What does GDPR mean for tech businesses?
Red tape and data
From 25th May 2018, new legislation will control the way businesses store and use the data of European citizens. The General Data Protection Regulation will replace the UK Data Protection Act 1998, and aims to give citizens back control over their personal data.
According to big tech players, IBM, citizens are becoming “increasingly data savvy” and are concerned about:
- How brands are using their data for sales and marketing purposes
- Their rights when it comes to the use of their personal data
- The well-publicised threat of cyber data theft.
GDPR aims to tackle all of these issues, and give businesses a singular framework when it comes to European data management (previously, each member state set their own data regulation rules).
Keep reading to find out more about GDPR, and how it will affect UK tech businesses.
What is GDPR?
The GDPR is a new piece of legislation being introduced to make data protection rules consistent across the European Union.
It will help protect the data rights of European citizens and stop the exportation of personal data outside of the EU. Because GDPR applies to European citizens, any company that handles the data of a Europen person needs to follow GDPR legislation – regardless of where in the world they are based.
Detailed information about what GDPR entails can be found on the ICO website, but here are a few of the key points:
- Companies must only process and store customer data that is absolutely necessary to their business
- Some businesses will be required to hire data protection officers
- More explicit consent must be obtained from a customer before a business can collect their data
- Businesses must report any suspected data breaches must report the breach within 72 hour
- Individuals have the right to access their data at any time, and the right to be forgotten
GDPR will come into force from May 2018. Any businesses not in compliance can be slapped with a hefty fine, as well as those found to have suffered a data breach.
Penalties for data breaches or non-compliance means a fine of whichever is greater:
- Up to 4% of annual revenue
- Up to €20m
What type of data does GDPR apply to?
GDPR covers more ‘sensitive data’ than previous EU legislation, or the Data Protection Act.
The GDPR considers any data that can be used to identify an individual as personal information. As well as typical details like name, address, and contact details, the GDPR now applies to details such as genetic, mental, cultural, economic or social information.
According to privacy lawyer, Karsten Kinast, “From now, hardly any personal data will not fall under the GDPR, making it difficult for organisations to avoid having to comply with its requirements.”
How does GDPR affect tech businesses?
Firstly, there are no exceptions. Any business that handles the data of EU citizens is required to comply with GDPR rules – even small businesses.
However, that doesn’t mean that every startup needs to rush out and hire a data protection officer – that only applies to companies with 250 or more employees. But, if handling personal data is core to a business’s operations – such as for data processors or data security companies – an SME or startup may need a data protection officer in this instance.
Tech businesses should also be aware that the current level of consumer opt-in required for marketing emails will not be enough under the new GDPR legislation. At the moment, brands can send marketing emails to anyone who has ‘opted in’ by clicking a box. When GDPR comes into force, customers have to specifically agree to receive marketing emails. Bettina Specht explains all on the Litmus blog:
“Many practices that marketers previously used to grow their database won’t be compliant under GDPR. Someone left their email address to download a whitepaper or provided their contact information to enter a contest? If you didn’t tell them you’d use their personal data to send marketing messages—and if they didn’t actively agree that it is okay to use their data for that very reason—it won’t be legal to add those email addresses to your mailing list.”
One of the biggest ways GDPR will affect tech businesses is the threat of serious fines in the case of breach or non-compliance. The loss of 4% revenue or €20m could hit a cash-strapped tech startup pretty hard.
It’s not all doom and gloom, though. According to Kinast, speaking in Computer Weekly, GDPR will “make it simpler and cheaper for organisations” to comply with data regulations, “but at the same time, EU citizens sill have the right to approach any data protection authority of their choice to lodge complaints.”
How will Brexit affect GDPR?
According to Information Age, 1 in 4 UK businesses have cancelled their preparations for GDPR as they believe they will not have to comply now that the UK is leaving the European Union.
Unfortunately for them, that’s not the case. Here’s John Culkin, director of information management at Crown Records Management, to explain why:
“Firstly, [GDPR] is likely to be in place before any Brexit. Secondly, although an independent Britain would no longer be a signatory it will still apply to all businesses which handle the personal information of European citizens.”
So there you have it. Don’t scrap the GDPR plans just yet.
It’s still early days, and we’re likely to find out much more information about GDPR as time progresses. Keep checking back on the blog for more updates as and when they appear.