Data Protection is changing - will your business be affected?
All UK businesses should be abiding by the Data Protection Act in order to make sure that all personal data remains just that - personal. But in 2018 there will be changes made to it to bring it up to date and more relevant with today's technology.
What does the current Act say?
Whether you're self-employed or part of a large business, if you're handling personal data then you will need to abide by the Data Protection Act. If you want to know the full terms of the Act, take a look at the GOV.UK website. In brief, it can be summarised as 8 principles:
- Have permission to collect, store and use data from the individual.
- Only use data in the way it was laid out when it was collected.
- Only collect data that's needed. E.g. if you're running an email newsletter you won't need to collect home addresses or phone numbers.
- Keep the information accurate and up-to-date.
- Not hold the data for longer than required.
- Tell the consumer how their information is being used, especially when asked.
- Keep personal information safe and secure.
- Keep all data within the UK, never share it or store it outside the EEA.
So what's going to change?
As of 25th May 2018 the UK will be moving over to the General Data Protection Regulation (GDPR), which applies throughout the EU. This means there will be a few changes coming into force. These include:
- The GDPR applies to all of the EU, not just the UK
- This means an increase in data privacy for people and companies outside of the UK.
- There will be a new set of rules in place, governed by a Supervisory Authority (SA) in each country.
- Individual SAs will monitor compliance, and other SAs can support where required.
- Privacy Impact Statements should be carried out for all projects and initiatives where privacy can be impacted.
- All information collected will have to be accompanied by clear and concise privacy notices; this applies to all information.
- Currently an annual notification of data processing is made to the ICO (Information Commissioner's Office). The GDPR brings increased responsibility and accountability: you will have to include details on data retention and contact details on an annual basis.
- Dedicated Data Protection Officers (DPOs) will be required for companies which have more than 250 employees.
- You must notify the relevant authority of any Data Protection Breach within 72 hours.
- This is currently encouraged but not required.
- Fines can be issued to the value of up to €20m or 4% of the annual global turnover. You can be fined for breaches or non-compliance.
- The consumer has the right to erase their own data. You will have to remove all records, including web, for the data subject if requested and specific circumstances are met.
- All data collected will need to have the ability to be moved between systems; this could mean system development within individual companies in order to meet the requirements.
How can my business prepare for these changes?
None of these will be put into place until 2018, so there's time to prepare. However, if you want to start making changes now so that there is less to do when the time comes, follow these 5 tips:
- Get top-level management on board; all changes are driven from the top.
- Understand your current level of compliance with the new rules by conducting an assessment.
- Start to develop a security incident process which includes notifying the government of any breaches.
- Create and update policies and procedures to better protect personal information.
- Provide additional training for employees so that they fully understand their responsibilities when it comes to data protection.
The GDPR can seem as though it's bringing in a lot of changes, but these can be easily managed if you start thinking a little differently and take even more care with any personal information your business is handling.
You should also consider that the UK is in the process of leaving the EU, which may affect these changes, so these updates may very well change.
For more information, please check out the Overview of the GDPR from the ICO.