What does the General Data Protection Regulation (GDPR) mean for startups and SMEs?

In 2018, the laws stipulating how companies are required to protect customer data will change, with the Data Protection Act (DPA) being replaced by the General Data Protection Regulation (GDPR). The GDPR is an EU regulation which comes into effect on 28 May 2018. According to the Information Commissioner’s Office, it will apply in the UK regardless of Brexit negotiations.

The new regulation is apparently intended to be skewed towards individuals rather than companies, and aims to protect citizens’ data privacy.

Whereas the DPA only applied to the UK, the GDPR applies to the whole of the EU and, importantly, any global company which holds data on EU citizens.

Here’s a few pointers on how this could affect your business, including:

• Customer and employee rights – you must ensure that anyone you hold data on has these rights
• Company responsibilities – the changes you need to make inside your company to suit the new regulations
• Fines for non compliance
• Further reading

Note: This post is intended as a primer only. The new regulations will affect each unique business differently and it is definitely worth getting to grips with the official documentation before making any decisions.

Customer and employee rights

Consent

One of the big topics of the GDPR is consent and proving you have it. According to the ICO, consent needs to be completely unambiguous and the GDPR explicitly bans pre-ticked opt in boxes.

You must keep records and make it easy for people to withdraw consent.

Under the DPA: A negative opt-in was an acceptable form of consent (e.g. tick here if you do not wish to receive communications).

Under the GDPR: If you market directly to prospects or customers, a positive opt-in will be required. Individuals must opt-in whenever data is collected and there must be clear privacy notices. Those notices must be concise and transparent and consent must be able to be withdrawn at any time.

There are workarounds to getting consent in specific situations. This doc on consent from the ICO should cover most of it.

Right to be forgotten

Under the DPA, there was no requirement for an organisation to remove all data they hold on an individual, unless it caused unwarranted substantial damage or distress. Under the DPA, organisations were permitted to charge a reasonable fee for data requests, and the rights for erasure or rectification were a matter of common law.

Under the GDPR, an individual will have the ‘right to erasure’ – which means that all data on them can be permanently deleted. They also will have the right to transfer this data to another company.

Read more about the right to erasure here.

Data portability

Under the DPA, data portability was recommended via the Government’s midata initiative, but not enforced.

Under the GDPR, all consumers have the right to move their personal data between providers. As a business, it’s your responsibility to:

• Provide this data in a commonly used format (e.g. a csv) free of charge when asked
• Pass data onto another provider if its technically feasible

Read more on data portability from the ICO here.

Company responsibilities

Data Protection Officers (DPOs)

Under the DPA, there was no requirement for data protection officers.

Under the GDPR, companies must appoint a data protection officer if they:

• are a public authority (except for courts acting in their judicial capacity);
• carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
• carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

This can be an existing member of staff, as long as there is no conflict of interest with their current role. You don’t need any formal training or qualifications to be a DPO, but you “must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices.”

You can find out more at eugdpr.org and the ICO website.

Privacy Impact Assessments (PIAs)

Under the DPA, Protection Impact Assessments (PIAs) were not a legal requirement, although they have always been ‘championed’ by the ICO.

Under the GDPR, PIAs will be mandatory if data processing is risky for individuals. The ICO gives the following examples (PDF):

• where a new technology is being deployed;
• where a profiling operation is likely to significantly affect individuals;
• or where there is processing on a large scale of the special categories of data

Security breaches

Under the DPA, there was no legal obligation to report security breaches, unless the breach affected an organisation providing a service allowing members of the public to send electronic messages (e.g. telecoms providers or internet service providers), as laid out in the Privacy and Electronic Communications Regulations (PECR).

Under the GDPR, all organisations will be required to report a security breach if that breach is likely to “result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage” (via ICO).

Fines for non-compliance

The GDPR has two levels of fines.

1. Up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. This will be considered according to Article 83(4) of the GDPR.
2. Up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. This will be considered for infringements covered in Article 83(5) of the GDPR.

Fines will be considered on a case by case basis and will be dependent on things like how intentional or negligent the infringement was, how the company attempted to mitigate the damages, any previous infringements, cooperation with authorities and the nature of the data affected.

Find out more about Article 83 here.

Summary

For the most part, the GDPR is in line with the DPA so if you’re already complying, you shouldn’t have a lot to worry about.

The ICO have created a 12 step checklist to prepare companies for the GDPR that you should definitely familiarise yourself with. It is likely that the ICO will continue to release guidance until the GDPR comes into effect so do keep an eye on them.

While you may not need to formally assign a Data Protection Officer, it’s worth getting someone within your company to brush up on the regulation to make sure you’re complying so you don’t get hit with a potentially fatal fine.

Further reading

• Preparing for the GDPR: 12 steps to take now – ICO
• Overview of the GDPR – ICO
• EUGDPR.org

If we’ve missed anything, please get in touch to let us know and we’ll update this post.