On May 25th 2018, the European Union's General Data Protection Regulation (GDPR) comes into effect in the UK.
And your business almost certainly needs to comply.
There are two main goals of the GDPR:
- Strengthen the rights of individuals to control their data
- Apply a consistent approach to data protection across EU member states
As more and more personal data is collected, stored, used and transferred across borders, the previous EU data protection regulations became inadequate. The GDPR refreshes the older regulations to reflect the increased role of data in everyday life - and business.
Research shows that only 27% of businesses think that GDPR applies to them, but in reality, almost every business will need to comply with the new rules.
Data Controllers vs. Data Processors
A data controller determines the purposes for which and the manner in which data is processed. Data controllers might be businesses that subscribe to your service, or a doctor's surgery that collects patient information.
Data processors process data on behalf of the controller, but don't have a say in which data is processed. Processors include cloud service providers (like RotaCloud), accountants, and payroll companies.
You can be both a data processor and a data controller. For example, RotaCloud processes client data but also controls the data of our own employees.
Under previous data protection rules, data processors had very few responsibilities - that's set to change under the GDPR. From May 2018, data controllers and data processors alike will have to up their game when it comes to data protection.
In this article, we'll focus on the responsibilities of data controllers rather than data processors. Retailers, cafes, restaurants and most other small businesses will be classed as data controllers.
Any business that stores the data of EU citizens in EU states must comply with the GDPR - so you'll still need to comply even once the UK leaves the EU.
GDPR looks daunting on the surface, so let's break it down.
- Consent. Companies must ask for consent to store individuals' data. Consent must be 'positive' (not the default option). The language used should be clear and straightforward, and it must be as easy to withdraw consent, too.
- Strengthened data rights. Individuals have more rights when it comes to their data. This includes the right to access their data from data controllers at no cost (unless the request is unfounded, excessive, or has been made numerous times), the right to be forgotten (under certain circumstances), the right to have their data rectified (if it is inaccurate or incomplete), and the right to data portability (in other words, transferring personal data to other IT services).
- Data breach reporting. If a data breach takes place that presents a risk to the rights and freedoms of individuals (for example, if personal data is lost that might lead to identity theft), you must notify the relevant authority. If there's a high risk of a data breach affecting individual rights and freedoms, you must inform the affected individuals.
- Subject access requests. You're probably familiar with subject access requests, where an individual can request a copy of all the data held on them by an organisation. When the GDPR comes into force, you must not fulfil these request without 'undue delay', and within a month in most circumstances. You can no longer charge a fee for these requests, unless they're excessive.
- Data protection officers. Organisations will need to appoint a data protection if one of the following is true: a) you are a public authority; b) you carry out large scale systematic monitoring of individuals; or c) you carry out large scale processing of special categories of data* or data related to criminal convictions and offences.
*Special categories of personal data under the GDPR include data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, sex life, and sexual orientation.
What You Need to Do to Prepare
As a data controller, you probably need to adjust your processes so that you're ready for GDPR. Every business will have different data protection requirements, so we can't give you specifics here — but we can offer some general advice for working towards compliance.
- Boost awareness of GDPR and its implications amongst managers and key decision makers.
- Map data usage at your business. Include where data enters your organisation, how it is stored and managed, and any organisations that process your data.
- Check you can fulfil requests made by individuals based on their new rights. Go through each of the new rights (such as the right to rectify data) and work out how you would respond if an individual chose to exercise these rights. Would there be any difficulties in finding their data, or changing it?
- Plan for more, speedier access requests. Subject access requests are likely to become more common under GDPR, as they must be processed for free. You'll also need to respond more quickly than previously, so ensure that you have the resources to do so.
- Determine your lawful basis for processing. Familiarise yourselves with the six lawful bases for processing personal data, and how each one affects the rights available to individuals. Many of the bases are similar to the 'conditions for processing' under the Data Protection Act. You must be transparent about the lawful bases for processing you choose, and you can't change this at a later date - so if you're unsure which to choose, seek legal advice.
- Revisit consent. Any time you ask for an individual's consent to manage, store or process data, check the wording and mechanism used - and that they comply with the new rules.
- Change your processes if you manage children's data. You may need to add an age verification system and/or seek the consent of parents or guardians to process children's data.
- Plan how you'll respond to data breaches. Prepare for what you'll do if you discover a data breach, including how and when you'll report it to the Information Commissioners Office (ICO), other bodies, and the affected individuals. Understanding these procedures now will make the reporting process far less stressful if and when you do suffer from a data breach.
- Determine if you need to carry out a data protection impact assessment (DPIA). Under the GDPR, certain companies must conduct a DPIA. The criteria are slightly vague, but in general a DPIA must be carried out where data processing carries a high risk to individuals. Read more about DPIAs here.
- Check if your data processors are GDPR complaint.
Pretty much every business within the EU (and plenty outside the EU) will need to comply with GDPR from 25th May 2018. But many of the new rules aren't too different from those you should already be following under the Data Protection Act.
We recommend checking out the ICO website for more details on the regulations, and seeking legal advice if you're at all unsure of your obligations.
RotaCloud are working towards GDPR compliance. Click here to find out what we're doing to meet these new data protection requirements.