1. Home>
  2. Resources>
  3. Privacy & Security>

How will GDPR affect businesses?

We have previously discussed what the General Data Protection Regulation (GDPR) is, when it will come into play and the consequences of breaching it. In this blog, we want to focus on the key provisions of GDPR and how it will affect businesses.

To recap, GDPR is an important new law that affects how businesses deal with data protection. It was introduced to bring the current data protection laws in line with advancements in technology and social media. GDPR introduces stricter data protection rules and is due to replace the Data Protection Act 1998 in May 2018. It gives individuals greater control over how their personal data is dealt with and imposes greater fines on businesses for data breaches.

    What type of business does GDPR apply to?

    GDPR applies to all data controllers and data processors, which covers the vast majority of businesses in the UK and EU.

    Data controllers determine the purposes and ways in which data is collated and processed; data processors are businesses that process personal data on behalf of data controllers.

      What are the implications of GDPR for businesses?

      Stricter data security obligations

      One important aspect of GDPR is the new principle of accountability that it will introduce. This principle will require businesses to be more accountable for how they handle personal data, as well as ensure that they can show how they comply with the requirements of GDPR.

      To comply with this principle, businesses will be required to review and improve their data security measures. There are several aspects to this.
      For example, businesses will need to carry out thorough data mapping. This involves reviewing the flow of information within and outside of the organisation to identify any deficiencies and safeguards that need to be implemented to secure data. Businesses will need to review how they protect data and consider improving these procedures if they identify any deficiencies, for example by using data encryption.

      In addition, businesses will need to review their data processing and record-keeping policies and procedures, as well as consider how they document evidence of compliance with the requirements of GDPR.

        Data must be processed lawfully

        Under GDPR, businesses must ensure that they process personal data for a lawful reason. GDPR is quite prescriptive in this regard, setting out some of the reasons for processing data that would be considered lawful.

        For example, personal data would be processed lawfully in a situation where an individual provides consent for the processing of their data, or where the processing is necessary for the performance of a contract with a customer or to pursue a legitimate interest.
        There are strict requirements under GDPR for obtaining consent. Consent must be valid, meaning that an individual actively provided consent. Consent must also be verifiable; therefore, businesses need to keep records showing how and when an individual has consented. Arrangements where individuals are automatically deemed to consent unless they opt out or untick a box will not comply with GDPR.

          Increased individual rights

          GDPR provides individuals with a multitude of new rights, which businesses will need to be aware of and ensure they do not breach.
          For example, there will be a new right to be forgotten, which is the right of an individual to have their personal data removed from a business’ system. Individuals will have a new right of data portability: the right to have their personal data copied and transferred to a separate organisation for processing.
          There are certain rights that are likely to affect businesses engaged in marketing. GDPR will give individuals the right to object to their data being processed for direct marketing purposes, for example.

            Stricter notification requirements for data breaches

             A further impact on businesses will be the requirement for data controllers to notify the relevant data protection authority about a data breach within 72 hours of it occurring.
            The Information Commissioner is the relevant data protection authority for the UK. The data controller may also need to inform individuals whose personal data is involved in the breach, if there is a risk to them.

            Tougher fines for data breaches

             Tougher fines are to be introduced for data breaches: businesses who breach the data protection requirements under GDPR could be issued a penalty up to €20 million, or 4% of their global annual turnover.

            SD Worx aims to give guidance and provide news on this historic legislation from an HR and Payroll stand point which will impact businesses across the globe. For more information please visit our GDPR Page or, please email WeAreGlobal@sdworx.com

              Jean-Luc Barbier