GDPR, the General Data Protection Regulation, is a new EU regulation that comes into effect on 25 May 2018, and the UK government has said it will be carried over into UK law after Brexit. It replaces the 1995 Data Protection Directive (implemented in the UK as the Data Protection Act 1998) and is probably well overdue.
The regulation was actually passed in 2016, which should have left businesses enough time to implement the new rules, but in reality, certainly for small businesses, it is only just coming to light.
The old Data Protection Act was written before the internet boom, and the UK does not currently offer the same level of data protection as some other European countries. The new rules explicitly cover the use and storage of personal data in newer technology such as social media and cloud software.
The Data Protection Act allows a fine of up to £500,000, which may seem significant but is arguably not enough to make larger companies comply. GDPR fines will be up to €20 million or up to 4 per cent of a company's annual worldwide turnover, whichever is higher.
Who will GDPR affect?
GDPR applies to all businesses that process personal data, whatever their size. Article 30 does exempt organisations with fewer than 250 employees from one specific duty, keeping formal records of processing activities, but the exemption is narrow (see the wording quoted below), and it is not an exemption from the regulation itself. Note that the requirement to appoint a Data Protection Officer is a separate matter (Article 37) and depends on the type of processing carried out, not on headcount. Even where an exemption applies, it is still a good idea to keep the records where possible.
Businesses with fewer than 250 employees must still keep records of processing activities in the circumstances set out in Article 30:
Article 30 - EU GDPR - "Records of processing activities"
The obligations referred to in paragraphs 1 and 2 shall not apply to an enterprise or an organisation employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as referred to in Article 9(1) or personal data relating to criminal convictions and offences referred to in Article 10.
Basic GDPR requirements:
- Appoint a DPO (Data Protection Officer) where required, for example where core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data. The DPO oversees compliance with the regulation, including the security of personal data
- Report personal data breaches that are likely to result in a risk to individuals to the ICO (Information Commissioner's Office) in the UK without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach
What information is covered by GDPR?
GDPR regulates personal data. Personal data means any information relating to an identified or identifiable living person. This includes the "normal" things we think of as personal data, such as names, email addresses and bank details, but also online identifiers such as IP addresses, and biometric data used for identification, such as fingerprint recognition and facial recognition.
This covers some of the basics if you are unsure what GDPR means. In our next post we will be looking at how GDPR can affect your website.