GDPR has officially arrived – here’s our guide to all the key details
GDPR has been all over the news recently, as companies of all sizes scrabble to make sure they’re ready for the new regulations.
Following the May 25th deadline, the new rules have now come into force, meaning your business now has to ensure it is compliant.
But what exactly does GDPR entail? Here’s our guide to everything you need to know.
What is GDPR?
The General Data Protection Regulation, or GDPR, (or EU Regulation 2016/679 if you want to be official) is one of the most significant and wide-ranging pieces of legislation passed relating to technology and the internet.
Approved by the European Union in April 2016, and having come into force in the UK on May 25, GDPR looks to bring together several existing laws and regulations to harmonize rulings across the EU.
Primarily, it replaces the UK’s 1984 Data Protection Act and the EU’s Data Protection Directive, which initially came into force in 1995, with new guidelines that are better suited to the modern, technology-dominated world.
The main points of GDPR concern the privacy rights of everyday users and the data they create online, and will affect businesses of all sizes due to their effect on how companies gather, store, and look after their data.
Under GDPR, companies will also need to give explicit notice when collecting the personal data of their customers. This will mean that consent will need to be explicitly given, and that companies will have to detail the exact purpose for which customers’ data will be used.
This personal data will also need to be encrypted by default as part of a process known as pseudonymization, meaning that it can’t be linked to a specific person without being accompanied by extra information.
Personal data applies to a wide range of information – effectively anything that could be used to directly or indirectly identify a person online. This could include names, email addresses, images, bank details, posts on social networking websites, medical information, or even a computer IP address.
Users will also have the right to know exactly what details a company or organization holds about them, and also request that any of this information be deleted if they feel their rights to privacy are being infringed as part of the new ‘right to erasure’.
Companies that suffer data breaches, whether accidental or as part of a cyber-attack, will need to disclose this event to the relevant authorities within 72 hours of it happening, although there’s no requirement to notify users unless instructed.
Who does GDPR apply to?
Put simply, if your business offers goods or services to anyone living within the European Union, GDPR will apply to you.
This means that companies outside Europe will also need to ensure they’re compliant with the rules, as they could also be subject to fines if found not to be up to speed.
If you have mailing lists for newsletters or promotions, and some of your prospects or customers are EU citizens, GDPR applies to you.
What do I need to do to be ready for GDPR?
As mentioned above, if you deal with customers within the EU, you’ll need to ensure that the way you gather, store and use their data is GDPR-compliant.
For starters, you’ll need to identify exactly what data you currently own, and the means by which you acquired it. Many organizations may be unaware of the sheer mountain of information they own on their customers – just as their customers might be unaware how much info they have shared.
All the data will need to be properly secured to ensure it remains protected, so it’s definitely worth instigating new policies to limit access to the most precious data to a few key team members.
You should also be frequently backing up your data, as under GDPR customers are able to request to view exactly what information you have on them at any time.
If your business carries out large-scale data practices, you will also need to appoint a Data Protection Officer (DPO).
A DPO will be able to take responsibility for much of the heavy lifting when it comes to GDPR, including overseeing compliance and data protection.
Lastly, you’ll need to ensure that all your employees are clued up about what exactly GDPR means. The rules aren’t just the prerogative of the IT department, but could affect everyone in your organization.
What happens if you’re not GDPR-ready?
GDPR is a huge deal, and as such the punishments for non-compliance are significant.
Any organisation found to not be conforming to the new regulations after the May 25 deadline could face heavy fines, equivalent to 4% of annual global turnover, or €20 million, whichever is greater.
It remains to be seen exactly how GDPR will be monitored, and if fines will be handed out to every company large and small, but for now the best course of action is to prepare as fully as you can.