Lewis Boyce is a student at BPP law school studying the GDL. Lewis also volunteers with the BPP Pro Bono Centre as a Student Assistant for the BPP Enterprise Pro bono Clinic. With a keen interest in how changes in data protection law affect business, Lewis authored this article under the supervision of Angela Cahill, Supervising Solicitor for the Clinic. The Clinic can provide free commercial legal advice on changes under the data protection law and how your business can comply. Please contact us on 0330 060 3633 or blac@bpp.com to book an appointment.
What is GDPR?
The General Data Protection Regulation (GDPR) regulates how your business protects your customers’, suppliers’ and employees’ data. It became legally binding on 25 May 2018. Whilst the Regulation attracted a lot of attention this spring, it’s not too late to think about how to change the way you collect and use your customers’ data to become compliant.
Who will it affect?
Prior to May, the way your business processed data was governed by the Data Protection Act 1998 (DPA), which affected almost all businesses, and GDPR is expected to do the same. It will impact all businesses that regularly process (use, collect or store) the personal data of EU citizens, regardless of size or location.
Key concepts
Data controller vs. data processor: GDPR distinguishes between businesses that determine the purpose and means of processing customers’ personal data (data controllers) and those that process data on behalf of a controller (data processors). Most customer-facing businesses will be data controllers even where they are involved in processing the data too, whereas a third-party data storage or analytics provider, e.g. Google Docs or Google Analytics, would be a processor.
The Information Commissioner’s Office (ICO): this is the independent public authority responsible for GDPR enforcement. Its pages on GDPR are very helpful and are constantly being updated. It also has a page dedicated to small businesses.
Key changes
Penalties: GDPR will be stricter than the DPA. The ICO can fine companies up to €20 million or 4% of global annual turnover (whichever is higher). However, the ICO will use fines as a last resort and stresses cooperation over punishment. Of the 17,300 data breaches reported in 2016/17, only 16 organisations were fined. The fines are also proportional to the size of the business, and the ICO will take into account the nature of the breach (e.g. whether it was accidental and whether it was a repeat offence).
Personal data: the definition of personal data has also been expanded. It previously covered data such as names, addresses, email addresses, dates of birth and photos. It now also covers any information that can directly or indirectly identify a person. This means new kinds of data will be considered personal data under GDPR, such as IP addresses, mobile device IDs and CCTV images.
Your customers’ rights: GDPR will give data subjects greater rights. Obtaining consent will require an active opt-in from the user, also referred to as ‘positive consent’, meaning there can be no pre-ticked boxes (e.g. for marketing emails). It should be easy for the customer to withdraw consent to having their data collected and processed, consent must be sought separately from general terms and conditions, and all parties to whom consent is given must be named. Data subjects must also be informed immediately if there is a high-risk breach, and they can request their data at any time in a commonly used, readable format.
Tips to be GDPR compliant
The GDPR can be confusing, and the Information Commissioner anticipates that small businesses will have questions about their responsibilities. For this reason, the ICO has set up the Small Business Helpline on 03031231113, which will answer your questions on data protection.
Brexit
Finally, it is important to note that you will still need to be GDPR compliant in spite of Brexit. This is not only because Brexit will occur at least 10 months after GDPR compliance is required, but also because GDPR applies to companies whether they are inside the EU or not – the only requirement for GDPR to apply is that the company processes EU citizens’ data.
The UK will be able to make changes to GDPR once it has officially left, but the government has indicated that it will implement an equivalent or very similar legal mechanism upon leaving, as GDPR has been endorsed by both the ICO and the UK government.