On Friday May 25 2018, the European Union’s General Data Protection Regulation (GDPR) begins to apply (it formally entered into force in May 2016, with a two-year transition period). The GDPR is one of the largest and furthest-reaching sets of data protection and privacy laws to come into existence and it affects every organisation that handles the personal data of people in the EU. It doesn’t matter where you are in the world, how big or small your business is or what your sector or industry is: if you offer goods or services to people in the EU, or monitor their behaviour, and process their personal data along the way, you will have to comply.

Why has the EU decided to implement GDPR?

The EU has created and will implement GDPR so that its citizens once more have control over their personal data. It also, as it’s the same for all member states and anyone outside the EU doing business within the member states, makes regulation simpler as it’s consistent across the board.

GDPR was first proposed back in 2012 with the aim of creating consistent, easily understood data privacy rules across the EU, and was adopted in 2016. GDPR replaces the 1995 Data Protection Directive (95/46/EC). Because that was a directive rather than a regulation, each member state had to transpose it into its own national law, which led to differing rules from country to country; a regulation applies directly in every member state.

What’s the main gist?

One of the best-known provisions of GDPR is the right to erasure: once an individual no longer wants their data to be held or processed by a company, the company must delete the data if it has no “…legitimate grounds for retaining it.” It sits alongside the other rights the regulation gives individuals, such as the rights to access, correct, restrict and object to the processing of their data.

Any person, business or third-party entity involved in holding or processing data must comply with this or they may be deemed to be in breach of GDPR.

My business is only small; does GDPR apply to me?

Yes, even small businesses (fewer than 250 employees) must comply with GDPR if they handle, process or collect personal data. The 250-employee figure matters only for a narrow exemption from keeping formal records of processing activities, and even that exemption falls away if the processing is not occasional, is likely to put people’s rights and freedoms at risk, or involves special categories of data such as health data.

Most small and medium-sized businesses don’t have to appoint a data protection officer. The obligation is not tied to headcount, though: it applies to public authorities and to any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data.

Many small business-owners have assumed that GDPR doesn’t apply to them because they’re not big multinationals with lots of overseas business, but this is wrong. If you collect any personal data from someone in the EU, from an email address for marketing to medical records, you must follow GDPR.

Why is it so important to protect data?

An email address used to send marketing offers is pretty harmless in itself, but if that email address leads to a postcode, and then to a GP surgery, and then to a medical condition the person has, it’s not so harmless. Any data that can be used to identify someone, on its own or combined with other data, is personal data and must be protected; health data belongs to the special categories that attract the strictest rules. Many insurance companies, for example, are having to delete almost 75% of the information they hold on customers.

If these companies don’t delete all the necessary information, they could end up paying dearly. Non-compliance with GDPR can lead to fines of up to €20 million or 4% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher! This applies to big and small companies alike, which could mean you!

But we’re leaving the EU in 2019!

This will not make any difference to UK companies. GDPR applies from May 25 2018, well before the scheduled exit date of March 29 2019, and after Brexit any UK business that offers goods or services to people in the EU, or monitors their behaviour, will still have to comply because it will still be processing their data. The UK has also committed to keeping the same standard at home: the Data Protection Act 2018 writes GDPR’s requirements into UK law.

OK, what can I do to get my business ready?

If you’re already doing business in Europe, or you’re planning to, then this is how you become and stay GDPR-compliant.

Perform an analysis

Bring in a consultant or legal expert to explain the new data privacy regulations and how they apply to your business. Then examine the systems you already have, looking in particular for flaws and gaps: how you obtain data, on what lawful basis, how you use it, how long you keep it and how you delete it.

Train your team

Your employees must be educated on their responsibilities when it comes to collecting and handling personal data, especially where it can be used to identify an individual. This includes the data of colleagues, contractors, family members, partners and associates, not just customers. Everyone must understand how GDPR works, what they need to do to stay within its boundaries and why they must comply.

Appoint a compliance officer

If you can, appoint a compliance officer to review the changes in data protection law and implement what your business needs. Realistically, only medium-to-large businesses may be able to afford a dedicated role, but that doesn’t exempt you. You can bring in a contractor for a number of hours each month if that’s easier, or you can learn to do it yourself (but hire someone to review your work on a regular basis). Going forward, factor GDPR into all your new business processes and activities; the more time you invest in compliance, the better it is for your enterprise.

Work out which data comes under GDPR

You need to work out which data is affected by the regulations. There may be personal data of people in the EU in contracts, purchase histories, invoices and HR documents. Record where it’s stored, why you hold it, how you deal with it, how long you keep it and who can see it; this inventory is also the basis of the record of processing activities that GDPR expects most organisations to keep. Once you know what data is relevant, you can start to devise company data-handling policies.

Review all your contracts

If you have any third-party vendors or associates handling personal data on your behalf (GDPR calls them processors), they also need clearly outlined policies and processes to be GDPR-compliant, and you need a written contract with each one that sets out what they may and may not do with the data. You need to be careful here because although a contract may be signed in one country or jurisdiction, the data may not be stored there; transfers outside the EU are only allowed with an appropriate safeguard in place. You must find out how your vendors or other associates will be handling and storing your business’ data and that of your clients, including any sub-contractors they pass it on to. They’ll need to show how they’ll become compliant and also how they’ll deal with breaches or violations: a processor must tell you about a breach without undue delay so that you can meet your own 72-hour deadline for notifying the supervisory authority.

Cover all your bases

It’s important to realise that although the fines are set by GDPR itself, they are investigated and levied by the national supervisory authority of each member state, and national laws can add further rules and penalties of their own. If your business operates in several countries you will normally deal with a lead authority in the country of your main establishment, but you still need to satisfy the local rules in every country you operate in. You remain liable for penalties even if it’s one of your associates that mishandles or misuses data, because as the controller you are responsible for the processors you choose, so make sure you do everything right.