The General Data Protection Regulation (GDPR) is an EU regulation that comes into force in May 2018. It’s designed to give EU citizens greater control over how their data is used and foster increased trust in the digital economy.
You might think that since the UK is in the process of leaving the EU this is something you don’t need to worry about. However, GDPR is designed to protect the personal data of individuals in the EU wherever it’s stored and processed, so even businesses outside the EU that handle such data are going to have to comply with its rules.
GDPR will affect any business that holds personal data relating to individuals, including those in the print and packaging industries. It applies to data controllers (those who decide how and why the data is used) and to data processors (those actually handling the data on a controller’s behalf). A controller, therefore, could be anyone from Facebook to government bodies and charities through to smaller companies. A processor could be an IT services company, or a print supplier using a client’s data to create personalised documents or mailing labels.
What will it mean?
Once GDPR is in force, controllers will need to ensure that data processing is transparent, lawful and limited to a specific, stated purpose. Once that purpose is complete and the data is no longer required, it must be deleted. Information used to print a one-off mailing, for example, will need to be discarded after it’s been used.
The ‘lawful’ aspect of this is important. Processing is lawful if the subject has given consent to their data being used for that purpose. It is also lawful if it’s necessary to comply with a legal obligation, to perform a contract with the subject, or to protect the subject’s vital interests. Processing can also be lawful if it’s in the public interest, or in the legitimate interests of the controller, as in the case of fraud prevention, provided those interests aren’t overridden by the subject’s rights.
Key for businesses is that where consent is the basis for processing, data controllers must obtain active, unambiguous consent from the subject. Current systems that assume consent but allow for a tick-box opt-out will no longer be acceptable. The data controller needs to keep a record of when and how consent was granted. Subjects must also be able to withdraw their consent whenever they wish, and it must be as easy to withdraw as it was to give. They also have a ‘right to be forgotten’, which means they can demand that their data is deleted, for example when they withdraw the consent it was collected under.
The definition of personal data is similar to that under the current UK Data Protection Act; however, under GDPR it’s extended to include other items such as online identifiers like IP addresses and cookie IDs. Pseudonymised data (data that can still be traced back to an individual, for instance with the help of a separate lookup table) is covered too; only data that has been genuinely anonymised, so that the individual can no longer be identified, falls outside the regulation. Subjects also have a right to data portability: on request, a controller must provide their data in a structured, commonly used, machine-readable format so that it can be transferred to another organisation.
If you suffer a data breach that is likely to put people’s rights and freedoms at risk, under GDPR you must inform your data protection authority (the ICO in the UK) within 72 hours of becoming aware of it, and, where the risk is high, inform the affected individuals as well. Companies that are in breach of GDPR can be fined up to €20 million or four percent of their worldwide annual turnover, whichever is greater.
We strongly advise you to seek independent legal advice relating to GDPR.
Athena Executive Search specialise in recruiting senior leadership positions in the Print and Packaging sectors across Europe. We have set up a working group and are currently ensuring that we are fully GDPR compliant by 25th May 2018. This involves a full review of our business and how we collect data and how it is managed. We will update our clients and candidates as we move closer to GDPR being implemented.