As of summer 2019, regulators have already issued high-profile fines against large companies for historical data breaches.
The new regulations on data protection are designed to bring about a lot of changes in the way businesses manage personal data. From tech giants, like Facebook or Google, to smaller companies and startups, everyone must update their data policies to comply with the General Data Protection Regulation (GDPR).
Those who don’t comply, or fail to report a data breach within 72 hours of becoming aware of it, risk fines of up to €10 million (£8.7 million) or 2 percent of annual global turnover. For the most serious infringements, penalties can go as high as €20 million or 4 percent of annual global turnover, whichever is higher.
So if you’re running a small business and handle any kind of personal data belonging to people in the EU (the law covers anyone in the EU, not only EU citizens), you’ll need to update your processes to make them compliant. You must make GDPR a priority, not just for your IT department, but for the entire company. You’ll need to find out what data you hold, correct or delete it where necessary, and make sure you can protect it.
What is GDPR?
GDPR is the new European law on data protection. It replaces the 1995 Data Protection Directive, whose rules predate the way companies process data today and could no longer protect citizens adequately.
Essentially, GDPR provides a single law for all EU countries and gives Europeans more power to decide what happens with their personal data. With the new rules, citizens can decide when, for what purposes and for how long a company can make use of their personal data.
It applies to all organisations that handle personal information, from government and charity to companies and conglomerates. The law distinguishes between “data controllers” (who decide why and how personal data is processed) and “data processors” (who process it on a controller’s behalf, for example by collecting, storing or analysing it). Both parties can be held responsible for misusing personal data, and that includes cloud providers acting as processors.
GDPR sets clearer rules on:
- The sources companies use to obtain data
- The purposes of collecting data
- How companies explain to individuals their rights over their personal data
- For how long companies may keep personal data
- How breaches must be reported
- Transferring data outside the EU
How Much Does GDPR Compliance Cost?
That depends on how much data you hold and how you’re planning to use it. Tech giants and large companies have declared that they’re spending millions on compliance, but smaller companies will have lower costs to deal with. These will vary depending on the size of your company, the industry, and the efforts you’ve made in the past to protect personal data. You may spend a hundred euros, or hundreds of thousands.
If you already have a data policy plan, all you’ll need to do is update it to comply with the new rules. Among the key changes, you’ll need to come up with clearer messages when asking for consent. You should also invest in updating your systems to be able to provide better protection.
Most small companies don’t need a data protection officer: GDPR requires one only for public authorities and for organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data. You should still consider hiring a legal expert to help you prepare for these changes. A privacy audit can help you understand where you stand and how far you’ll need to go with your processes to comply with the new rules.
If you can’t afford any extra costs, you can ask the Information Commissioner’s Office (ICO) for help.
GDPR Compliance Involves The Entire Company
GDPR compliance will make changes in many of your departments, so include all these details in your budget:
IT and IT Security
- Install a well-configured firewall
- Make sure you’ll be able to detect a breach in your systems and report it in time (within 72 hours of becoming aware of it)
- Be ready and able to provide all information you hold on a person, correct it and erase it on request
- Identify any weakness in your systems to prevent attacks
- Most marketing uses personal data to tailor messages and campaigns, so you’ll need to train your marketing staff on the new regulations
- GDPR isn’t only about customers’ data, so pay attention to what information you hold on employees and how you use it
Learning & Development
- Revise all apps and tools you use for data collection
- Update web forms and newsletters to comply with the new laws
- Check your contracts with companies that help you collect and/or process data
Learn About The Personal Data You Handle
Having a clear image about the personal data you hold is essential when you’re planning to protect it.
Personal information includes anything that can help you identify a person, such as:
- Email address
- Medical information
- Social media activity
- IP address and cookie data
- Bank details
- Political views
- Sexual orientation
Several of these (medical information, political views, sexual orientation) are “special categories” of personal data, which need explicit consent or another specific legal basis and stronger protection. It’s also essential for you to know the source of the information and for what purposes you plan on using it.
Make Sure You Have Consent
The methods you use for gaining consent are among the key changes in the GDPR. You’ll need to explain to users in simple words who you are, what you need their data for and how you intend to use it.
Your privacy notices should also let people know that they can withdraw consent at any moment and that, if they want their personal data removed from your system, they can ask.
When you ask for consent, state each purpose clearly, and ask separately for separate purposes. Once a purpose has been fulfilled, be ready to delete the personal data you collected for it.
You may also need to revise your existing consent methods, if they don’t comply with the new regulations.
Your Processes Must Respect Individual Rights
When you collect or use data, make sure you respect these fundamental rights:
- The right to be informed. People have the right to know what information you hold on them, why you hold it and for how long, normally through your privacy notice. When someone asks about his/her personal data, you must respond within one month (extendable by two further months for complex or numerous requests, if you tell the person why).
- The right of access. Facebook, for example, allows its users to download the information it holds about them. Many companies will create similar automatic download buttons to give users easy access to their information. This must normally be free of charge.
- The right to rectification. You must be able to correct any information you hold. You can’t charge for this either, unless the request is manifestly unfounded or excessive.
- The right to erasure. You must erase all data you hold on a person if he/she requests it, unless an exemption applies (for example, a legal obligation to retain the data); if you refuse, you must tell the person why.
- The right to restrict processing. You should restrict processing when a person claims the data isn’t accurate, or when you no longer need the personal data.
- The right to data portability. This right allows citizens to move their personal data from one environment to another in a secure way.
- The right to object – to direct marketing, profiling, and processing for statistics or scientific research.
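As an added example that is not part of the original article, the following Python module shows what the rights above look like in code: a minimal personal-data store that answers access and portability requests as machine-readable JSON, rectifies a field, restricts processing, erases on request while recording a refusal when a legal-hold exemption applies, and computes the one-month (extendable) response deadline. The class names, field names, exemption flag and sample records are constructed assumptions, not any real system.

```python
# Added example, not from the original article: a minimal personal-data store that can
# answer data-subject requests (access/portability, rectification, restriction, erasure)
# and compute the statutory response deadline. Field names, the legal_hold exemption
# flag and the sample records are constructed assumptions for illustration only.
from __future__ import annotations

import calendar
import json
from dataclasses import dataclass
from datetime import date


def response_deadline(received: date | str, extended: bool = False) -> date:
    """Art. 12(3): respond within one month of receipt, extendable by two further
    months for complex or numerous requests. Clamps to month end (31 Jan -> 28 Feb)."""
    if isinstance(received, str):
        received = date.fromisoformat(received)
    months = 3 if extended else 1
    years, month0 = divmod(received.month - 1 + months, 12)
    year, month = received.year + years, month0 + 1
    day = min(received.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass
class Subject:
    subject_id: str
    data: dict[str, str]        # the personal data fields held on this person
    legal_hold: bool = False    # kept under a legal obligation: Art. 17(3)(b) exemption
    restricted: bool = False    # Art. 18: may be stored but not otherwise processed


class PersonalDataStore:
    def __init__(self) -> None:
        self._subjects: dict[str, Subject] = {}
        self.audit: list[tuple[str, str]] = []   # (action, subject_id) for every request

    def add(self, subject: Subject) -> None:
        self._subjects[subject.subject_id] = subject

    def _get(self, subject_id: str) -> Subject:
        if subject_id not in self._subjects:
            raise LookupError(f"no personal data held on {subject_id}")
        return self._subjects[subject_id]

    def access(self, subject_id: str) -> str:
        """Art. 15 access / Art. 20 portability: everything held, as machine-readable JSON."""
        s = self._get(subject_id)
        self.audit.append(("access", subject_id))
        return json.dumps({"subject_id": s.subject_id, "data": s.data,
                           "processing_restricted": s.restricted}, sort_keys=True)

    def rectify(self, subject_id: str, field_name: str, value: str) -> None:
        """Art. 16: correct a field that is actually held (never create new ones here)."""
        s = self._get(subject_id)
        if field_name not in s.data:
            raise KeyError(f"{field_name!r} is not held for {subject_id}")
        s.data[field_name] = value
        self.audit.append(("rectify", subject_id))

    def restrict(self, subject_id: str, restricted: bool = True) -> None:
        """Art. 18: e.g. while the person contests accuracy, keep the data but stop using it."""
        self._get(subject_id).restricted = restricted
        self.audit.append(("restrict" if restricted else "unrestrict", subject_id))

    def process(self, subject_id: str) -> dict[str, str]:
        """Ordinary business use of the record; refuses records under restriction."""
        s = self._get(subject_id)
        if s.restricted:
            raise PermissionError(f"processing of {subject_id} is restricted")
        return dict(s.data)

    def erase(self, subject_id: str) -> bool:
        """Art. 17: delete on request. Returns False when an exemption forces a refusal,
        so the caller can tell the person why."""
        s = self._get(subject_id)
        if s.legal_hold:
            self.audit.append(("erase_refused", subject_id))
            return False
        del self._subjects[subject_id]
        self.audit.append(("erase", subject_id))
        return True


def build_example_store() -> PersonalDataStore:
    """Constructed sample records (not real people) used to exercise the store."""
    store = PersonalDataStore()
    store.add(Subject("alice", {"email": "alice@example.invalid", "postcode": "AB1 2CD"}))
    store.add(Subject("bob", {"email": "bob@example.invalid", "invoice_no": "INV-001"},
                      legal_hold=True))   # invoice data kept for tax law: erasure refused
    return store


if __name__ == "__main__":
    store = build_example_store()
    print(store.access("alice"))
    store.rectify("alice", "postcode", "EF3 4GH")
    store.restrict("alice")
    print("erase alice:", store.erase("alice"), "| erase bob:", store.erase("bob"))
    print("deadline for a request received 2019-01-31:", response_deadline("2019-01-31"))
```

The audit list is the part worth keeping in a real system: a regulator or a complainant will ask not only what you deleted but when, and why an erasure was refused.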
Process Child Data with Care
GDPR protects children’s personal data, especially when companies use it for marketing purposes. It sets the age at which a child can consent to online services at 16 but lets member states lower it to as young as 13, which the UK has done. If you rely on consent to handle data on children below that age, you’ll need verifiable consent from a parent or guardian.
When asking for consent from children, you must be sure to use language that they can understand.
Keep Data Safe and Secure
Depending on the information you handle, you may need to encrypt your data to protect it (GDPR names encryption and pseudonymisation as appropriate security measures). You should also limit access to specific information, so that the people inside your company use it only for the purposes the person consented to.
Enforce strong, unique passwords (with multi-factor authentication where you can), make sure employees lock their computers when they step away, and keep systems patched and protected against malware.
Your systems should be able to detect breaches in time to limit unauthorised access to personal data. If a breach is likely to put individuals’ rights at risk, you must notify the supervisory authority within 72 hours of becoming aware of it, and tell the affected individuals without undue delay if the risk to them is high.
Use Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs) to evaluate your systems and prevent risks; a DPIA is mandatory for processing that is likely to carry a high risk to individuals. This way, you’ll meet expectations in terms of individual privacy and comply with your data protection obligations.
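To show what “limit access so data is used only for the consented purposes” (this section) and “ask for consent per purpose and delete once the purpose is fulfilled” (the consent section above) mean in practice, here is an added example that is not from the original article: a consent-and-purpose gate in front of a personal-data store. Every read must name a purpose the person has consented to, come from a role allowed to act for that purpose, and happen within that purpose’s retention period; only the fields the purpose needs are returned, withdrawal takes effect immediately, and every decision is logged. The purpose register, roles, field names and sample people are constructed assumptions.

```python
# Added example, not from the original article: purpose-bound access to personal data
# driven by per-purpose consent and retention. The purpose register, role names, field
# names and the sample people below are constructed assumptions for illustration only.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Purpose:
    roles: frozenset[str]     # internal roles allowed to act for this purpose
    fields: frozenset[str]    # the minimum fields the purpose needs (data minimisation)
    retention: timedelta      # how long data may be kept for it after consent was given


# Constructed purpose register; in a real system this comes from your record of processing.
PURPOSES: dict[str, Purpose] = {
    "order_fulfilment": Purpose(frozenset({"ops"}), frozenset({"name", "address"}), timedelta(days=365)),
    "newsletter": Purpose(frozenset({"marketing"}), frozenset({"email"}), timedelta(days=730)),
}


def _ts(when: datetime | str) -> datetime:
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


@dataclass
class Consent:
    purpose: str
    granted_at: datetime
    withdrawn_at: datetime | None = None

    def active_at(self, when: datetime) -> bool:
        return self.granted_at <= when and (self.withdrawn_at is None or when < self.withdrawn_at)


class ConsentGate:
    def __init__(self) -> None:
        self._data: dict[str, dict[str, str]] = {}
        self._consents: dict[str, list[Consent]] = {}
        self.log: list[dict[str, str]] = []   # one entry per access decision, allow or deny

    def register(self, subject_id: str, data: dict[str, str], consents: list[Consent]) -> None:
        self._data[subject_id] = dict(data)
        self._consents[subject_id] = list(consents)

    def withdraw(self, subject_id: str, purpose: str, when: datetime | str) -> None:
        """Withdrawal takes effect for every read at or after `when`."""
        for c in self._consents.get(subject_id, []):
            if c.purpose == purpose and c.active_at(_ts(when)):
                c.withdrawn_at = _ts(when)

    def _justifying_consent(self, subject_id: str, purpose: str, when: datetime) -> Consent | None:
        """An active consent for `purpose` that is still inside its retention period, if any."""
        spec = PURPOSES[purpose]
        for c in self._consents.get(subject_id, []):
            if c.purpose == purpose and c.active_at(when) and when - c.granted_at <= spec.retention:
                return c
        return None

    def _deny(self, subject_id: str, purpose: str, role: str, reason: str) -> None:
        self.log.append({"subject": subject_id, "purpose": purpose, "role": role,
                         "decision": "deny", "reason": reason})
        raise PermissionError(reason)

    def read(self, subject_id: str, purpose: str, role: str, when: datetime | str) -> dict[str, str]:
        """Return only the fields `purpose` needs, or raise PermissionError (reason logged)."""
        now = _ts(when)
        spec = PURPOSES.get(purpose)
        if spec is None:
            self._deny(subject_id, purpose, role, "unknown purpose")
        if role not in spec.roles:
            self._deny(subject_id, purpose, role, f"role {role!r} may not act for {purpose!r}")
        if self._justifying_consent(subject_id, purpose, now) is None:
            self._deny(subject_id, purpose, role, "no active consent within retention period")
        self.log.append({"subject": subject_id, "purpose": purpose, "role": role, "decision": "allow"})
        return {k: v for k, v in self._data[subject_id].items() if k in spec.fields}

    def expired(self, when: datetime | str) -> set[str]:
        """People for whom no purpose still justifies holding data: candidates for deletion."""
        now = _ts(when)
        return {sid for sid in self._data
                if not any(self._justifying_consent(sid, p, now) for p in PURPOSES)}


def build_example_gate() -> ConsentGate:
    """Constructed sample people (not real) used to exercise the gate."""
    gate = ConsentGate()
    t0 = datetime(2019, 1, 1)
    gate.register("alice", {"name": "Alice Example", "address": "1 Example Street",
                            "email": "alice@example.invalid"},
                  [Consent("order_fulfilment", t0), Consent("newsletter", t0)])
    gate.register("bob", {"name": "Bob Example", "email": "bob@example.invalid"},
                  [Consent("newsletter", t0)])
    gate.withdraw("bob", "newsletter", "2019-03-01")   # Bob unsubscribed
    return gate


if __name__ == "__main__":
    gate = build_example_gate()
    print(gate.read("alice", "order_fulfilment", "ops", "2019-02-01"))   # name and address only
    print("to delete on 2019-06-01:", gate.expired("2019-06-01"))          # {'bob'}
```

Note what the gate does not return: a read for order fulfilment never sees the email address, and the marketing role never sees the postal address, because access is scoped by purpose rather than by who is asking. The `expired` sweep is the mechanical form of “delete the data once the purpose is fulfilled”.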
A Word on Brexit
If you work with personal data belonging to UK citizens only, you’ll still need to comply with the GDPR.
At the time of writing the UK is still part of the EU. If you aren’t compliant, you risk enforcement action, and European business partners may refuse to work with you because you won’t be in line with the law.
After Brexit, the UK will most probably retain the GDPR in domestic law so that data can keep flowing to and from the EU. So there’s no way to skip your data privacy obligations as long as you do business inside the EU.
GDPR Compliance Checklist
If you collect any kind of data, you’ll need to update your processes to be in line with new European regulations. This means you’ll need to include a wide range of measures among your IT priorities and reflect them in your budget.
If you want to get started now, here are the main steps you’ll need to take to prepare your company for the new legislation, with our GDPR compliance checklist:
- Get Informed – Make sure that you and all key members of your organisation understand the changes that are coming and know what to expect and when.
- Do an Audit – Document all the personal data that you hold, who you share it with and where it comes from. You don’t want any surprises later on.
- Check Your Communications – Revise all your existing privacy notices and create a plan to update the information in time for the GDPR.
- Stand Up For Your Rights – Make sure that your organisation covers all individuals’ rights and that you have procedures in place to deal with requests, such as deleting or editing information.
- Update Your Procedures – Ensure that you’ll be able to respond to requests and provide all information necessary within the timeline.
- Check Your Consent Forms – Are they clear and do they cover all the points set out in the new changes? Do they meet GDPR standards?
- Look Out for Minors – Do you hold data on children below the age of digital consent (16 under the GDPR, lowered to 13 in the UK)? If so, do you have a system in place to obtain parental consent for data processing?
- Cover Your Bases – Be sure that your systems can detect a breach and that you can report it within 72 hours, to avoid fines of up to €20 million or 4 percent of annual global turnover.
- Designated Data Protector – Assign responsibility for data protection compliance to someone on your staff to ensure you meet the deadlines and demands.
- Identify Your Supervisor – If you do business in more than one EU country, find out where your lead supervisory authority is based; check the Article 29 Working Party guidelines on identifying a lead supervisory authority for confirmation of this.
With the law giving citizens more control over what companies do with their personal data, becoming compliant with the GDPR is a challenge for millions of companies and organisations across the EU and worldwide.
Train your staff to meet privacy expectations, identify all the personal data you hold, and evaluate your procedures, as well as those of any third party you work with. Both you and any third party that handles your client data must have everything in order to ensure GDPR compliance.