Companies in the UK now have less than a year to prepare for the arrival onto the statute books of the General Data Protection Regulation (GDPR) on the 25th of May 2018, and there is already a huge amount of noise about this.
This important legislation will mark a significant change in the way that companies are required to manage, process, store and share personal data, and will be more robust than the Data Protection Act (1998), on which the new law builds.
GDPR will apply across Europe and, despite the UK’s imminent departure from the EU, the UK will still be “opting in” to the new law, a commitment reiterated in the recent Queen’s Speech following the general election.
There are very few businesses, even at the smaller end of the SME market, that won’t be affected in some way. For those wondering if the GDPR will affect them, as a general rule, those which are currently regulated by the UK Data Protection Act are likely to be affected by the GDPR.
With a recent survey suggesting that the majority of businesses in the UK have not yet committed any finances to make themselves compliant with the new regulations, there’s clearly some urgency for companies of all sizes to begin the internal processes to ensure they are legal next May.
Whenever a business makes changes to its internal processes (and for some, GDPR could mean large-scale overhauls of IT systems and storage solutions), there are more than likely going to be cost implications. GDPR may see the need for some companies to take on new staff in the form of a dedicated Data Protection Officer, but even if this doesn’t apply to your business, the costs of researching, adjusting and retraining in preparation for the new legislation may be significant.
What are the main changes that GDPR will bring?
- For the first time ever, if your business handles the personal data of any EU citizen, you will be required to comply with the new legislation. This applies, for example, if your business has a customer database for marketing purposes which includes EU citizens (such as when you trade overseas), or if you sell goods and services over the internet within the EU.
- Businesses will need to be clearer about the information they are requesting from customers and how they will use it.
- Confusing contracts and terms and conditions will no longer be legal. Companies will be obliged to be transparent during the collection of customer data to ensure consent is given unambiguously.
- Strict penalties will be introduced for businesses that breach the new legislation, with the maximum fine increasing from £500,000 under the previous law to €20m / £17.5m or 4% of global turnover for the most serious incidents when GDPR is introduced.
- GDPR requirements will apply to both processors and controllers of customer data. In simple terms, a processor is a legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
- The controller determines how and why personal data may be collected, and then uses a processor to carry out the collection.
If you are a business looking for more comprehensive information about GDPR and what you need to do to become compliant in time for next May, there’s a huge amount of information available.
A clear, concise summary has been published by the ICO (Information Commissioner’s Office) and is an excellent starting point to understand more about this.
As ever, Ultimate Finance is on hand to help business owners get easy access to the funding that they need to make their lives that little bit more straightforward. If you’re worried about the costs of adjusting to the requirements of GDPR then please do get in touch. We will be happy to help.