With the long countdown to Christmas and the New Year now over, another countdown has begun for UK businesses – towards the impending introduction of GDPR, or the General Data Protection Regulation.
What is GDPR?
The General Data Protection Regulation applies throughout the EU from 25th May 2018, following a two-year transition from the existing legislation, the Data Protection Directive (95/46/EC), which it replaces (in the UK the Directive was implemented by the Data Protection Act 1998). It is broadly intended to give people greater control over how their data is used, and to update data protection law and business practices for an age in which consumer data is stored, accessed and shared more widely than ever before. It also standardises data protection legislation across the EU.
Because GDPR is a regulation rather than a directive, it applies automatically in every EU member state on 25th May, with no need for further national laws to be drafted. Its scope is also extraterritorial: it covers organisations established in the EU, and organisations anywhere else that offer goods or services to people in the EU or monitor their behaviour. So even though the UK is set to leave the EU, British businesses that handle the data of people in the EU will still be required to follow it after that point.
What does it change?
- The scope of what is considered personal data – the previous legislation left grey areas over developments such as social media that came after its enactment. GDPR defines personal data as any information relating to an identified or identifiable person, and makes explicit that this includes online identifiers such as IP addresses and cookie IDs, location data, and user-generated content such as social media posts and photographs where they relate to an individual. Pseudonymised data remains personal data if the individual can still be re-identified.
- The nature of consent – in the past it was possible to obtain consent passively with pre-ticked checkboxes and similar devices. Consent must now be freely given, specific, informed and unambiguous, and given by a clear affirmative action: pre-ticked boxes, silence and inactivity do not count, and it must be as easy to withdraw consent as it was to give it. Consent is also only one of six lawful bases for processing, so do not rely on it where another basis (such as performance of a contract or a legal obligation) actually applies.
- Records – controllers and processors must keep a written record of their processing activities (what data is held, why, who it is shared with, how long it is kept and what security measures protect it) and make it available to the supervisory authority on request.
- Personnel – you must appoint a Data Protection Officer if you are a public authority, or if your core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (such as health or biometric data) or criminal records. The 250-employee figure often quoted in this context relates to the exemption from record-keeping for smaller organisations, not to the DPO requirement.
- Notification – a personal data breach must be reported to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals. Where the risk to individuals is high, they must also be told without undue delay, and a processor that suffers a breach must notify its controller without undue delay.
One of the main reasons why businesses need to pay special attention to these changes is that the penalties for not complying with them can be severe. Supervisory authorities have a range of corrective powers, from warnings and reprimands to orders to stop processing altogether, and for the most serious infringements they can impose fines of up to 20 million euros or 4% of worldwide annual turnover, whichever is higher (a lower tier of 10 million euros or 2% applies to other infringements).
Does the GDPR apply to us?
If your business decides why and how personal data is collected and used, then as a ‘controller’ of that data you will need to adhere to the new legislation. If you process data on behalf of another organisation, then as a ‘processor’ you are also directly subject to obligations under the GDPR, which was not the case under the Directive, and you must conform to the standards and practices it sets out.
Protecting personal data with document management solutions
One of the most important requirements of the GDPR, aside from actually ensuring that you use the data properly, is keeping it secure and actively preventing the exposure of sensitive personal data. Article 32 requires ‘appropriate technical and organisational measures’ proportionate to the risk, and names pseudonymisation and encryption explicitly; if breached data was encrypted so that it is unintelligible to whoever obtained it, you may also be relieved of the duty to notify the affected individuals. Document management solutions such as Nuance’s Power PDF can help protect personal data that is under your control in a number of ways:
- Encrypt documents in PDF format with 128-bit or 256-bit AES so that they can be securely communicated or stored electronically. Choose AES-256 rather than the legacy 40-bit or 128-bit RC4 schemes that older PDF tools still produce, and remember that the encryption key is derived from the password, so a weak password undermines a strong cipher
- Apply passwords to sensitive documents so that they can only be opened by authorised personnel. Use strong, unique passwords and share them through a separate channel from the document itself
- Redact (censor) sensitive information so that it is not exposed. Genuine redaction removes the underlying text and image data rather than drawing a box over it; after redacting, check by searching for or extracting text from the saved file that the original content is really gone
- Control who can access, print and share documents. Note that PDF print and copy restrictions are enforced by the viewing application, not by the encryption, so they discourage casual misuse but do not stop a determined recipient who can already open the file
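As an added illustration (example code written for this article, not code from the original page or from Nuance), the following Python inspects a PDF’s /Encrypt dictionary to confirm which cipher was actually applied and which permission flags were set, since a file described as ‘encrypted’ may still be using the legacy 40-bit RC4 scheme. It reads the /V entry and the standard crypt filter’s /CFM to name the cipher, and decodes the /P permission bits defined in ISO 32000-1. The two PDF fragments are constructed for this example and are not complete, openable files; only the trailer and /Encrypt structures matter here. The function names and permission labels are this example’s own.

```python
import re

# Bits of the /P permissions integer (ISO 32000-1 Table 22; bit 1 is the least significant).
# The bit numbers are from the specification; the short labels are chosen for this example.
PERMISSION_BITS = {
    3: "print",
    4: "modify",
    5: "copy",
    6: "annotate",
    9: "fill_forms",
    10: "extract_for_accessibility",
    11: "assemble",
    12: "print_high_quality",
}


def _balanced_dict(data: bytes, start: int) -> bytes:
    """Return the dictionary beginning at data[start] (which must be '<<'), honouring nesting."""
    depth, i = 0, start
    while i < len(data) - 1:
        pair = data[i:i + 2]
        if pair == b"<<":
            depth += 1
            i += 2
        elif pair == b">>":
            depth -= 1
            i += 2
            if depth == 0:
                return data[start:i]
        else:
            i += 1
    raise ValueError("unterminated PDF dictionary")


def find_encrypt_dict(pdf: bytes):
    """Locate the /Encrypt dictionary: an indirect object referenced from the trailer, or inline."""
    ref = re.search(rb"/Encrypt\s*(\d+)\s+(\d+)\s+R\b", pdf)
    if ref:
        num, gen = ref.group(1), ref.group(2)
        obj = re.search(rb"(?<!\d)" + num + rb"\s+" + gen + rb"\s+obj\b", pdf)
        if obj is None:
            raise ValueError("/Encrypt points at a missing object")
        return _balanced_dict(pdf, pdf.index(b"<<", obj.end()))
    inline = re.search(rb"/Encrypt\s*<<", pdf)
    if inline:
        return _balanced_dict(pdf, inline.end() - 2)
    return None  # no /Encrypt entry: the file is not encrypted at all


def _int(dic: bytes, key: bytes):
    """Read an integer entry such as /V 5 or /P -1852 from a dictionary's bytes."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", dic)
    return int(m.group(1)) if m else None


def describe_cipher(enc: bytes) -> str:
    """Map /V (and, for /V 4 and 5, the crypt filter's /CFM) to a human-readable cipher name."""
    v = _int(enc, b"V") or 0
    if v == 1:
        return "RC4 40-bit"
    if v == 2:
        return f"RC4 {_int(enc, b'Length') or 40}-bit"
    if v in (4, 5):
        cfm = re.search(rb"/CFM\s*/(\w+)", enc)
        name = cfm.group(1) if cfm else b"None"
        return {b"AESV2": "AES-128", b"AESV3": "AES-256", b"V2": "RC4 128-bit"}.get(
            name, f"unknown crypt filter {name.decode('ascii', 'replace')}")
    return f"unknown /V {v}"


def decode_permissions(enc: bytes):
    """Decode the /P flags; a set bit means the action is permitted by the viewer."""
    p = _int(enc, b"P")
    if p is None:
        return None
    p &= 0xFFFFFFFF  # /P is written as a signed 32-bit integer, usually negative
    return {name: bool(p & (1 << (bit - 1))) for bit, name in PERMISSION_BITS.items()}


def inspect_pdf_encryption(pdf: bytes):
    """Return the cipher and permission flags of an encrypted PDF, or None if it is unencrypted."""
    enc = find_encrypt_dict(pdf)
    if enc is None:
        return None
    return {"cipher": describe_cipher(enc), "permissions": decode_permissions(enc)}


# Constructed fragments (not complete, openable PDFs): only the /Encrypt structures are realistic.
LEGACY_PDF = (b"%PDF-1.4\ntrailer\n<< /Root 1 0 R /Encrypt << /Filter /Standard /V 1 /R 2 "
              b"/Length 40 /O <00> /U <00> /P -64 >> /ID [<00> <00>] >>\n%%EOF\n")

AES256_PDF = (b"%PDF-1.7\n7 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 "
              b"/CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >> "
              b"/StmF /StdCF /StrF /StdCF /P -1852 /O <00> /U <00> /OE <00> /UE <00> /Perms <00> >>\n"
              b"endobj\ntrailer\n<< /Root 1 0 R /Encrypt 7 0 R /ID [<00> <00>] >>\n%%EOF\n")

if __name__ == "__main__":
    for label, sample in (("legacy", LEGACY_PDF), ("aes256", AES256_PDF)):
        print(label, inspect_pdf_encryption(sample))
```

The first sample reports RC4 40-bit, which is brute-forceable regardless of the password; the second reports AES-256 with printing allowed and copying and modification denied. Those /P flags are honoured only by cooperating viewers: anyone who can open the file can re-save it without them, so treat them as policy hints, and rely on the open password and the cipher for actual confidentiality.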
It’s important to be prepared for the upcoming changes to data protection law, and this means understanding your legal obligations and seeking out the tools that will help you uphold them. Take a closer look at Power PDF to see how it can help you protect personal data.