On 25th May 2018, a new set of laws will come into force across the EU updating data protection and privacy regulations – the GDPR (General Data Protection Regulation). The changes are largely due to the rapid advances in communications technology and data handling practices seen over the past decade.
The General Data Protection Regulation (GDPR) will apply to all businesses which either operate within the EU or handle the personal data of EU citizens as part of their day-to-day operations. As Brexit will not have been completed by that point, all UK businesses will need to be compliant with the GDPR from next May, or face potential penalties. The Queen’s speech delivered on 21st June 2017 confirmed that there will be a new law to ensure the United Kingdom “retains its world-class regime protecting personal data, and proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”
This has caused a lot of confusion amongst UK businesses, especially SMEs. According to research from online security firm Webroot, as many as half of small UK businesses are still not sure how the GDPR relates to them, or what they need to do in preparation.
To help clear up the picture, here’s a brief overview of the main points in the GDPR, how it will affect SMEs, and how it relates to technology being used in the workplace.
What the GDPR Says
Thanks to improvements in technology, more and more businesses are able to collect larger quantities of data about their customers than ever before. But this has led to concerns, firstly over the ethics of collecting private and personal information, and secondly over the practicalities of keeping enormous data stores safe and secure from risks such as identity theft.
The GDPR aims to tighten the privacy rights of EU citizens in relation to data collection, whilst also ensuring that organisations can continue to collect and use data in ways that are legitimate, transparent, safe and ethical.
Personal data may be collected for all sorts of reasons. Any business which signs customers up for a service will automatically gather names, addresses, telephone numbers, email addresses, perhaps ages and details of personal circumstances. Many businesses collect this sort of information for marketing purposes, creating customer databases so they can target offers or analyse demographic patterns.
More broadly, any business which sells goods or services using electronic payment systems, whether in person or online, is implicated in data protection regulations through handling personal financial details.
In the UK, the GDPR will replace the Data Protection Act 1998. The main changes will be as follows:
● Greater accountability: Organisations will be expected to demonstrate ‘privacy by design’, showing how they actively ensure privacy protection according to the terms of the GDPR in all systems and operations. Not being able to demonstrate this could in itself be considered a breach.
● Stricter reporting procedures: Businesses will be expected to self-monitor data systems, and report any suspected breaches to the relevant authorities, generally within 72 hours.
● Tougher penalties: Any company found to be culpable for a data breach, for example through not having rigorous enough protection procedures in place, will face fines of up to €20,000,000 or 4 per cent of turnover, whichever is greater.
● Rights to access and erasure: The GDPR will enshrine private citizens’ rights to know what information is being collected, what it is being used for and how it is being stored. They will also be able to request that all records held about them be deleted.
What SMEs Need to Do
In practice, compliance with the GDPR will depend partly on putting specific processes in place, and partly on adopting certain cultural changes within the organisation.
The cultural changes will mainly centre around the concept of Privacy by Design. What this means is that companies will be expected to build their organisation around privacy and data protection as a priority, which will require a major shift in thinking for many organisations. For example, one piece of research showed that around three quarters of UK SMEs believe they have good cyber security systems in place, yet half of that number had actually lost data through an attack.
In the future, that kind of complacency could result in a hefty fine. Not being fully aware of the extent of risks to data protection will be considered a reason for blame, not mitigation. Put simply, businesses need to think very carefully about how they gather, use and protect customer data, or they risk being caught out.
A positive first step is to carry out an audit of your data collecting practices, and then compare them to the requirements of the GDPR. Things to include would be:
● What data you collect, and whether it is necessary to the functioning of your business. The GDPR states that businesses should only collect the data they need, so anything else should be jettisoned. For example, if you keep a customer database for sending out newsletters and promotions, you would be justified in keeping names and email addresses, but would you need ages and phone numbers, too?
● How and where data is stored. This is crucial, as most data breaches occur from lax storage and security. If you keep databases linked to an online network, you obviously need to think about anti-virus and firewall protections. But the use of encryption is also critical – if a laptop or mobile with unencrypted customer data was lost, you would be held accountable.
● Access to data. Deciding who has access to data should follow the same rule as the nature of the data collected – keep to what is absolutely necessary. If someone in your organisation does not need to see customer data as part of their job, make sure they cannot get to it.
As is obvious from the above, just carrying out an audit will reveal important action points for your business to follow up on. But there are also new processes and procedures businesses will need to put in place which will not be flagged up by an audit.
● Gaining consent. As this has not been a requirement before, all organisations will need to think about how they inform customers of what data they are collecting, and what it is used for. A model would be the messages used to inform people that phone calls are being recorded. However, there also needs to be an opt-out option – as long as a customer does not choose to opt out, that would be considered consent. The provision of consent must be recorded, and can be taken away at any time.
● Draw up a data protection plan. It is expected that SMEs will be spared the burden of GDPR administration in full spate, such as keeping detailed records of all data-handling transactions on an ongoing basis. SMEs will, however, be expected to have their own policy document outlining things like the protocols they will follow in the event of a data breach, and how they will respond to requests from customers about the data held about them.
The Role of Technology
As we have seen, technology is central to the GDPR being introduced in the first place. But it can also play a significant role in helping SMEs achieve and maintain compliance.
The rise and rise of digital data has been accompanied by the rapid evolution of data analytics. ‘Big Data’ software tools are used to mine data sets to identify patterns which can help businesses do everything from predicting customer buying habits to planning resources for periods of peak activity.
In relation to GDPR compliance, analytics tools can help in four key areas:
● Revealing key information about how data is stored and used as part of the audit, and what types of data are held.
● Monitoring threats, including raising the alarm on any data breaches which may occur.
● Providing centralised and even automated management over who can do what with data.
● Generating detailed reports on data use.
In summary, the key message on GDPR compliance is to act now. With less than a year to go before it comes into force, no business can afford to delay any longer, although there is still time to get ready. The GDPR will affect every business in the UK come May 2018, so it is not worth risking the high penalties for non-compliance by ignoring it.