An Introduction to GDPR
You’ve probably heard a lot about GDPR; it’s a popular acronym in the last few months .
However, having done some market research, I’m aware that there is a huge gap in understanding of the people it impacts most: business leaders and owners who need to ensure they comply by 25 May 2018.
With that in mind, I am writing a series of blog posts – of which this is the first – breaking down various aspects of GDPR into manageable chunks that are short, practical and easy to understand and implement.
This post, which is the first in a series, introduces GDPR, explains what it is (and isn’t!), and who it affects.
The existing Data Protection laws in the EU date back to 1995, and while it was thorough and wide-ranging – it covered aspects such as processing personal data, how that data can be used, and transferring that data to countries outside the EU – that was before the internet grew to the extent it has.
It also pre-dates companies like Amazon, Google and Facebook becoming the technological and data behemoths they are today.
Realising this, the European Commission started the process of reforming the existing rules in 2012, specifically to reinforce people’s online privacy rights, and boost Europe’s digital economy.
After an extended process of proposals, consultations and legislation, the General Data Protection Regulation (GDPR) came into force in May 2016, with relevant organisations having a two-year transition (so, till 25 May 2018) to comply.
What GDPR Is
GDPR sets out to ensure individual rights are adequately protected, particularly in the digital and online space.
It does this by providing eight specific rights, which I will expand on in a separate blog post.
It also now means that EU data protection law now applies to companies even if they are NOT based in the EU, as long as they handle data belonging to EU citizens and residents.
What GDPR Is NOT!
It’s important to emphasise that GDPR is not:
New: The concept of GDPR – which is essentially protecting individuals’ rights – is not a new one.
Its predecessor (the Data Protection Directive) had this at its core; GDPR builds on and extends these for the digital age.
If compliant with the previous directive (which all businesses should be!) in reality there’s no reason for any business to start the process of complying with the new regulation from scratch.
Only for big brick-and-mortar businesses: GDPR doesn’t just apply to large businesses, or those with a physical presence.
There are no exclusions for small businesses, one- or two-man businesses, or those that only operate online. Are you an accountant with clients across the country? An artisan selling your wares through your website or Etsy? A freelance marketing professional with a limited company? GDPR is to be complied with by all businesses.
As complex as it seems: It’s worth bearing in mind that the new regulation isn’t as revolutionary in approach as it may first appear.
As is the case with incoming regulation cottage industries have been created, and there are hordes of “experts” hawking their services.
While I am not suggesting there isn’t a place for this, some of the tales circulating about what is needed to comply have achieved mythical status. I will tackle these in a separate post but for now, a good place to start is with an initial assessment of where you are with data protection in your business, and where you need to get to.
About being done once-and-for all: The enforcement deadline is 25 May 2018, but that doesn’t mean your responsibility for data protection ends there.
Compliance is something you’ll need continue to execute and monitor.
Affected by Brexit.
Even though the United Kingdom is due to exit the European Union in 2019, it has confirmed that GDPR is still applicable.
Who GDPR Affects
GDPR affects the following businesses:
- Data controllers who collect and hold data from EU citizens and residents (such as employers with employee data, or businesses with customer data)
- Data processors who process data belonging to EU citizens and residents (such as IT cloud computing services).
It also applies to businesses outside the EU, if they collect or process data belonging to EU citizens and residents.
Good Places to Start
The Information Commissioner’s Office will enforce GDPR in the UK, and has a useful guide.
The ICO has also outlined 12 steps to help you prepare.
*Please note that this blog post does not constitute advice on the legalities of GDPR or data protection. It is for awareness and information purposes only; you remain responsible for getting independent advice and ensuring your business complies with the regulation.