In the world of technology, you may have heard a big buzz recently about GDPR, with intimidating phrases like cyber security, penalties, business costs and hackers being thrown around. It’s not as scary as all that, but as a business owner you will need to pay attention: if you hold any sensitive data at all, you are leaving yourself liable unless you make changes. Here is the low-down on GDPR, what it means for you and your business, and how you can get ahead of it to ensure you are protected.
What is GDPR?
The General Data Protection Regulation (GDPR) is new European legislation, coming into effect soon, that aims to strengthen the protection of personal data in line with the digital age and increasing technological capabilities.
Simply put, it’s a new EU regulation that means if you aren’t protecting personal data effectively, you are liable to be fined.
The European Commission had this to say about the implementation of the GDPR:
“The Regulation updates and modernises the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights. It focuses on:
- reinforcing individuals’ rights;
- strengthening the EU internal market;
- ensuring stronger enforcement of the rules;
- streamlining international transfers of personal data; and
- setting global data protection standards.
The changes will give people more control over their personal data and make it easier to access it. They are designed to make sure that people’s personal information is protected – no matter where it is sent, processed or stored – even outside the EU, as may often be the case on the internet.”
What Counts As Personal Data Under GDPR?
Any information that will allow you to identify a person or that relates to an identifiable person is considered personal data. Examples of identifiers include:
- Identity defined by physical, genetic, cultural or economic factors
- Location data
- ID numbers
- Biometric information (e.g. fingerprints, retinal scans)
- IP addresses
- Consumer preferences
- Pseudonyms – data that has been adapted to hide personal data by substituting other elements for the identifying ones, for example through encryption. However, businesses that use pseudonymisation to protect personal information will face more lenient fines, because it is seen as lower risk for users and complies with GDPR.
What Does GDPR Now Require?
- That data is handled, stored and exported fairly, lawfully and securely to meet data protection requirements.
- That digital data previously not covered, e.g. IP addresses or mobile device identifiers, is now subject to the same privacy rights as other personal data.
- That data is kept accurate and its integrity maintained.
Who Are The ICO?
The ICO (Information Commissioner’s Office) represents the UK on the EU’s Article 29 Data Protection Working Party.
Dates of GDPR Implementation
The main date you need to be aware of is 25 May 2018, when the changes officially come into force and become actionable. That doesn’t mean you have an excuse to wait, however: GDPR was approved on 14 April 2016 and introduced in 2017 to give businesses fair warning before the actionable date.
5 Ways GDPR Is Going To Affect Your Business
- Check Current Data – Data you collected previously also falls under GDPR, so you need to ensure that you have full permission from your users; if you are unsure, contact them.
- Train Staff – It is important that staff know how to handle sensitive information going forward: not just your IT staff but also any department that accesses personal data, e.g. HR, finance etc.
- Review Procedures – Check that your data collection adheres to GDPR guidelines and uses active agreement settings rather than passive ones.
- Security Audit – Who has access to the personal data, and should they? How are they able to export the data, and does each employee have a business need to access it? If not, remove their access. Don’t forget employees who no longer work for your organisation, and third parties.
- Check 3rd Party Software – It is your business’s responsibility to ensure that any software you use to store data is GDPR compliant, so you will need to contact 3rd party suppliers and get assurances or proof that they are actioning this as well. In the event of a breach, you would also be liable.
Are There Any Benefits To My Business?
It sounds like a lot of doom and gloom for your business, and it could turn out quite costly, but there are some plus points to the new regulations.
Consistent Legislation – It is no longer the confusing “grey area” it has been for many years, so it is easier to understand what is and isn’t needed and how to implement it.
Universal Standards – Some may feel that larger companies can do whatever they want with data (e.g. selling it on without permission) because the previous fine was more affordable to them. With GDPR, everyone is held to the same standards.
What Sort of Fines Could I Be Facing Under GDPR?
The amount of a fine for a breach is ultimately up to the ICO, and it can depend on how the breach is dealt with, the level of protection that was in place, and whether the business followed GDPR protocols after the breach. Here are some examples of fines:
- Failure to notify users of a breach within 72 hours – up to €10 million (or 2% of your worldwide revenue, whichever is higher).
- Failure to gain consent – up to €20 million (or 4% of your worldwide revenue, whichever is higher).
- Transferring personal data internationally without adhering to GDPR – up to €20 million (or 4% of your worldwide revenue, whichever is higher).
- Failure to consider long-term data privacy within project planning – up to €10 million (or 2% of your worldwide revenue, whichever is higher).
- Ignoring data processing principles (i.e. GDPR guidelines) – up to €20 million (or 4% of your worldwide revenue, whichever is higher).
Things you need to know:
- The GDPR is citizen-specific, not business-specific. This means that it doesn’t matter where your company is based: if you are handling the data of an EU citizen, you need to be compliant.
- GDPR consent needs to be deliberate. For example, consumers need to actively give you consent rather than accepting a “pre-selected” or “opt-out” feature.
- An individual can withdraw permission at any time under the GDPR, and the business must then erase the data pertaining to that individual and tell relevant third parties to delete any copies.
- Breaches of information need to be notified to users within 72 hours, even before reporting to the data protection authority. If not, you could face fines of up to €10 million (or 2% of your worldwide revenue, whichever is higher).
Brexit and GDPR
Some UK businesses may feel that, as the UK is leaving the EU, GDPR practices won’t apply to them. While technically true, the UK has been putting forward data protection legislation of its own. This legislation mirrors the GDPR regulations and makes clear that any business not handling data in virtually the same way as the GDPR regulations state will be subject to a fine of 4% of worldwide revenue or £17 million (whichever is closest), which is a far cry from the £500,000 limit set by the 1998 Data Protection Act. Plus, if you have any European customers, you are still liable to follow GDPR rules anyway!
How We Can Help
We offer GDPR training and workshops so that your employees and IT department can become GDPR compliant and avoid those massive fines. For more information, contact us on:
UK Office: +44-203-637-2404
Israel Office: 972 (0) 74-7036680