What is GDPR and how could it affect your business?
Since its approval in 2016, GDPR has caused quite the stir amongst the business world. This EU privacy law threatens penalties as large as €20 million, or 4% of annual global turnover (whichever is higher) – ouch. For many businesses, a penalty like this could be the end of them, and even larger companies aren’t taking any risks – in July 2017, pub chain Wetherspoons deleted their entire customer email database to keep themselves covered.
If that sounds familiar, you’ve got GDPR to thank for that!
But what is GDPR? It caused us a lot of confusion to start with so if you’re not sure, you’re not alone! To help clear a few things up, we created this simple GDPR summary guide…
Who does it affect?
GDPR will affect any EU-based businesses and any businesses outside the EU that sell to EU citizens.
The new regulations will also affect all customers of the affected businesses (so, pretty much everyone), as they now have increased rights over their data and over how it is stored and used.
You may read some articles discussing the three parties that are affected by GDPR: data controllers, data processors and data subjects. All three are explained below:
- Data Controllers – those controlling the processing of the data (usually an organisation)
- Data Processors – those actually processing the data on behalf of the controller (such as the HR and marketing departments, suppliers or subcontractors like call centres)
- Data Subjects – EU residents who are customers or employees of the data controllers
So, how does it work?
GDPR works by protecting the personal and sensitive data of the subjects, including:
- Online Identifiers – such as names, email addresses, home addresses and ID numbers
- Web Data – such as cookies data and IP addresses
- Sensitive Data – such as health, genetic and biometric data, and additional things like religious views
The protection of this data means that the data subjects now have certain rights, including:
- Customers must be told clearly and explicitly how a business will use and store their data, and must give their consent for the business to do so
- Customers have the right to know exactly what data is collected and how it is used and stored by a business
- Customers can have any incorrect data corrected
- In some cases, customers can ask for all their data to be deleted from a business’ database. This is also known as the right to be forgotten
- Customers have the right to move their data between processing systems, such as servers
- Customers have the right not to be subject to decisions made about them solely by automated processing
To uphold these rights, data controllers have certain obligations, which include:
- Businesses must demonstrate compliance by keeping records of all data processing
- Data Protection Impact Assessment – this must be carried out if the data being processed could cause high risk to the subjects
- All data must be kept secure. This should be done at a technical level through encryption, to protect the data in the event of a breach, and at an organisational level also
- Businesses must report any security breaches within 72 hours to the data regulator (in the UK, the ICO – Information Commissioner’s Office) and inform the individuals affected by it. Reports must state how the breach occurred, how it is being dealt with and the future protections being put in place.
- Data Protection Officer – organisations must appoint a Data Protection Officer to aid the protection of data if they meet any of the following criteria:
  - They are a public authority
  - They monitor individuals on a large scale
  - They process sensitive data
- Transferring data is only permitted if there are appropriate security measures in place
Not demonstrating compliance with the above criteria puts businesses at risk of prosecution. Penalties for not complying are listed below:
- Non-compliant businesses could face fines of up to €10 million or 2% of global annual turnover, and those that are intentionally non-compliant face fines of up to €20 million or 4% of global annual turnover. All violations are carefully considered and assessed before the fine is issued.
- Another cost that businesses could face is that data subjects may claim against them if they do not handle data appropriately.
- Finally, businesses that are not compliant will also suffer with customers losing trust in them – something so valuable to many businesses.
Will it affect my cloud storage?
A lot of businesses rely on cloud-based apps for a number of things, such as emailing and image sharing. Where GDPR is concerned, if your company uses cloud storage for client data, you will need to ensure that it meets regulations. So, what do you need to do to become GDPR compliant when using the cloud?
So, what do you need to do now?
GDPR came into full effect on 25th May 2018, meaning that businesses have no time to waste to ensure they are meeting the requirements of the new law. Any businesses that are not abiding by the new regulations will be viewed as non-compliant and will be prosecuted. But, all is not lost – if you have yet to take action, now is the time!
The steps you will need to follow are as below:
Clean your data
- Inform your customers of how you use and store their data, for transparency purposes, and then ask for their consent to continue doing so
- Delete or amend any data that is inaccurate, incomplete or duplicated
- Delete any data that is not necessary to the functioning of your business
Keep your data secure
- At both an organisational level, to ensure consistency, and a technical level, through encryption
Train your staff
- Provide adequate training to all members of staff; staff who understand the rules are less likely to cause a violation
Appoint a DPO if necessary
- Refer to the criteria listed above to help you decide if you need one
Check suppliers and subcontractors are GDPR compliant
- Ensure your contracts with them also protect you from any potential breaches
Check cloud data storage
- Take action as above
And finally, as long as you ensure you’re following all of the above obligations and fulfilling your customers’ individual rights, then you’re good to go.
GDPR and the potential penalties might seem daunting, but becoming compliant is easy to do once you have the required information. Plus, being GDPR compliant is seen as a benefit by many and so will encourage business by building trust with customers.
If you are not yet compliant, or are generally still uncertain about GDPR, there are a wealth of resources available online. Here are a few good ones to get you started: