This article provides a simple outline of what the GDPR is, what it means for your business, and some of the steps you can take to ensure compliance. This is not provided as legal advice – should you have concerns over your compliance, please consult a legal professional with the relevant expertise. In particular, large organisations (250+ employees) that process a lot of data should already be fully prepared for the new laws, as they will be more affected.
What is the GDPR?
The General Data Protection Regulation is a set of consistent data protection rules that applies to any company that processes personal data about individuals in the EU.
What sort of data are we talking about?
Not just that of your customers – any personal data you hold relating to past and present employees and suppliers is also included.
Who does it affect?
If your business collects, stores or uses any personal information pertaining to an EU resident, it affects you.
When does it come into force?
The GDPR applies from 25th May 2018.
What happens if I don’t comply?
Certain violations of the GDPR can carry a fine up to €20m or 4% of global annual revenue.
What are the main stipulations?
- Companies who employ over 250 staff must employ a Data Protection Officer.
- Any data security breaches must be reported to the Information Commissioner’s Office (ICO) within 72 hours.
- Individuals now have the ‘right to be forgotten’ – they can withdraw consent for you to hold their information at any time. They can also send you an SAR (Subject Access Request) – a request for information about what data you hold on them, what you use it for, where it is stored, and how it is encrypted. You have one month to respond with answers to their questions or risk a fine.
What does it mean for my small business?
- You now need to know where every scrap of personal information you store is held (including staff smartphones, tablets and laptops as well as any cloud hosting services you use), what it is, how you process it (and how often) and when you were given permission to use it. If you don’t know when you were given permission, you’ll need to re-permission this data from the individual concerned. Large companies will need to carry out a full information audit.
- You can no longer automatically opt individuals in to mailing lists etc. when they use forms on your website – forms should now have an ‘opt-in’ tick box, unchecked by default, which grants you permission to use their data.
- Your privacy/data policies now need to state explicitly what you use people’s data for, so they should be updated accordingly and made easily accessible from your website, as well as being flagged up to existing users.
- Your data security is a key consideration: consider improving security by installing an SSL certificate on your website, restricting access to your systems to a single IP address (i.e. your business premises) and using two-factor authentication for logins. You need to ensure you’re protecting the personal data you hold as well as properly recording how and when you acquired it.
For further information on your responsibilities and how to prepare for the GDPR, please read this guide produced by the ICO.