The new European personal data regulation comes into force in 2018: you need to start preparing now.
In May next year, the Data Protection Act (DPA) will be replaced by the EU’s General Data Protection Regulation (GDPR), a framework with broader scope and much tougher penalties for organisations that fail to comply with its rules on the storage and handling of personal data.
Although the new framework takes effect as the UK begins the process of leaving the EU, the Great Repeal Act means it is likely to be carried over into British law.
The DPA dates from the 1990s, and a time when only the largest companies had the means to collect and store significant amounts of data.
In the intervening years, the growing ease and sophistication of data collection mean that thousands of SMEs not only collect personal details but store, move and access them online. Personal data is used in everything from sales to customer relationship management to marketing.
Many authorities consider the GDPR long overdue, and ignorance will be no defence for businesses that fail to comply.
What does GDPR mean for your business?
Under the new regulation, where consent is the lawful basis for processing, companies must keep a thorough record of how and when each individual gave consent to the storage and use of their personal data.
Consent must be active agreement: it can no longer be inferred from, say, a pre-ticked box, silence or inactivity. Data controllers (the companies that decide how and why data is processed) must be able to demonstrate that consent was given, which in practice means keeping a clear audit trail such as screen grabs of the consent wording or saved consent forms.
Individuals also have the right to withdraw consent at any time, and withdrawing it must be as easy as giving it. Once consent is withdrawn and there is no other lawful basis for keeping the data, the individual’s details must be erased from every system that holds them, not just removed from a mailing list. This is the right to erasure, commonly known as the right to be forgotten.
In the event of a personal data breach that is likely to put individuals at risk, GDPR requires companies to notify the relevant supervisory authority within 72 hours of becoming aware of it, describing the nature of the breach, its likely consequences and the measures taken or proposed to mitigate its effects.
These conditions alone, and there are many more, show how demanding the new regulation will be for companies of all sizes. GDPR forces you to know exactly what personal data you hold and where it is located (on PCs, on servers or in the Cloud), and to have procedures in place to ensure its complete removal when a valid request is made. Monitoring must be able to detect breaches promptly, since the 72-hour notification clock starts when you become aware of one, and an incident response plan must be in place to deal with the repercussions.
Preparing for all this will require a full information audit and, for many companies, a change in culture, both of which should be planned and implemented well in advance of the May 2018 deadline. Personal data is a key asset for any business looking to win and retain customers: GDPR means it must be handled with the utmost care.
BT has produced a white paper, Dealing with new EU data-protection regulation, which outlines the implications of the new regulations and offers insight into how to best prepare for their implementation.