GDPR: A Guide to the Key Changes
GDPR refers to the EU General Data Protection Regulation. The GDPR supplements, and sits alongside, the Data Protection Act 1988. These changes take effect on 25 May 2018, and businesses must be ready to implement them by this date.
Although GDPR is an EU regulation, it still affects UK businesses. The aim of the GDPR is to protect the rights of EU citizens and, as such, it affects organisations within the EU as well as any business that does trade with EU citizens. This means that, regardless of UK membership in the EU, data protection law in the UK must match that of GDPR for businesses to continue to offer goods and services within the EU.
This article will outline GDPR key changes and how to ensure you comply with the new regulations.
GDPR Key Changes
It is important that you are aware of the key changes in the GDPR and how to implement them. To help you with this, we have summarised the key points:
- There is an increased territorial scope – it applies to all companies that process the personal data of people residing in the Union, regardless of the company’s location.
- You must give data subjects more information when you are collecting their personal data.
- There are new regulations for gaining consent to collect personal data. Both consent and explicit consent now require clear affirmative action.
- The age barrier for collecting data is rising from 13 to 16.
- You must delete data that you are not using for its original purpose.
- People can revoke their consent to data processing at any time, and it must be easy for them to do so. More control must be given to the data subjects.
- You have 72 hours to notify regulators of a data breach, unless the breach is unlikely to result in a risk to data subjects.
- There is a single national office for complaints.
- Large data controllers must appoint a Data Protection Officer.
- If you do not comply with the GDPR, you could face fines of up to €20,000,000 (roughly £18,000,000) or 4% of your total global annual turnover for the preceding financial year.
Does GDPR apply to me?
The GDPR applies to anyone who processes the personal data of EU residents. This means that, whether your business is small or international, you must comply with the new regulations for secure collection, storage, and usage of personal information.
However, the GDPR does recognise that smaller businesses require different treatment compared to larger enterprises. Article 30 of the regulation states that organisations with fewer than 250 employees will not be as strictly bound by GDPR.
GDPR applies to businesses with under 250 employees if:
- The processing of personal data is likely to result in a risk to the rights of data subjects.
- The processing is frequent and not occasional.
- Special categories are included in the processing.
If you are unsure of whether your business must abide by GDPR, there is one general rule – if you regularly deal with personal data, including that of employees, suppliers, and customers, you should abide by GDPR.
What Happens if I Don’t Comply with GDPR?
The GDPR introduces a new concept of accountability, which requires you to be able to demonstrate how you comply with the GDPR. This means that you must keep detailed records of your processing activities, and implement appropriate measures to be able to demonstrate that your processing is in accordance with the GDPR.
If you do not comply with GDPR, you are at risk of receiving large fines.
The GDPR has a tiered penalty structure – the amount you will be fined depends on the size of your income. Non-compliance can result in up to 4% of global revenue for the previous financial year.
Some levels of the tiering are:
- A fine of up to 2% of global revenue for neglected or disordered records.
- Up to 2% for not notifying the supervising authority and the data subject about a data breach.
- Up to 2% for not conducting impact assessments.
- A fine of up to 4% for violating basic principles of data security.
- Up to 4% for violating conditions of consent.
The GDPR aims to keep compliance with the regulations high by ensuring all companies have a Data Protection Officer (DPO). The DPO is responsible for reducing risk, reporting data breaches within 72 hours, and generally ensuring compliance.