What is GDPR?
The General Data Protection Regulation 2016/679 (GDPR) is the EU regulation on data protection and privacy for individuals in the EU. It applies to organisations established in the EU and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Where your company is physically located does not matter: if you handle personal data of people in the EU, your company must comply with the GDPR. The regulation entered into force on 24 May 2016 and applies from 25 May 2018, when its obligations become enforceable.
The aim of the GDPR is to give people in the EU control over their personal data. People must (and should) have the right to know what information companies hold on them. From a societal point of view, the GDPR gives people the right to demand insight into what has until now been uncharted territory. And this is a good thing. That being said, it can be a b**** for companies, as GDPR compliance is more than a mouthful.
How does GDPR affect my business?
The GDPR replaces the preceding Data Protection Directive (95/46/EC), keeping many of its concepts but adding changes that affect your business in a significant way. Below you can find new and modified concepts that are important to be aware of. The list is not comprehensive but an outline of important areas that will affect your company:
- Consent
- Breach notification
- Right to access
- Right to be forgotten
- Data portability
Consent
Consent is a person's freely given, specific, informed and unambiguous agreement that your company may use their data for a stated purpose. Consent is only one of several lawful bases for processing, so you do not need to ask for consent every time personal data is collected. To give you an example, think of a website that offers a free healthy meal plan. To give you the best plan, the site needs information (personal data) about you: your age, your weight and so on. All of this is required to produce your meal plan, so the site does not need separate consent to collect it: the processing is necessary to deliver the service you asked for, which is a lawful basis of its own. But. If the same information is also used for marketing purposes, that is a different purpose, and consent would be needed for using the data in that regard. One caveat on this example: data about a person's health is a special category under the GDPR and needs a stricter basis, typically explicit consent, so think carefully before treating weight or dietary information as ordinary personal data.
Breach notification
All data breaches are not created equal. What counts as a data breach is broad, and the actions required depend on the risk the specific breach poses to the people affected. If an employee loses a company phone whose storage is encrypted and whose key has not been compromised, the loss is unlikely to pose a risk to anyone, and you do not have to report it to the data protection authority. Note that a screen lock alone is not encryption; the data on an unencrypted phone can still be read. At the other end of the spectrum, if your database is hacked, it is your responsibility to notify the relevant supervisory authority within 72 hours of becoming aware of the breach and, where the breach is likely to result in a high risk to the people affected, to inform those people as well without undue delay. Whatever you decide, document every breach and the reasoning behind your decision; the authority can ask for that record.
Right to access
Persons have the right to request access to the personal data your company holds about them. That means your company needs to provide a copy of all the personal data you have on that specific person, free of charge and, when the request is made electronically, in a commonly used electronic format that the person can actually understand. And don't try sending it as a raw binary dump... I have witnessed companies asking about this (surprise smiley).
Right to be forgotten
Forgetting everything you know about a person means that your company must delete the personal data in question and stop disseminating it, which includes telling other recipients you have shared it with that the person wants it erased. This applies only if your company has no remaining lawful basis for keeping the data AND the person actively requests its deletion; legal obligations such as accounting retention rules can override the request.
Data portability
Under certain circumstances a person can request that your company either provides them with the personal data they gave you, or sends that data directly to another company where technically feasible. This right covers data the person has provided to you that you process by automated means on the basis of consent or a contract. Be aware that it needs to be in a structured, commonly used and machine-readable format (for example CSV, JSON or XML)! Hence, no binary dump here either.
What happens if I do not comply with GDPR?
Simply put, not adhering to the GDPR can have devastating consequences for your business. Non-compliance can cost you fines of up to 20 million EUR or 4% of your total worldwide annual turnover for the preceding financial year, whichever is higher (a lower tier of up to 10 million EUR or 2% applies to less serious infringements, such as failing to notify a breach). Regardless of the size of your company or the scope of your business, you can't afford not to comply with the GDPR.
If this does not scare you, then let me give you a likely scenario after 25 May. A recent study by Veritas (http://bit.ly/2KLJ9xu) claims that 40% of EU citizens plan to exercise their right to access the data that companies have on them. In practical terms, there is a great chance that previous or present customers or employees will demand that you tell them what data you have on them. Leaving aside the threat of huge fines, think of the time it will cost your company to manage these requests. You not only need to send the data to the person; your company needs to be able to find that data quickly to maintain operational efficiency. FYI, you have one month from receipt of the request to deliver the data (extendable by two further months for complex or numerous requests, provided you tell the person within the first month). Also, if your company receives many access requests, the task may be too big if you do not have procedures in place, and missing the deadline is itself an infringement of the regulation.
How to get your company started with GDPR
To be GDPR compliant, you first need to locate all personal data in your company. Simply put: you can't report on personal data if you don't know where it is located. This should be your first and highest priority, and the resulting inventory of what data you hold, where it lives, why you process it and for how long is also the basis of the record of processing activities the regulation requires you to keep. Divide your compliance process into steps and take it one at a time. The journey is long and daunting, so make it manageable for yourself.