Living in an increasingly digital world has brought about undeniable changes to our lives.
One of the consequences of this is the amount of data we all share, including many of our personal details. Medical professionals, retailers, insurers and numerous other service providers all hold personal data, some of which is highly sensitive.
However, the way our data is used isn’t always clear and nor can we be sure it is being kept secure. The new General Data Protection Regulation (GDPR) the EU is introducing next May aims to tackle this by creating new rules to keep data safe. It will also give people greater control over how their personal data is used.
While many organisations are now aware of the legislation, they are not as clear about the precise impact it will have on them and what new data practices they need to adopt. What’s more, there is no shortage of conjecture on the subject. So, Sam Reed, a certified GDPR Practitioner and the Chief Technology Officer at AirIT, is going to clarify the truth behind some of the myths circulating.
Myth – It’s not relevant to the UK because of Brexit.
Because the legislation is being introduced while Brexit is being negotiated, some believe it won’t apply to the UK. Others believe it will only apply until March 2019, when we are due to leave the EU.
In fact, the legislation will apply to anyone who offers goods or services to EU citizens, regardless of where you are based. Even if you don’t handle EU citizens’ data, you will still have to adhere to the new data protection laws being introduced in the UK. The government says the proposed changes, which have already been set out in a Data Protection Bill, will incorporate GDPR’s rules. They are doing this to help Britain prepare for a successful Brexit.
The new UK law will replace the 1998 Data Protection Act and aims to make the UK fit for the digital age.
Myth – There isn’t enough clear information on consent available to start preparing.
One of the changes GDPR will make is raising the standards for getting consent to use people’s data.
Some organisations believe they should wait for the Information Commissioner’s Office (ICO) to issue its final guidance on consent before they make any changes, but this isn’t necessary.
The ICO says it is waiting for Europe-wide consent guidelines to be published, so they can offer consistent guidance. In the meantime, they have given draft consent guidance which they don’t expect to change much when they publish the formal guidance.
The guidance given includes obtaining explicit consent, naming any third parties who will rely on the consent, and making it as easy for people to withdraw consent as it was to give it. An important point to clarify is that you don’t always need consent. For example, banks sharing data for fraud prevention, or local authorities processing council tax information, can rely on a lawful basis other than consent.
Myth – It is going to put an unfair burden on businesses.
There are some who feel GDPR is putting undue pressure on businesses to change their working practices, or risk a hefty fine.
However, the ICO has pointed out that the new higher fines being quoted are the maximum allowed and will not be routine. They say fines will remain a last resort and will be issued proportionately. So, those concerned that the maximum fine of £17 million (€20 million) or 4% of global annual turnover, whichever is higher, will be imposed simply to set an example early on need not worry.
Rather than putting undue pressure on businesses, I believe the new legislation offers the ideal opportunity to review your data and ensure it is up to date. So, in the end, you may end up with less data but it will be of a better quality.
It is also a good opportunity to review your cyber security measures because new threats are constantly emerging and can affect business of all sizes. Some small businesses mistakenly believe they are unlikely to be targeted.
However, according to the Federation of Self Employed and Small Businesses (FSB), cyber crime is one of the fastest growing risks to small businesses. An FSB report found that 19,000 cyber crimes are committed against small businesses in the UK every day, and a government report estimates the average cost of a breach to a small business at £3,100.
Making sure you have robust cyber security measures in place is wise, regardless of the legislation. The National Cyber Security Centre publishes 10 steps you can take to protect yourself.
Rather than hampering the ability of businesses to use data, GDPR may make people more willing to share their data because of the new security standards. ICO research shows that people “would be more willing to provide their data, and for different uses, if they felt they could trust organisations to handle it fairly, securely and responsibly.”
Myth – GDPR is going to revolutionise the way we handle and use data.
There is currently so much hype surrounding GDPR, it is easy to believe it is going to completely change how we use data. But the ICO is keen to point out the new law is “an evolution not a revolution”.
The new law will keep many of the same principles as the current data laws and simply build on these.
Those who follow the current data protection laws are already likely to be in a good place. They now simply need to review and update their current procedures, which won’t just keep them on the right side of the new law but will benefit them too.
Myth – Everyone needs to appoint a Data Protection Officer.
There is also some concern that every organisation now has to appoint a data protection officer. The DPO is meant to be the data protection expert in an organisation. Although many organisations will need a DPO, including some small businesses, not everyone needs to appoint one.
Under GDPR, you must appoint a data protection officer (DPO) if you:
● are a public authority (except for courts acting in their judicial capacity)
● carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
● carry out large scale processing of special categories of data, or data relating to criminal convictions and offences.
It is important to make sure you fully understand the role of a DPO before appointing one because the position needs to meet particular requirements laid out in the law. For example, the DPO needs to be independent and the business must provide them with the resources to complete their work.
With roughly six months to go before GDPR comes into effect, there is no reason to wait before you review your data practices. The ICO has laid out 12 steps you can take now to prepare. Using this simple guide is a good way to start getting ready for GDPR but be sure to get expert legal advice on anything you are unclear about.