The “ABC” of GDPR: 100 Days to go
When the acronym “GDPR” comes up, is your workplace filled with dread or confusion? The General Data Protection Regulation (GDPR) is the biggest change in data regulation that Europe has ever seen. GDPR will update legislation aligned with how data is now used, which inevitably has vastly changed in the 20 years since the current European data regulation was implemented. In 2011, a study by The Economist estimated that 90% of the world’s data had been generated in the preceding two years. With outdated legislation no longer fit for purpose, the time has come for an overhaul!
The GDPR deadline of 25 May is looming, with just 100 days to go . Whilst your business or organisations should be well on its way to compliance by now, we’re sharing our “ABC” of GDPR to make sure that you are completely clued up on some of the most basic principles:
- Autonomy and Accountability: GDPR aims to bring greater control to the individual, and makes it easier for people to find out what data is being held about them through ‘subject access requests’. This information must be sent within a month of the request, and be provided free of charge. Additionally, your business or organisation must adhere to an accountability principle, whereby you must be able to actively show exactly how you are compliant with GDPR.
- Brexit: Anyone who processes personal data within the EU must adhere to GDPR from May 2018. After we officially leave the EU in March 2019, the UK will continue to adhere to GDPR, with most provisions unchanged. The Information Commissioner’s Office (ICO) will enforce GDPR in the UK.
- Consent: Individuals will be required to actively give their consent to receive communications from your business or organisation. Asking individuals for consent needs to be clear, transparent, and in the form of an ‘opt-in’ system. Consent must be actively given, and not just taken through ‘pre-ticked’ or hidden check boxes.
- Deletion of Data: This principle is also known as ‘the right to be forgotten’, and means that individuals are able to request that you delete their personal data where there is no compelling reason to keep it. Essentially, personal data must be destroyed or deleted if there is no legitimate reason to retain it, such as it is no longer accurate, or if consent by the individual is withdrawn.
- Education: It is important to educate your staff and make them aware that compliance with GDPR is everyone’s responsibility, and does not just fall to the one person – the one currently panicking!
- Fines: Any failure to comply with GDPR will be met with significant fines and penalties, the maximum being the equivalent of €20 million, or 4% of global annual turnover. While fines and penalties are proportional to the size of your business or organisation, and the size of the error, GDPR must be taken seriously; don’t risk your business or organisation being made an example of, it won’t help your reputation.
While it’s highly likely that most of you already comply with current GDPR principles, you should prepare now for the new legislation and ensure your organisation’s processes are fully compliant. It is imperative to not lose sight of how important personal data is to people. Businesses and organisations must get it right, and the clock is ticking. 25 May is just around the corner. Are you #GDPRReady?