GDPR, or the European General Data Protection Regulation, comes into effect on 25th May 2018. It’s a new regulation that every business in the country needs to be aware of, but what exactly is GDPR and how is it likely to affect clients and contractors?
It’s all about data protection
GDPR means businesses everywhere will have to think about how they are handling data and what they should do to protect personal data given to them by individuals. The aim of the new regulation is to give control back to individuals over how their data is collected and how it is shared in future while encouraging businesses to be more proactive in ensuring all personal data is handled more securely. Failure to comply with the new GDPR rules after 25th May could have serious consequences, including a hefty fine, but more about that later.
So, what are the key features of GDPR?
- Any business that has more than 250 employees will be required to have a designated data protection officer. This may mean having to hire a new member of staff although you can assign an existing employee to the role provided they receive the relevant training and are fully up to speed with all that GDPR entails.
- Any breach of data needs to be reported to the Information Commissioner’s Office (ICO) as soon as possible and no later than 72 hours after any data is lost or stolen. If the breach is considered sufficiently serious that the public needs to be alerted, it is your organisation’s responsibility to do so as soon as possible.
- After 25th May, you will need to get the individual’s consent to use their data. Previously, by ignoring the ‘opt out’ feature, consent was assumed to be given by default; now individuals will have to actively ‘opt in’ before their data can be shared. Data controllers must be able to show that consent was given.
- Individuals will have enhanced rights to access their information, to ask for information about them to be deleted, to have inaccuracies corrected, to prevent direct marketing, and to prevent automated profiling.
- Parental or guardian consent for use of data of a child (aged 13 and under in the UK) must be given and be verifiable.
What GDPR means for smaller businesses
While the regulation is likely to have a bigger impact on companies with more than 250 employees, smaller businesses will not be exempt, especially those companies which handle or store any of the following data on individuals: health data, details about race or ethnicity, religious beliefs, sexual orientation, political beliefs, and any biometric and genetic information.
How will GDPR affect IT contractors?
Many of our readers will have seen this buzzword become almost omnipresent in recent months, as the deadline nears. Naturally, there are new opportunities associated with the implementation – as the penalties for data breaches by larger organisations are severe.
- According to the ISC, two in five European governments and companies are expected to expand their cybersecurity divisions by more than 15% by mid-2018 to cope with the new rules.
- According to a recent survey conducted by recruitment specialist Robert Half UK, 64% of CIOs are planning to hire temporary or interim staff in 2018 to ensure they have the highly skilled talent in place to manage the change in data management and reporting.
- Last week, the Recruitment & Employment Confederation reported a massive jump in scarce IT skills across the UK. GDPR-related skills are listed as ‘scarce’ for both permanent and contract workers, so there are potential opportunities available for contractors who specialise in information security roles, or plan to train in those areas with an eye on the future.
- According to ITJobsWatch, the keyword ‘GDPR’ has become increasingly prominent within job postings over the past year. In fact, it is ranked 162 in the 6 months to 12th November 2017, having jumped 720 places in the keyword rankings since the same time last year.
- Unsurprisingly, the term is associated with 43% of data protection contracts, 21% of stakeholder management roles, and over 18% of information security jobs.
Possible consequences for non-compliance
We already have rules and regulations to protect data in the UK, and the ICO can fine companies up to £500,000 for serious breaches or malpractice. Once GDPR becomes law, however, the penalties will be even greater, and companies could face a fine of €20 million or 4% of global turnover – whichever is higher.
What to do
To help you get prepared before the new legislation takes effect, your company or client should carry out a data audit as soon as possible to evaluate current practices and see what changes need to be made. The ICO has produced a handy GDPR checklist that details what you need to do. You can also get more information here.
Clients who outsource personal data processing tasks to third parties must also ensure that they review any current contracts to incorporate the broader demands of the GDPR. There’s a handy article on this topic on the Pinsent Masons website.