A guide to the General Data Protection Regulation

A guide to the General Data Protection Regulation

— March 18

‘What is the General Data Protection Regulation and is my business compliant?’ Find out with Drumbeat’s guide to the GDPR right here on our blog.

A guide to the General Data Protection Regulation: your FAQs answered

The General Data Protection Regulation, commonly referred to as the GDPR, plans to overhaul the way that companies handle and process their data. With a number of significant enhancements set to come into play, the looming deadline is forcing business leaders to take note and install the changes necessary for a seamless transition. The GDPR, however, is a complex piece of legislation, comprising of 99 articles in total. So, rather than suggesting that you read every clause, we’ve boiled the key information down to these 10 FAQs posed by organisations wrestling with its implications.

1. What is the General Data Protection Regulation?

The GDPR is an order by which the European parliament, the council of the European Union (EU) and the European commission plan to harmonise the approach to data handling and protection across all EU member states. The law intends to unify data management principles, prioritise the rights of the individual and impose stringent procedures with tougher repercussions for those who fail to comply with the new rules. This shake-up of data industry practises will inevitably result in new obligations for companies of all sizes.

2. Will Brexit effect the implementation of the General Data Protection Regulation in the UK?

The GDPR will continue to be carried out across the UK, despite the decision to leave the EU. The government have stressed that post-Brexit, they aim to retain the ‘unhindered flow of data between the UK and the EU’ – something that the GDPR will guarantee.


3. When does the new regulation officially come into force?

The official implementation date is the 25th May 2018. The GDPR, however, was formed on the 27th April 2016, providing businesses with a 2-year transition window to adjust their data protection strategy accordingly.

4. Is my company going to be impacted?

In short, yes. According to the Information Commissioner’s Office (ICO): ‘if you are currently subject to the Data Protection Act, it is likely that you will be subject to the GDPR’. Individuals, organisations and companies of every size that are either ‘controllers’ (who determine the purpose and the manner in which any personal data is processed) or ‘processors’ (who process the data on behalf of the controller) of data will be effected, in some way, by the GDPR.

5. Do we not have data protection laws in the UK already?

Yes, we do. Back in 1998, the government enforced the Data Protection Act (DPA), a law developed with the intention to protect personal data recorded both physically and electronically. This act, however, is now almost 20 years old and no longer fit for purpose. Due to the technological advancements that have taken place over the past 2 decades, the amount of information that we create, capture and hold has dramatically increased. With so many businesses now operating across borders, international consistency surrounding data laws is paramount. The GDPR, in comparison to the DPA, adopts a more modernised approach and positions the safeguarding of data at the heart of its policies.

6. So, what is the difference between the Data Protection Act and the General Data Protection Regulation?

Although the GDPR may seem perplexing, the new order is simply an evolution in data protection. That said, there are some substantial differences that need to be noted:

— Whereas the DPA applies to solely the UK, the GDPR plans to be enforced across all EU member states, in addition to any third countries that possess the data of EU citizens.

— Compliance to the GDPR and its policies will no longer be overseen by the ICO, but more strictly monitored by a dedicated Supervisory Authority.

— Organisations that occupy over 250 employees will be required to recruit a Data Protection Officer - a member of staff that is responsible for managing the company’s data protection strategy.

— Some processes, like the deployment of a new technology in a company, can present potential high-risk situations. In these instances, businesses must conduct Privacy Impact Assessments to ensure safety of all data.

— Unlike the DPA, the GDPR emphasises the need for clear and straightforward opt-in consent rules, ensuring that citizens have full control over where their data is and who has access to it.

— The GDPR also provides individuals with the right to withdraw consent at any stage and if they wish, permanently erase their information from company’s databases.

— In order to keep citizens well-informed, if a breach of data is made then the organisation at hand must report the incident to the relevant supervisory authority within 72 hours.

— Under the power of the DPA, the ‘controller’ was accountable for the protection of data alone. Once the GDPR is implemented, however, both ‘controllers’ and ‘processors’ will become liable.

— The GDPR will introduce specific protections for minors by stunting their ability to consent to data processing without parental agreement.

— One of the most notorious differences between the DPA and GDPR is the new fining regime and the tougher repercussions for those who do not meet the new requirements. To give a bit of context and display the intensity of the matter, last year’s ICO fines would be 79x higher under the GDPR.

7. What are the penalties for non-compliance?

The conditions for consent have been strengthened and in turn, so have the punishments. As we mentioned above, abiding by the polices of the GDPR is not just a matter of best practise, but it will also prevent businesses from receiving serious penalties. For the most serious infringements, organisations could be fined up to 4% of their annual global turnover or a maximum of €20 million – whichever is the greatest out of the two. The bottom line is: if you fail to follow the basic principles of the GDPR, then you will incur significant financial consequences.

8. Does my business need to appoint a Data Protection Officer?

Firstly, let’s begin by defining what a Data Protection Officer (DPO) actually is. A DPO is a designated role, responsible for the management of a company’s data protection strategy. A DPO works with ‘controllers’ and ‘processors’, either in house or on a service contract, to help them operate in accordance with the GDPR’s practises.

There are certain scenarios in which the appointment of a Data Protection Officer (DPO) is mandatory. These include:

1. Processing that is carried out by a public body

2. Dealing with large-scale systematic monitoring of data

3. Managing sensitive data or data like criminal convictions or health records

If the above does not apply to your business, then you will not be required to employ a DPO.

9. How can I prepare for the General Data Protection Regulation?

One way to prevent feeling overwhelmed and tyrannised by the new regulation is by building its rules into your organisation’s everyday culture. To ensure that you are prepared as possible, take a read over the ICO’s 12 step guide. This simple checklist will help you to modify your business’ existing methodologies and ensure a stress-free transition.

10. Am I ready for the GDPR?

The Drum put it nicely when they said: ‘the best way to think of the GDPR rules is to put yourself in the shoes of the users and think to yourself – what would I expect them to do with my data?’ If your business already…

— Makes the option to opt-in completely clear and transparent

— Communicates to solely those who have given consent

— Only sends content that is relevant to users

— Provides individuals with the right to unsubscribe from your database

Then you are most probably already compliant with most of the GDPR’s policies.

If you are still feeling a bit lost and need some additional assistance, then the ICO have announced that they will be providing a phone service for small businesses, starting at the beginning of November. Or, if you fancy a read of the whole regulation, then you can here.