The UK Business Owner’s Quick Guide to GDPR
Next May (25 May 2018), the most far-reaching privacy law the European Union has adopted takes effect. Called the General Data Protection Regulation (GDPR), it requires businesses, including many outside the EU, to make substantial changes in the way they collect and handle personal data.
The changes are overdue. The EU's existing data protection rules date from 1995, and technology has moved on considerably since then, leaving personal data far less protected than it should be. So how does GDPR protect people's personal data, and what do UK business owners need to know?
GDPR in a Nutshell
The new GDPR law was created to give residents of the EU more control over their personal data—how it’s collected, how it’s stored, and where it ends up. For private citizens, it’s a tremendous step forward for their privacy rights.
For businesses, it looks very different. Companies that do business online face a complex set of rules about the data they collect on their customers. Simply understanding what is required has been a struggle, and with the May 2018 compliance deadline approaching, preparation for the changes ahead is in full swing.
What do UK Businesses Need to Know?
One of the most sweeping changes in GDPR is its increased territorial scope. GDPR is an EU law, but it applies to any organisation that offers goods or services to people in the EU or monitors their behaviour, regardless of where that organisation is established. Where your headquarters are located makes no difference.
Although the UK is leaving the EU, GDPR is still a major force of change for UK businesses. Brexit is not instantaneous: GDPR takes full effect well before the UK's withdrawal completes, so there will be a period during which it applies directly to UK companies.
Companies that fail to comply with the new data protection measures face fines of up to €20 million or 4 percent of annual global turnover, whichever is higher. What will they need to do? Here is a quick look at the seven main areas of change.
Basic Requirements of GDPR
Under GDPR, consumers gain more rights over their personal data: greater transparency about how it is used, and specific rights they can exercise if they are concerned about how it is being handled or secured.
Pragmatically speaking, here’s what companies will need to do.
- Consent – Ask for consent in clear, plain language, without legalese, and separately from other terms and conditions. Consent must be an active opt-in (no pre-ticked boxes), and withdrawing it must be as easy as giving it.
- Breach Notification – Report a personal data breach to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless it is unlikely to pose a risk to individuals, and tell the affected individuals without undue delay when the breach is likely to pose a high risk to them.
- Right to Access – Confirm to individuals, free of charge and normally within one month, whether their personal data is being processed, for what purpose and with whom it is shared, and give them a copy of the data.
- Data Portability – Provide personal data to the data subject in a structured, commonly used and machine-readable format, and transmit it to another controller where they request it and it is technically feasible.
- Right to be Forgotten – When a data subject asks, erase their personal data and stop disseminating it, where one of the grounds in the regulation applies (for example the data is no longer needed for the purpose it was collected, or consent has been withdrawn); the right is not absolute.
- Privacy by Design – Build data protection into the design of technical systems and processes from the outset, and apply privacy-protective settings by default, rather than tacking security and privacy measures on as an afterthought.
- Data Protection Officers (DPO) – Appoint a DPO to monitor compliance, advise the business and act as the contact point for the supervisory authority. This is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive data; other businesses may appoint one voluntarily.
In an increasingly data-driven world, privacy and security regulation needs to keep pace. The UK and the EU have been operating under laws written in 1998 and 1995 respectively: the Data Protection Act 1998 and the Data Protection Directive 95/46/EC.
With GDPR and the UK legislation that mirrors it, the aim is clearer rules on data flows, stronger security, and safer handling of consumer data. That is a win not just for consumer privacy rights but also for businesses that want to keep operating in the digital world.