What is GDPR and how could it affect your business?

Since its approval in 2016, GDPR has caused quite the stir amongst the business world. This EU privacy law threatens penalties as large as €20 million, or 4% annual global turnover (whichever is higher) – ouch. For many businesses, a penalty like this could be the end of them, and even larger companies aren’t taking any risks – in July 2017, pub chain Wetherspoons deleted their entire customer email database to keep themselves covered.

If you were unaware of any of this happening in the business world (although we would be surprised, as it’s all anyone’s been talking about), you may have noticed it from a customer’s perspective… we’re talking about any online store you’ve ever bought from sending out a privacy policy update email.

If that sounds familiar, you’ve got GDPR to thank for that!

But what is GDPR? It caused us a lot of confusion to start with so if you’re not sure, you’re not alone! To help clear a few things up, we created this simple GDPR summary guide…

What does GDPR stand for?

General Data Protection Regulation

What does it mean?

GDPR is an EU-approved privacy law that replaces all previous EU privacy laws. It strengthens the rights of EU citizens by protecting their data in how it is processed, used, stored and exchanged by businesses.

Who does it affect?

Businesses

GDPR affects any EU-based business and any business outside the EU that sells to EU citizens.

Customers

The new regulations will affect all customers of the affected businesses (so, pretty much everyone), as they now have increased rights to their data and how it is stored and used.

You may read some articles discussing the three parties that are affected by GDPR: data controllers, data processors and data subjects. All three are explained below:

Data Controllers – those controlling the processing of the data (usually an organisation)

Data Processors – those actually processing the data on behalf of the controller (such as the HR and marketing departments, suppliers or subcontractors like call centres)

Data Subjects – EU residents who are customers or employees of the data controllers

So, how does it work?

GDPR works by protecting the personal and sensitive data of the subjects, including:

  • Online Identifiers – such as names, email addresses, home addresses and ID numbers
  • Web Data – such as cookies data and IP addresses
  • Sensitive Data – such as health, genetic and biometric data, and additional things like religious views

Individual Rights

The protection of this data means that the data subjects now have certain rights, including:

Informed Consent

Customers must be told clearly and explicitly how a business will use and store their data, and must give their consent for the business to do so

Transparency

Customers have the right to know exactly what data is collected and how it is used and stored by a business

Correction

Customers can have any incorrect data about them corrected

Erasure

In some cases, customers can ask for all their data to be deleted from a business’s database. This is also known as the right to be forgotten

Data Portability

Customers have the right to move their data between processing systems, such as servers

Automated Processing

Customers do not have to be subject to a decision made about them solely by automated processing

Business Obligations

To uphold these rights, data controllers have certain obligations, which include:

Accountability

Businesses must demonstrate compliance by keeping records of all data processing

Data Protection Impact Assessment

This must be carried out if the processing is likely to pose a high risk to the data subjects

Data Security

All data must be kept secure. This applies at a technical level, for example through encryption, so that the data is still protected if a breach does occur, and at an organisational level too

Data Breaches

Businesses must report any security breach to the data regulator (in the UK, the ICO – Information Commissioner’s Office) within 72 hours and inform the individuals affected by it. Reports must state how the breach occurred, how it is being dealt with and the future protections being put in place.

Data Protection Officer

Organisations must appoint a Data Protection Officer to oversee the protection of data if they meet any of the following criteria:

  • They are a public authority
  • They monitor individuals on a large scale
  • They process sensitive data

Data Transfer

Transferring data is only permitted if there are appropriate security measures in place

Penalty Risk

Failing to demonstrate compliance with the above obligations puts businesses at risk of prosecution. The penalties for non-compliance are listed below:

  • Non-compliant businesses could face fines of up to €10 million or 2% of global annual turnover, and those that are intentionally non-compliant face fines of up to €20 million or 4% of global annual turnover. Every violation is carefully considered and assessed before a fine is issued.
  • Another cost that businesses could face is that data subjects may claim against them if they do not handle data appropriately.
  • Finally, businesses that are not compliant will also suffer from customers losing trust in them – something that is invaluable to many businesses.

Will it affect my cloud storage?

A lot of businesses rely on cloud-based apps for a number of things, such as emailing and image sharing. Where GDPR is concerned, if your company uses cloud storage for client data, you will need to ensure that it meets regulations. So, what do you need to do to become GDPR compliant when using the cloud?

  • Know where your data is stored and how it is moved
  • Ensure you take appropriate security measures to protect data
  • Only store the data that is required, rather than more detailed things such as ethnicity, religious beliefs or political views
  • Ensure data can be deleted when/if you close your accounts

So, what do you need to do now?

GDPR came into full effect on 25th May 2018, meaning that businesses have no time to waste in ensuring they meet the requirements of the new law. Any business that is not abiding by the new regulations will be viewed as non-compliant and will be prosecuted. But all is not lost – if you have yet to take action, now is the time!

The steps you will need to follow are as below:

Clean your data

  • Inform your customers of how you use and store their data, for transparency, and then ask for their consent to continue doing so
  • Delete or amend any data that is inaccurate, incomplete or duplicated
  • Delete any data that is not necessary to the functioning of your business

Increase security

Do this at both an organisational level, to ensure consistency, and a technical level, through encryption

Train staff

Provide adequate training to all members of staff. Staff who understand the rules are less likely to cause a violation

Appoint a DPO if necessary

Refer to the criteria listed above to help you decide if you need one

Check suppliers and subcontractors are GDPR compliant

Ensure your contracts with them also protect you against any potential breaches on their side

Check cloud data storage

Work through the cloud storage checklist above

And finally, as long as you ensure you’re following all of the above obligations and fulfilling your customers’ individual rights, then you’re good to go.

GDPR and the potential penalties might seem daunting, but becoming compliant is straightforward once you have the required information. Plus, being GDPR compliant is seen as a benefit by many customers, and so will encourage business by building trust.

If you are not yet compliant, or are generally still uncertain about GDPR, there are a wealth of resources available online. Here are a few good ones to get you started: