Collecting and holding personal data has always been a bit of a minefield – the current Data Protection Act (as well as the Privacy of Electronic Communications Regulation) covers both how you need to store data and how you’re allowed to use it.
But that’s about to have significant weight and complexity added to it with the introduction of the General Data Protection Regulation (GDPR), a European Union-led policy set to come into effect on 25 May 2018.
GDPR is expected to raise the bar not only in terms of protecting consumer rights and personal data, but also in the actual definition of what constitutes personal data.
From May, companies will need to apply the same level of protection to individuals’ IP addresses and cookie data as they do to names, addresses and contact details.
What sort of information will GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Which companies does GDPR affect?
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if it does not have a business presence within the EU. Specific criteria for companies required to comply are:
- A presence in an EU country.
- No presence in the EU, but it processes personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees, but its data processing impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data. That effectively means almost all companies.
What will implementation cost?
The costs are as yet undefined; however, compliance could incur significant expense, and companies should be aware of this as the deadline draws closer.
Who is responsible for compliance?
Simply put, anyone involved with data processing and management – whether positioned internally within a company, or a third-party supplier. In the event of a breach, both would be held liable.
What if your company misses the deadline for compliance?
The EU is known for dishing out significant financial penalties for non-compliance, and GDPR is no exception.
Fines can be up to 20 million Euros or 4% of your global annual turnover, whichever is higher.
What should you be doing to prepare for compliance?
- Ensure a sense of urgency is clearly communicated.
- Involve all parties in the process – your data management company, IT departments, accounts departments – any part of your operation that involves data collection and management.
- Know your current position – what data do you currently hold, and how is it stored? Identify areas that need adjustment and put project plans and teams in place to upgrade systems where necessary to ensure compliance. In the case of using a third party, request full compliance assessments and assurances from them.
- Don’t forget about mobiles – within your organisation, if you have employees with company mobiles, then there’s a chance they’ve downloaded apps. If any of those apps store personal data, they need to be GDPR compliant.
- Know what paperwork you need to complete well ahead of time – find out more at https://www.eugdpr.org/
- Have incident response plans in place – GDPR requires an incident response time no longer than 72 hours.
- Include GDPR in your employees’ work contracts, KPIs and performance appraisals.
Get all the information you need at https://www.eugdpr.org/
For advice on data storage and management, and legal and best practice around using marketing lists, contact Realnet today on +44 1223 55 08 00.