Many small business owners will have pencilled in May 25, 2018 as the date from which the European General Data Protection Regulation (GDPR) applies. But it’s also likely they all have the same question: what does GDPR mean for my business and me?
The simple answer is that it means a lot. Any company, big or small, will have to comply with new regulations regarding the secure collection, storage and usage of personal information. What’s more, violations will be met with fines.
A common misreading is that small firms are exempt. They are not. Article 30 of the regulation does excuse organisations with fewer than 250 employees from one specific duty, keeping written records of their processing activities, and even that exemption is lost under several stipulations we will come to. Every other obligation in the GDPR applies regardless of headcount.
What does GDPR mean: The central objectives
But let’s start at the beginning with ‘what does GDPR mean’. The two central objectives of GDPR are: 1) give citizens and residents back control of their personal data and 2) simplify the regulatory environment for international business by unifying the regulation within the EU.
Overall the legislation has been introduced to encourage companies across the EU to think seriously about data protection. But beware if you think you can ignore it; GDPR also comes with some fairly harsh penalties for those that do not comply with new regulations. What’s more, individuals can sue you for compensation to recover both material damage and non-material damage, like distress.
Another point to remember is that although the UK has voted to leave the EU, UK businesses will still have to comply with the new regulations if they offer goods or services to, or monitor the behaviour of, individuals who are in the EU, whatever those individuals’ citizenship. What’s more, digital minister Matt Hancock has confirmed that the UK will replace the 1998 Data Protection Act (DPA) with legislation that mirrors the GDPR post-Brexit.
The key stipulations of GDPR are:
- A Data Protection Officer (DPO) must be appointed where the organisation is a public authority, or where its core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of the special categories of data defined in Article 9. Headcount is not the test: a ten-person firm can need a DPO and a 300-person firm may not. The DPO is responsible for ensuring that the business collects and secures personal data responsibly.
- The 250-employee threshold applies only to the duty to keep records of processing activities (Article 30). A business under 250 employees must still keep those records if the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data as defined in Article 9. Routine payroll and customer databases are not ‘occasional’, so in practice most small businesses keep the records anyway.
- Breaches of personal data must be reported to the supervisory authority, the Information Commissioner’s Office (ICO) in the UK, without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. The regulation sets no 24-hour target, but the clock starts when you become aware, so detection and internal escalation have to work before the lawyers get involved. Where the breach is likely to result in a high risk to individuals, they must be told as well.
- Individuals have more rights dictating how businesses use their personal data. In particular, the right to erasure, better known as the ‘right to be forgotten’, lets them require deletion when they withdraw the consent the processing relied on, or when keeping the data is no longer necessary for the purpose it was collected for, among other grounds.
- Failure to comply with the GDPR will lead to heavier punishments than ever before. Under current rules the ICO can fine up to £500,000 for malpractice, but under the GDPR supervisory authorities will be able to fine up to €20 million or 4 per cent of annual worldwide turnover (whichever is higher) for the most serious infringements, with a lower tier of €10 million or 2 per cent for others.
If you’re unsure of whether or not the GDPR applies to you, consider how regularly you deal with personal data – and that includes present and past employees and suppliers, not just customer data. If it’s a routine occurrence, then you should abide by the GDPR. The ICO has also stated that any business affected by the DPA will also fall under the GDPR. But a key difference between the DPA and the GDPR is that the latter defines personal data more broadly: it expressly covers online identifiers such as IP addresses and cookie identifiers, and pseudonymised data that could still be linked back to a person.
Understanding the type of data that will be affected under the GDPR is one thing, but having to search for where that data is held and who is responsible for it is another issue entirely and, unfortunately, without the right tools I can see many smaller businesses running into trouble.
In a perfect world all data would be stored securely and processes would be in place to ensure personal data is kept separately under a security framework.
But in my experience, that’s just not the reality. Across the businesses we have worked with there is an average of 10GB of unstructured data per employee, and 9 per cent of that data contains personally identifiable information.
So what can you do to get a handle on your data? Well, better management of your data has to begin with discovery. GDPR will mean that every piece of personal information held by your business needs to be identified – even if it’s on a mobile device or in the cloud.
It’s a complex task for sure, but one that needs to be carried out to ensure efficient handling of data in the future. Some businesses may think they can achieve compliance by using a complicated spreadsheet. But this won’t help you find the data that you don’t know you have.
But technology can help. New solutions are available that can offer a thorough approach to data discovery today. Properly implemented, data discovery will often lead you to data that you did not know about.
When you understand where you’re holding personal data, you’ll then be able to better monitor compliance and the processes involved in dealing with that data.
You’ll also be prepared for Subject Access Requests (SARs) – a request, available under the DPA and continued by the GDPR, used by individuals who want to see a copy of the information an organisation holds about them – and the ‘right to be forgotten’, which may require you to identify and erase all of an individual’s data. Note that the GDPR shortens the deadline for answering a SAR from 40 days to one month and removes the £10 fee in most cases, so you need to be able to find everything you hold on a person quickly.
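As an added example, not code from the original article, the following Python script shows the kind of discovery the preceding paragraphs describe, run over a constructed set of in-memory ‘files’ that stand in for a file share or mailbox export. It pattern-matches three identifier types (email addresses, UK mobile numbers and UK National Insurance numbers), reports which files contain them and what share of the corpus is affected, and then answers the question a subject access or erasure request raises: which files mention this particular person? The sample files, the pattern set and all function names are assumptions made for the example.

```python
import re

# Constructed sample corpus (assumption for the example). In a real run the
# texts would be read from file shares, laptops, mailboxes and cloud storage.
SAMPLE_FILES = {
    "hr/leavers-2016.csv": "name,email,ni\nAlice Smith,alice.smith@example.com,AB123456C\n",
    "sales/notes.txt": "Called Bob on 07700 900123 re renewal. Bob's email is bob@example.org.",
    "finance/invoice-101.txt": "Invoice 101: 3 x widgets, total GBP 120.00, due 30 days.",
    "marketing/cold-list.txt": "alice.smith@example.com\ncarol@example.net\n",
}

# Deliberately small pattern library. Regexes only find well-formed identifiers;
# names, postal addresses in free text and scanned documents need dictionaries,
# NLP or OCR, and every hit still needs human review before it is acted on.
PII_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # UK mobile numbers: 07xxx xxxxxx or +44 7xxx xxxxxx, optional spaces.
    "uk_phone": re.compile(r"\b(?:\+44\s?7\d{3}|\(?07\d{3}\)?)\s?\d{3}\s?\d{3}\b"),
    # National Insurance number: two letters, six digits, suffix A-D.
    # Format check only; the real scheme's prefix-letter exclusions are omitted.
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}


def scan_text(text):
    """Return {category: [matches]} for one document; empty dict if clean."""
    hits = {}
    for category, pattern in PII_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    return hits


def scan_corpus(files):
    """Map each path to the PII found in it. Files with no hits are omitted."""
    flagged = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            flagged[path] = hits
    return flagged


def pii_share(files):
    """Fraction of files that contain at least one PII hit."""
    if not files:
        return 0.0
    return len(scan_corpus(files)) / len(files)


def files_mentioning(files, identifier):
    """Locate every file containing a subject identifier (for example the
    email address quoted on a subject access or erasure request).
    Case-insensitive substring match, so the same person is found whether
    the identifier was typed in upper or lower case."""
    needle = identifier.lower()
    return sorted(path for path, text in files.items() if needle in text.lower())


if __name__ == "__main__":
    for path, hits in scan_corpus(SAMPLE_FILES).items():
        for category, matches in hits.items():
            print(f"{path}: {category}: {', '.join(matches)}")
    print(f"{pii_share(SAMPLE_FILES):.0%} of files contain PII")
    print("Files to review for Alice's SAR/erasure request:")
    for path in files_mentioning(SAMPLE_FILES, "alice.smith@example.com"):
        print("  " + path)
```

Run as-is, the script flags three of the four sample files (the invoice contains no identifiers) and shows that Alice’s email address lives in a marketing list as well as the HR export, which is exactly the ‘data you did not know you had’ the discovery step is meant to surface. The same `files_mentioning` lookup is the starting point for both a SAR (copy everything that matches) and an erasure request (delete it, then re-scan to confirm). The pattern set is a starting point only: extend it to the identifiers your business actually holds, and make the file enumeration cover mobile devices and cloud storage, not just one server.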
Preparation will be key, but GDPR compliance will be an ongoing task that will require careful monitoring. Being aware of the new regulations and what they mean for your business is vital. So don’t stick your head in the sand and wait for it to pass. After all, once the GDPR arrives, it’s here to stay.