Businesses: Don’t get stung by GDPR
On May 25th 2018 a new EU regulation could mean big fines for businesses of all sizes if they don’t follow new personal data and privacy rules.
General Data Protection Regulation (GDPR) will replace the 1995 Data Protection Directive and will restrict the way that businesses collect, store and export personal data.
This includes data held on customers, potential customers, suppliers, employees and any other EU residents.
Who does it apply to?
GDPR regulations apply to small businesses as well as big companies, but small companies that don’t handle much data are down the list of priorities compared with big data-hungry technology companies like Amazon, Google and Facebook.
Data intensive companies need to name a Data Protection Officer who will become the direct point of contact for GDPR queries.
What does it mean for businesses?
Fundamentally, the regulations are about giving individuals more rights over how their data is used and managed. The EU is trying to level the playing field between organisations that use data and the private citizens who surrender it.
On May 25th, individuals will get more rights over how businesses use their data.
In many circumstances, individuals will have a ‘right to be forgotten,’ meaning that businesses will have to delete personal data when consent is withdrawn.
Individuals also have a right to request all the data that you hold about them for free via a ‘data subject request’.
Businesses should review all the data that they hold about any private individuals and put proper processes in place for how they handle it.
Make sure any data, particularly data collected by and stored on your website, is secured. And ensure that there are proper processes in place for how the data is used and exported.
There are a number of implications for how companies collect data about individuals.
Companies must be able to make a specific business case for collecting each piece of data. They should not collect extra information at the point of sign-up in case they might want to use it later.
Consent requests, which are typically backed up by complex terms and conditions, must be replaced with simple and easy to understand forms that explain exactly how data will be used.
Consent must be unambiguous, so it must be clear what processing of their data a data subject has agreed to. If a data subject signs up to receive a newsletter, for example, that data should not be processed for multiple ambiguous purposes.
Data subjects must also give a ‘statement or clear affirmative action’ meaning that pre-ticked check boxes are not good enough. Consent must also be ‘freely given,’ so you cannot mislead or otherwise tempt people into giving up their consent.
It must be as easy to withdraw consent as it is to give it. And if there are any serious data breaches, then companies must inform their customers and the Information Commissioner’s Office within 72 hours.
The most serious penalties for GDPR failures are steep: whichever is higher of 20 million Euros or 4% of your annual turnover.
Small businesses are unlikely to face these top-level penalties, but this is not an excuse for not getting compliant.