GDPR (General Data Protection Regulation) will apply in all EU member states from 25 May 2018, but is your organisation ready? First, let’s break down what GDPR is all about:
- The EU wants to give people more control over how their personal data is used whilst improving trust in the emerging digital economy.
- The GDPR also aims to simplify the regulatory environment for international business by unifying the regulation within the EU.
- As the GDPR applies harsh penalties and fines for those who do not comply, it encourages EU companies to think seriously about data protection.
“While the overwhelming majority of IT security professionals are aware of GDPR, just under half of them are preparing for its arrival.” – IT Pro
SMEs take note: GDPR still affects small businesses
- All companies, however small, will have to comply with new regulations regarding the secure collection, storage and usage of personal information.
- GDPR recognises that smaller businesses require different treatment to large or public enterprises.
- Article 30 of the regulation declares that organisations with fewer than 250 employees will not be bound by GDPR – although, as we will come to, there are several stipulations that mean they probably still should be.
Okay, so you’re getting the message that you need to comply. But what are the main conditions of GDPR?
- SMEs: GDPR will also apply to small businesses under 250 employees if the processing carried out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data as defined in GDPR Article 9.
- Data Breaches: Breaches in data security must be reported immediately to data protection authorities such as the Information Commissioner’s Office (ICO) in the UK. Ideally, breaches should be reported within 24 hours, and in any case within 72 hours. Small businesses shouldn’t assume this doesn’t apply to them because they think they’re unlikely to be hit.
- A company of any size can be targeted.
- Regulators will also want to see a procedure for notifying local regulators (and, in some cases, customers) of a compromise.
- Consent: Individuals have more rights dictating how businesses use their personal data.
- They have the ‘right to be forgotten’ if they withdraw their consent to the use of their personal data, or if keeping that data is no longer required.
- GDPR’s ‘unbundled’ consent also means getting separate permission to use customer data for different purposes, such as marketing, maintenance, fraud checks and support.
- Documentation is stricter too: businesses must record when consent was given.
- Punishment: Failure to comply with the GDPR will lead to heavier punishments than ever before. Under current rules, the UK’s Information Commissioner’s Office (ICO) can fine up to £500,000 for malpractice, but under the GDPR regulators will be able to fine up to €20 million or 4 per cent of annual turnover (whichever is higher).
A note on Brexit:
Some SMEs think that Brexit will rescue them from all the hassle. However, the UK will fall under GDPR long before it leaves the EU, and in any case the UK needs to demonstrate equivalent rules if the EU is to exchange data with it. This must be one of the motivations for an impending national law – the Data Protection Bill – which will implement GDPR’s rules locally.
“If a small business has been winging it without a grown-up IT department, they’ll need to source this technical expertise from somewhere to tackle these GDPR requirements.” – The Register
Where you should begin in order to prepare for the GDPR:
- Assess data holdings: audit the data you already hold and that held by third parties.
- Review privacy communication, legal frameworks, and approach to consent: assess how you communicate privacy information to data subjects and document the legal basis for what you’re doing with their personal data. You will need to explain this legal justification to the individuals whose data you handle.
- Review ability to respond to subject access requests: check existing procedures (and the technology that supports them) to see how you will cover individuals’ new rights under GDPR.
- Revise approach to children’s data: the GDPR strengthens protection for children, requiring a parent or guardian’s consent to process their data. As an SME, you must document processes relating to data collection for children and adjust them as necessary.
- Prepare for data breaches: you must ensure you have the procedures in place to detect and investigate a data breach, and also to report it.
- Review system privacy and introduce impact assessments: examine existing systems that process high-risk data and ensure that your design is based on sound privacy principles. You must conduct privacy impact assessments for these systems to ensure that you support the requirements laid out in the GDPR.
Where Valis can help:
SMEs are generally resource-constrained and have less margin for error than large enterprises, which often have a bigger cash-flow buffer to tackle wide-reaching challenges like GDPR.