The aim of the GDPR is to put people in control of their personal information. It reinforces what is in the Data Protection Act (DPA), adds some new requirements to safeguard data and allows for much larger fines that should act as the incentive for companies of all sizes to take action. If you already meet all the criteria in the DPA, you have most things covered.
It isn't a scheme to replace data protection authorities across Europe - we have the Information Commissioners Office (ICO) in the UK - with a central body. The ICO will be responsible for issuing guidance on how to comply in the UK and issuing fines. The ICO are still working on the guidance notes, so precise details of what will happen in some areas are unknown.
The following is based on what has already been published.
What is personal information?
The definition has been made wider to include any information ‘relating to’ an individual. It specifically includes ‘online identifiers’ such as cookies, plus anything that contributes to identifying an individual (name, address, email address, IP address, images etc.), or links to such identifying information. If you think it could relate to an individual, it probably does, and you need to protect it.
What does this mean for SMEs?
To avoid a very long blog, here are some of the key points. Starting with a positive one for SMEs.
- SMEs will not need to appoint a Data Protection Officer unless large-scale data processing is their core activity. The ICO still has to define what 'large-scale' and 'core activity' mean, but the vast majority of SMEs are unlikely to need a Data Protection Officer
- Fines can be up to 4% of global turnover or €20m, whichever is the higher. Fines can be for breaches or not being able to demonstrate compliance
- Consent to process to data needs to be 'unambiguous'. Pre-ticked boxes, inactivity, and silence, do not constitute consent. Websites signup pages may need updating to say explicitly what is being signed up for and make sure boxes are not pre-ticked. You also need proof that consent to process information, which includes sending out email updates, has been given. If you have existing email subscriber lists and no record of consent, you will need to send out an email asking for consent and store that
- If you process data for another company, you fall within the remit of the GDPR and can be fined for non-compliance. Currently, it is just the company that owns the data that is responsible and can be fined. It will be very important to establish the contractual relationships and liabilities of different parties in a controller/processor relationship
- There is a 'right to be forgotten'. This is already in the DPA, but in a weaker form. If someone says they want to be forgotten/removed you need to remove all records; paper, electronic records, and images. If you have provided their information to another company, you will need to contact them and get them to confirm it has been removed. Another reason to review contractual relationships and liabilities