As you may well know, GDPR stands for General Data Protection Regulation. It is a regulation by which the European Parliament, the Council of the European Union and the European Commission aim to strengthen and unify data protection for all individuals within the European Union.
With this new law, the EU intends to offer more protection to consumers when it comes to their personal data. This is done by building on existing data protection concepts and introducing new ones to create a more complete set of rules with regard to the collection, processing and storage of personal data.
According to the GDPR, personal data is “any information related to a person such as a name, a photo, an email address, bank details, updates on social networking websites, location details, medical information, genetic or biometric data or a computer IP address”.
The regulation makes no distinction based on the context in which personal data is collected: individuals in their private, public or work roles are always persons. Even in a B2B setting, everything is about individuals interacting and sharing information with and about each other. Customers in B2B markets are companies, but the relationships that handle the business topics are people.
Why is it important to comply?
It’s essential to keep your customers’ information completely safe, even more so now that the GDPR imposes heavy fines on businesses that do not follow the rules. Penalties will be as high as €20 million or 4% of annual global turnover, whichever is higher.
As if this weren’t enough, the increased pressure on businesses to maintain data protection standards means that the PR fallout and reputational damage of a data breach will be meaningfully magnified.
Furthermore, stricter deadlines will apply when reporting data breaches. Businesses must notify their national data protection authority (the ICO in the UK) of any breach within 72 hours.
What do I have to do to comply?
- Businesses may have to hire a data protection officer to explain the regulations and apply them to the business.
- All data processing must be logged, and an audit trail must be available for historic transactions.
- The above will then be presented to the Data Protection Authority (DPA), which will be responsible for enforcing GDPR.
- Businesses will have to locate and secure any Personally Identifiable Information (PII) that can directly or indirectly identify an EU citizen. Companies must identify where this information is stored, who has access to it, which external companies have access to it and for what reasons.
Companies will have to give evidence that data:
- Is being lawfully processed
- Is obtained, secured and stored on a legitimate basis
- Is always accurate and up to date
- Is kept only for as long as required
- Can be destroyed (erased) should the customer request it
Companies will also have to:
- Continually evaluate the need to have access to this information.
- Assess other risks, with the goal of identifying and mitigating vulnerabilities in all business processes.
- Finally, and of the utmost importance, keep track of these processes to show the DPA how and when they are going to address the outstanding risks.
Will it have an impact on Brexit?
As is well known, Brexit is happening, and although the UK will eventually leave the European Union, the UK will still be an EU member when the GDPR comes into force on the 25th of May 2018. The only way the UK would not have to worry about the GDPR is if the government takes specific action to repeal it.
However, this is highly unlikely because the UK’s Information Commissioner’s Office has always promoted the GDPR as a positive development. It is also important to remember that a lot of UK businesses will still do business across the EU and that means that the GDPR law would still have to be respected to avoid its sanctions.
Let’s be ready!
The General Data Protection Regulation does not only apply to businesses in the EU; all businesses marketing services or goods to EU citizens should be preparing to comply with GDPR as well. By complying with GDPR requirements, businesses will avoid penalties while improving customer data protection, trust and reputation.
Talk to S9 Tech so we can help you plan for the imminent arrival of GDPR.