The General Data Protection Regulation (GDPR) is on its way and there's no getting around it. The only thing businesses can do is understand what the legislation is and make sure their business has all the processes, policies and most importantly technology in place to be as ready as they can for when it comes into effect. In order to help your business navigate the GDPR landscape, we've put together this comprehensive article, outlining the most important information you need to know when it comes to the EU's new data privacy law. Over the coming weeks and months, as we close in on GDPR's go-live date, we will be creating an array of articles, webinars, and events in order to make sure your business has the most up-to-date and relevant information.
So, let's get into it.
Will GDPR affect U.K. businesses?
Yes. Brexit or not, GDPR will affect any business around the world that deals with the personal information of EU citizens. The EU's new privacy law comes into full effect 25 May 2018, and if you haven't started to already, today's as good a day as any to start getting your business GDPR ready.
Why is GDPR so important?
GDPR is the biggest change to privacy laws Europe has seen in over two decades. The whole purpose of the law is to make sure EU residents have more control over their personal data and ensures the rules around data protection are aligned with recent advancements in technology and marketing practices.
GDPR will result in fundamental changes to how you collect, store and use personal information, including how you accommodate new transparency requirements, detect and report personal data breaches, and how you train employees that have access to any customer information.
If you take away nothing else from this article, know that the two most important things about GDPR are that there's nowhere to hide and the fines for not complying are hefty.
Nowhere to hide
It doesn't matter if you're the person collecting the data, storing it or simply using it to ensure the right package gets delivered to the right person, if you touch any information which the EU considers to be personal data, then you are responsible for making sure the correct systems and processes are in place so that your management of that data is GDPR compliant.
It's also important to note that with GDPR, there's no distinction between a person's public, private or work personas. That means, even if you have no external customers, all B2B client information, as well as employee information needs to be GDPR compliant. I don't like using the word literally, but this legislation literally affects every single business, regardless of size or industry that deals with EU citizens, in any way.
Money, money, money
If your business is found to have violated the requirements in GDPR you'll need to reach deep into your pockets. Failure to comply can result in fines as large as €20 million (£17.5 million) or 4 percent of your annual global turnover, depending on whichever amount is greater. And because the EU is keen to enforce this new legislation, there is no indication that there will be any leniency when handing out these fines. In fact, the expectation is that they will be quite strict in order to make an example of those businesses found not to be complying.
If you're a small or medium-sized business, alarm bells should be going off. £17.5m or 4 percent of global turnover is not just a huge sum of money - it has the potential to cripple your business entirely. GDPR is important, you need to be prepared.
What does the EU consider to be 'personal data?'
GDPR defines personal data as any information relating to an individual that identifies them in any way. And with no distinction between a person's private, public or work personas, personal data can include:
- Email address
- Social media posts
- Physical, physiological, or genetic information
- Medical information
- Bank details
- IP address
- Cultural identity
When should I start getting ready?
If you haven't started getting your business GDPR ready by now, then you need to start doing so immediately. GDPR is a far-reaching and highly complex piece of legislation and the changes your business will need to make, in order to be compliant, will not be able to happen overnight. You need to start reviewing your privacy and data management practices today.
One of the biggest changes U.K. businesses will have to adjust to is adherence to the "data subject rights." These rights involve a business providing data subjects, i.e. any individual which your business collects information on, with the following:
- Access to readily-available information that's in plain and easy-to-understand language
- Access to their personal data
- Have incorrect personal data deleted or corrected
- Have personal data rectified and erased in certain circumstances (referred to commonly as the 'right to be forgotten')
- Restrict or object to processing of personal data
- Receiving a copy of personal data
- Object to processing of personal data for specific uses, such as marketing or profiling
Where should I start?
Discover, Manage, Protect and Report. If you're at a loss as to where to start, these four steps will help you get the ball rolling:
- Discover: Identify what personal data you have and where it resides
- Manage: Regulate how personal data is used and accessed
- Protect: Establish security controls to prevent, detect and respond to vulnerabilities and data breaches
- Report: Action data subject requests and keep required documentation
Download Microsoft's GDPR Detailed Assessment Remediation Checklist and keep track of how your business is performing at each of the Discover, Manage, Protect and Report stages.
Finally, as with all things data security related, it's a good idea to implement technical and organisational measures that align to ISO 27001 standards.
For more information on GDPR legislation click here.
If you'd like to find out more about how Advantage can help your business get GDPR ready talk to us today.
Words by Camilo Lascano Tribin