From 25 May 2018, the new General Data Protection Regulation (GDPR) will come into force in the UK. It will replace the existing Data Protection Act (DPA), which hasn't changed since 1998.
For businesses of every size, this new regulation could have a huge impact. Getting to grips with the new requirements and putting systems in place in good time will be vital to ensure compliance.
Why GDPR has been introduced
GDPR has been introduced by the EU to meet the demands of a growing digital landscape. Like the DPA, the new framework will focus on the way personal data is collected and stored, but it will have a much wider scope.
Data protection laws were originally aimed at large organisations who had the systems to collect and store customer data, but with the advent of digital technology, even small businesses now have the capacity to store personal data easily.
With cybercrime becoming an increasing problem, and small businesses in particular being regarded as a soft target for stealing customer data, the more stringent requirements of the GDPR will make it harder for criminals to pilfer personal details online.
GDPR compliance will affect businesses in the EU and those outside the EU that trade with EU countries. The UK will still be covered by the new regulation, despite Brexit.
Requirements of GDPR
GDPR will require businesses to comply with the new data protection laws. Businesses currently subject to the DPA are likely to be subject to GDPR too.
Similar to the DPA, GDPR relates to personal data, but its definition is broader and includes any online identifier such as IP addresses, internet cookies and DNA. Businesses will need to ensure that when they collect and store data, nobody can be identified by any of these means.
Controllers and processors of personal data will have wider obligations under the new laws. They'll need to provide explicit proof that consumers have given consent for them to use their personal data and store all information securely.
Individuals will also have more freedom to move their data between companies under the new legislation. Equally, the reforms give consumers the control to ask businesses and social media sites to remove their data permanently, with the 'right to be forgotten'.
Consumers will also have the right to demand that their personal data is evaluated by a human being rather than a machine when profiling their details.
Businesses that flout the new rules will be heavily punished, with fines of up to £17m or 4% of a firm's turnover. A plea of ignorance won't be enough to avoid a fine, so the new data protection regulation will force businesses to take measures to secure personal data. Because the wider definition of personal data now includes online identifiers, businesses will also need more stringent technical measures in place to protect that data.
Companies can also safeguard sensitive information by using Access Control Solutions from ISGUS. These robust and secure products limit access to rooms, such as server rooms that hold personal data. Stay on the right side of the law with the help of ISGUS.