From 25 May 2018, companies that collect data on citizens in European Union (EU) countries need to comply with strict new rules regarding the protection of customers' personal data – in line with the General Data Protection Regulation (GDPR).
The Federation of Small Businesses (FSB) warned that time was running out for small businesses to be ready, and that these businesses may face an ‘uphill challenge’ in ensuring that they are compliant.
‘As the GDPR deadline swiftly approaches, there is a real danger that many small businesses are yet to have adequately prepared for the changes. Fortunately for these businesses, there is still time on the clock to start, or finish, their preparations.
‘The GDPR is the largest shake-up of data protection laws for years, and, whether you are a personal trainer or a consultant, most businesses will have to implement changes to their current practices to make sure they are complying with the new rules.’
If you are not compliant yet, then here is a quick guide to help you get there.
What types of privacy data does the GDPR protect?
- Basic identity information such as name, address, and ID numbers
- Web data such as location, IP address, cookie data, and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Which companies are affected by the GDPR?
Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if it does not have a business presence within the EU. Specific criteria for companies required to comply are:
- A presence in an EU country.
- No presence in the EU, but the processing of personal data of European residents.
- More than 250 employees.
- Fewer than 250 employees but whose data-processing either impacts the rights and freedoms of data subjects, is not occasional, or includes certain types of sensitive personal data.
What are the benefits of GDPR for customers?
- It strengthens the rights individuals have over their personal data.
- It seeks to unify data protection laws across Europe.
What happens if my company is not in compliance with the GDPR?
The GDPR allows for steep penalties of up to €20 million or 4 percent of global annual turnover for non-compliance.
Five steps to prepare immediately for GDPR:
- Involve all the stakeholders: This should be done as soon as possible, and across all functions, to understand what is required and by when. Consider appointing a Data Protection Officer to be the one source of co-ordination and accountability to ensure compliance. Ensure there is no conflict of interest in their role.
- Conduct a risk assessment: This could be achieved via a deep dive into understanding what data you store and process on EU citizens – and where you store it. This must include all “shadow IT systems” that might be collecting and storing personal client/customer information. Mobile platforms must be reviewed, including how they also store and record data.
- Create a data protection plan: Ensure the plan is in line with the requirements of GDPR and report on your progress across the business, completing the Record of Processing Activities (RoPA) (Article 30 of the GDPR).
- Implement measures to mitigate risk: Once you’ve identified the risks and how to mitigate them, you must put those measures into place. For smaller companies that may not have the resources, look outside for advice and technical experts to guide you through the process and to test incident response plans. This is key, as GDPR requires that companies report breaches within 72 hours – so go through this as a test to see how your company can perform.
- Set up a process for ongoing assessment: You want to ensure that you remain in compliance, and that will require monitoring and continuous improvement. Some companies are considering incentives and penalties to ensure that employees follow the new policies. According to a survey by Veritas Technologies, 47% of respondents will likely add mandatory GDPR policy observances to employee contracts, 25% might withhold bonuses or benefits if a GDPR violation occurs, and 34% say they will reward employees for complying with GDPR.