regulation, not a directive: it replaces the 1995 Data Protection Directive, which in the UK was implemented by the Data Protection Act 1998, and it is essential that businesses get up to speed with its provisions and what they mean for their business. Heavy fines can be levied on companies that do not adequately secure customer data: the upper tier is 20 million euros or 4% of worldwide annual turnover, whichever is higher. It applies from 25 May 2018, and because it is a regulation it applies automatically in every member state without needing national legislation to bring it into force.
Surveys show that most IT professionals know about GDPR, but less than half are actively preparing for it. A key point is that the law distinguishes between data controllers and data processors, and both have obligations. A controller decides why and how personal data is processed, and can be any firm, government body, charity or non-profit. A processor handles personal data on a controller's behalf, for example a payroll provider or a cloud hosting company. Processors must follow the controller's documented instructions and are now directly liable under the law for their own failures, which is a change from the previous regime.
All personal data must be processed lawfully and transparently, for a specified and legitimate purpose, and no longer than that purpose requires; once the purpose expires, the data must be deleted or anonymised. Every processing activity needs a lawful basis. Consent from the data subject is one such basis, but it is not the only one: the others are performance of a contract, compliance with a legal obligation, protection of someone's vital interests, a task carried out in the public interest, and the controller's legitimate interests (which can include fraud prevention) where these are not overridden by the individual's rights. Separate rules cover processing for criminal law enforcement.
Where consent is the basis relied on, it can no longer be assumed. Instead, the data subject must give active consent through a clear affirmative action, which means that opt-outs, silence and pre-ticked boxes will no longer be permitted. Data controllers must keep a record of how and when individuals gave consent and must make withdrawing consent as easy as giving it, at any time. Remember that personal data covers more than a name, address, order history or age: it includes anything that can identify a person directly or indirectly, such as IP addresses, cookie identifiers, location data and cultural or social information.
Crucially, the law also includes a right to erasure, often called the Right To Be Forgotten, which gives individuals the right to ask an organisation to delete the personal data it holds about them when there is no longer a lawful reason to keep it. The right is not absolute: data that must be retained to meet a legal obligation, for example, can be kept. You may already have seen the effect of this kind of request in online search, where notices flag that certain results have been removed following an earlier European court ruling on the same principle.
There is a lot to learn about GDPR, but it absolutely must be adhered to. For small businesses, it is reassuring that most of the rules are in line with existing good practice: know what personal data you hold, why you hold it, where it lives and who can access it. Help is available, and the vital thing is to begin the compliance journey now rather than putting it off until the last minute.