The General Data Protection Regulation (GDPR) has been called the biggest ever shake-up in how personal data about individuals can be collected, stored and used.
Its implications are massive and almost certainly not fully understood by the majority of businesses, even though the legislation applies from 25 May 2018.
The GDPR goes far beyond existing data protection measures and affects businesses of all sizes – from sole traders up to the biggest corporations. Research undertaken by Sage shows that 57% of UK businesses lack awareness of GDPR, while 60% don’t understand what GDPR means for their business.
Unsurprisingly, businesses have many questions about GDPR – ranging from how it should be implemented to how it will impact their day-to-day work.
Here are the answers to some frequently asked questions. Got any other questions? Let us know in the comments below for a future update of this piece.
1. Does my business have to become “GDPR certified”?
No. The GDPR doesn’t specify or mandate a particular certification scheme, but it does encourage voluntary certification by industry bodies or organisations that are accredited against EN-ISO/IEC 17065/2012 and authorised by the relevant supervisory authority, such as the Information Commissioner’s Office (ICO) in the UK.
Certification is encouraged as a way of demonstrating appropriate technical and organisational security measures, among other things, and it is of particular importance for third parties that process data on behalf of others (processors). To this end, the Cloud Select Industry Group (C-SIG) now has a Code of Conduct that is approved by the ICO and the EU’s Article 29 Working Party.
2. What’s the deadline for the GDPR?
The GDPR applies from 25 May 2018. There’s no grace period or transition arrangement, so your business must be ready by that date.
3. Will my business have to undergo GDPR audits or inspections?
There’s no requirement within the GDPR for regular governmental audits or inspections, but supervisory authorities do have the power to carry out audits as part of their investigatory powers. That isn’t to say self-imposed audits or inspections aren’t a very good idea, or even a de facto requirement for demonstrating compliance.
For third parties providing data processing services to others (processors), the situation is a little more complicated. They must make available to the business employing them (the controller) all information necessary to demonstrate compliance with their obligations under the GDPR, and they must allow for and contribute to audits, including inspections, conducted by that business or by an auditor it mandates.
In addition, the GDPR introduces significant new record-keeping requirements (records of processing activities) that apply to most businesses, and its accountability principle applies to all of them. It’s not enough merely to comply with the GDPR: any business must be able to prove it’s doing so.
Note that governments might introduce formal, regular audit processes in the national laws that supplement the GDPR.
4. I run a very small business comprising just myself. Does the GDPR affect me?
Yes. The GDPR applies to anybody engaged in an economic activity that processes personal data – including organisations such as partnerships, charities or clubs/societies. It doesn’t matter whether the entity is a legally recognised body or not. (Processing purely for personal or household purposes is exempt.)
5. Are products from Sage ready for the GDPR?
Sage is working to ensure all its active products are GDPR-ready. In line with the UK’s Cyber Essentials guidance, and similar government recommendations in other countries, Sage recommends users always ensure they are running the latest versions of software.
Specifically, to assist organisations in meeting their GDPR obligations, Sage may continue to provide additional enhancements, so customers are advised to periodically review the latest available version and install updates as appropriate. Customers running cloud products, such as those within Sage Business Cloud, benefit from always running the latest version of the software.
6. I’m already compliant with the Data Protection Act 1998. Do I need to do anything?
Probably. The GDPR replaces the national laws that implemented the previous EU data protection directive in each Member State – in the UK, the Data Protection Act 1998. The requirements of the GDPR go significantly beyond the 1998 Act, so it’s very unlikely that a business will find itself already compliant without further work.
7. In a nutshell, how does the GDPR differ from existing data protection legislation?
To be blunt, the differences are so extensive that it’s impossible to sum them up in a quick answer. General Data Protection Regulation: The Sage Quick Start Guide for Businesses provides a concise and readable overview.
8. What are the consequences of breaching the GDPR?
For the most serious infringements, your business might be fined up to €20m or 4% of annual global turnover, whichever is the greater (a lower tier of up to €10m or 2% applies to other infringements). Notably, it’s possible to breach the GDPR without suffering an actual data loss – for example, by failing to keep the required records or to honour individuals’ rights.
9. How will Brexit affect the GDPR?
The UK government has said it is implementing the GDPR in new data protection legislation via the Data Protection Bill, and says this will continue to apply once Brexit takes place, which is scheduled for 2019.
10. How much will the GDPR cost my business?
Expenses for a typical business are likely to include some, if not all, of the following:
- An ICO registration fee, payable by organisations that process personal data; this will be based on size and turnover, and will also take into account the amount of personal data processed
- Audits of all processes in all departments, ideally by a qualified individual or business
- Modifications such as staff retraining and information technology adaptations
- Potentially appointing and training a Data Protection Officer (DPO; see Q11 below)
- Setting-up and maintaining continual documentation processes demonstrating compliance with the GDPR
- Voluntary certification costs, especially if your business processes data on behalf of other companies (see Q1 and Q3 above, remembering that you should only use certification bodies that are accredited against EN-ISO/IEC 17065/2012 and have been authorised by the relevant supervisory authority, such as the ICO in the UK).
11. Will I need to appoint a Data Protection Officer (DPO)?
Some types of businesses will have to. You must appoint a DPO if your business is a public authority, if your core activities involve regular and systematic monitoring of individuals on a large scale (including profiling), or if your core activities involve large-scale processing of special categories of data, such as health data, or of data relating to criminal convictions and offences.
Your Data Protection Officer could be an existing employee or somebody you contract from outside your business, but you’ll have to publish their contact details and notify them to the supervisory authority, and they will need the expertise and training to do the job properly.
12. My business is not based in the EU. Am I affected?
The GDPR applies to any business worldwide that processes the personal data of individuals in the EU. If you have no establishment in the EU but are offering goods or services to individuals in the EU or monitoring their behaviour, you will generally need to appoint a representative within the EU to handle GDPR enquiries (limited exemptions exist for occasional, low-risk processing).
The representative must be designated in writing, and their identity must be made available to individuals and supervisory authorities – for example in your privacy notice and your records of processing. Many third parties already specialise in providing this representation and can be found online. At the very least, you should check whether this is a requirement for your business.
Before the GDPR is enforced, it’s difficult to predict the consequences for businesses outside the EU that contravene it, but they could include being banned from processing the data of EU individuals or from transacting business within the EU until compliance is demonstrated, which could take some time. This could affect not just sales but also suppliers, so could have a devastating effect.