You may have heard of the General Data Protection Regulation (GDPR) but might not know when it was introduced.
Under GDPR, your business must collect, store and process data lawfully. You can face fines of up to £18 million if you don’t.
This blog will answer the question when did GDPR come into force, explain why adopting GDPR best practice is necessary and give some tips on staying compliant.
A Brief History of the GDPR
Data laws aren’t new. Our privacy has been recognised for many years. Decades, in fact. Article 8 of the 1950 European Convention on Human Rights stated that everyone has the right to privacy.
Decades later, the European Data Protection Directive (Directive 95/46/EC) was enacted in 1995. Its aim was to control the processing of personal data. It was introduced at a time when the internet was in its infancy.
With the meteoric rise in internet usage and our dependence on it, stricter controls were needed. The 1995 directive would not be enough for the vast changes in how our personal data was to be used and abused.
So, in 2011 work started on revising the directive, and in 2016 the GDPR was finally approved by the entire EU. Member states were given until 25 May 2018 to implement the regulation.
Here in the UK, GDPR falls under the Data Protection Act 2018. It is often referred to as UK GDPR for this reason.
Breaches Before the GDPR
Remember the Facebook/Cambridge Analytica scandal of 2016? This is where the personal data of 87 million Facebook users was collected and used for political gain. Personal data such as names, page likes, birthdates and addresses was unlawfully captured.
This scandal happened before GDPR was enforced. At the time, Facebook was fined just £500,000 under the Data Protection Act. Under GDPR, Facebook would have received a much more significant fine.
When Did the GDPR Become Enforceable?
The GDPR became enforceable on 25 May 2018. From that date, businesses that collect, store and process the personal data of data subjects could be fined for non-compliance.
You don’t have to be located in the EU. All businesses that trade in the EU must comply.
When the UK left the EU, things changed somewhat. UK businesses now have to comply with UK GDPR, which is almost identical to the EU GDPR. The main difference is how UK businesses process the data of EU residents.
If you process the data of EU residents, you now have to appoint an EU representative and identify a lead supervisory authority in the EU. All your policies and procedures must also be updated to reflect UK GDPR.
Why is it Important to Adopt GDPR Best Practices?
There are many reasons why you need to follow the GDPR regulations. The main reason is to comply with the law. Companies that don’t can find themselves in the dock.
Let’s look at some more reasons:
Fines
Fines are issued by the Information Commissioner’s Office (ICO). They can be up to £18 million or 4% of annual turnover, whichever is greater.
Many international companies have received fines from the ICO. Amazon, Meta (formerly Facebook), Google and British Airways are just a few.
Amazon has received the highest fine so far. In 2021, they were fined $781 million because they didn’t get consent from customers before storing advertising cookies.
Harm to Data Subjects
Your data subjects can be harmed emotionally and financially if their personal details get into the wrong hands. Fraudsters can abuse their personal information. They can do such things as set up fake bank accounts, fake profiles and purchase unauthorised items. The effort needed to retrieve personal data and correct a breach of privacy will take a mental toll on anyone.
Reputational Damage
Being exposed as an organisation that has breached data laws will not be great for your reputation. Your customers, clients, shareholders and partners need to trust you. A breach of data laws can erase that trust. Staying within the law is good for business!
How to Stay Compliant
Understand the GDPR Regulations
Get to grips with the regulations. This is the foundation of staying compliant. Understand what is required to lawfully gather, process and maintain personal data.
Create a GDPR Policy
Once you know what is required of you, create a policy. Your policy should break down roles and responsibilities and how your organisation will follow the regulations. Include how you will process data, inform data subjects of their privacy rights, and what happens if a breach occurs.
Your policy will inform your GDPR procedures. These procedures will act as the employees’ manual to ensure compliance. GDPR can be a dry subject, so keep procedures concise and readable.
Train Your Employees
All employees who handle personal data need to be trained. Training is vital to ensuring everyone is well informed about the legislation and understands what is required of them.
Trained employees are less likely to make mistakes. They are also more likely to know when something isn’t right and to take steps to rectify issues before they escalate.
Review Your Policy & Procedures Regularly
Keep up-to-date with data laws so you can review your policy accordingly when changes occur.
Get Ahead of Your Competitors with GDPR Training
Now that you are up to speed with when GDPR came into force, why not brush up on your data protection knowledge? Improving your knowledge of this crucial subject can help you avoid breaking data laws. GDPR Awareness Training will protect your business and your data subjects.