Have you got questions about the General Data Protection Regulation, which comes into force on 25 May 2018? Are people in your business asking “what is the GDPR” or “what does the GDPR mean for our company”? To answer those questions and more, we have put some answers together to help your business prepare for the new legislation.
What is the GDPR?
The General Data Protection Regulation (GDPR) is the European Union’s new data protection legislation, which replaces the EU Data Protection Directive.
The EU has worked on bringing data protection legislation in line with how data is used today. For example, when the current legislation was brought in, the internet and social media didn’t have as big an effect on personal data as they do now. The new legislation will reflect this.
What does the GDPR mean?
The GDPR means individuals will have more say over what businesses and organisations can do with their personal data. There are tougher fines for those businesses that don’t comply with GDPR or don’t report data breaches.
Those fines could be as much as 4% of annual turnover or €20m, whichever is greater. In the UK, the Information Commissioner’s Office (ICO) will be tasked with investigating data breaches or wrongdoings as far as the GDPR is concerned. It will also potentially issue fines.
What is the Data Protection Bill?
The Data Protection Bill is the UK government’s new data protection legislation and it was published on 13 September 2017. It will implement most of the GDPR legislation into UK law once it’s been passed by Parliament.
The bill is currently making its way through the House of Commons and House of Lords and they need to approve any amendments before the bill can become an Act of Parliament. Once passed, the Data Protection Bill will replace the Data Protection Act 1998.
As an EU piece of legislation, the GDPR’s data protection rules will be harmonised across the EU – although there is some flexibility on how countries implement GDPR, which is where the UK government comes in with the Data Protection Bill.
What does GDPR stand for?
GDPR stands for General Data Protection Regulation.
Get ready for GDPR with our webinar
Join us for a live webinar so you have a better understanding of GDPR, which comes into force on 25 May 2018, and learn about the steps your business can take to prepare for it.
When does GDPR come into force?
On 25 May 2018, the GDPR will come into force across all EU member states.
The GDPR was approved by the EU Parliament on 14 April 2016, following four years of preparation and debate. That approval required the EU member states to agree to the final text of the new legislation. However, businesses were given two years – until 25 May 2018 – to prepare for the changes. And from that date onwards, GDPR must be put into practice.
According to research undertaken by Sage (as part of our GDPR customer survey in October 2017, which featured 100 respondents), 57% of UK businesses lack awareness of GDPR, while 60% don’t know what it means for their business.
With that in mind, now is the time for your business to put a plan in place so you can prepare to be compliant when the new legislation comes into force on 25 May 2018.
Will GDPR affect my business?
In a word, yes. Even if your business is completely au fait with the Data Protection Act 1998, the requirements of the GDPR surpass it, so it’s unlikely that your company will already be compliant (unless it has already taken the necessary steps to be so).
What is a data controller?
The person, public authority, agency or other body who, alone or jointly with others, determines the purposes and means of the processing of personal data. If you are collecting personal data for your own use and purposes, you are the controller and fully liable for being compliant with the GDPR, including all security.
What is a data processor?
A person, public authority, agency or other body who processes personal data on behalf of a controller (other than employees of that controller). If you are processing personal data on behalf of another organisation, you are the processor and must only act on the instructions of the controller organisation. The GDPR now imposes direct obligations on data processors, not just data controllers.
What is personal data?
This includes but isn’t limited to a name, an identification number, location data, or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
Three things your business should do to prepare for the GDPR
Our Sage Business Experts have some useful tips to help you along the way so you are ready for the GDPR when it comes into force. Here’s what they have to say:
Nicky Larkin, founder and managing director of Goringe Accountants: “If you realise GDPR is going to be a big requirement for your business – and obviously it’s tight now because of the deadline – use an external consultant.”
Keith Tully, a partner at Real Business Rescue: “Don’t panic. There is a wealth of information to help you and your business prepare, much of which is completely free.”
Three articles you should read now to prepare for the GDPR
We have written a series of articles that will help you and your business to prepare for the GDPR.
- A guide for small businesses: https://www.sage.com/en-gb/blog/gdpr-guide-small-businesses/
- A GDPR checklist: https://www.sage.com/en-gb/blog/gdpr-12-important-things/
- What employers need to know: https://www.sage.com/en-gb/blog/gdpr-what-employers-need-to-know/
GDPR: A Guide For Small Businesses
The General Data Protection Regulation has been called the biggest ever shake-up relating to how personal data about individuals can be collected, stored and used. Get your free guide and get ready for GDPR.