GDPR: How all businesses must prepare for the new privacy laws.
The General Data Protection Regulation (GDPR) will come into force on 25th May 2018. Its objective is to strengthen the legal framework for the protection of personal data in the European Union through a number of measures aimed at giving EU citizens control over the use of their data by large corporations, and by all businesses that work with this type of data.
UK businesses will also have to comply with GDPR after Brexit.
While there are only a few months left for companies to comply, or face heavy penalties, there are still many who have not yet taken the measures needed to comply with the law. But what is it exactly? As a small business owner, should you be concerned? And how can you comply?
Main provisions of the General Data Protection Regulation
GDPR makes it possible to harmonise the rules relating to the protection of personal data, thus avoiding the fragmentation of national laws. It was born from the desire to allow citizens to exercise more control over their personal data. This involves several concrete measures:
• The introduction of “explicit” and “positive” consent prior to the use of personal data.
• The right to removal of data, as soon as possible.
• The right to information: Companies must send personal data to citizens who request it, in a format that can be understood by an average person, or send it directly to another service provider if that is the choice of the person concerned.
• The right to be informed in the case of a breach of data.
• Stringent data protection requirements, including a rule of “default security”, which requires any organisation to store and transfer data through an encryption-protected system.
• Appointment of a Data Protection Officer and publication of privacy policies in clear and understandable language.
Companies that fail to comply with these measures may be fined up to 4% of their annual worldwide turnover. To comply with the new laws, a business must undertake certain measures.
Deadline May 2018.
Here are a few measures that a small business owner must take to comply with the regulation before 25th May 2018.
The first step is to make an inventory of all types of customer data that the company holds, followed by identification of the personal data among it. Under the General Data Protection Regulation, any information that can be attached to an identifiable person is considered personal data: for example, an IP address, the physical address of a customer, or an email address.
A business must give most importance to securing the “Sensitive Personal Data”. This type of data includes information about a person’s health, political opinions, religious or trade union affiliation, sexual orientation, or philosophical beliefs, and misuse of this information could be particularly damaging to the individual. This type of data is subject to even stricter rules.
Once this inventory is drawn up, the company must consult with its customers to ask if it can keep their data, and must answer the following questions for each category of data it holds:
1. For what purpose does the company have data? Is it still necessary to keep it? If there is no specific reason to keep it, it must be deleted or possibly anonymised.
2. What is the legal basis for the company to keep customer data? If there is no valid legal basis, the company cannot keep it.
3. Is the data accurate and still relevant? If this is not the case, the company must delete it or try to update it.
Obligations to be fulfilled for compliance with GDPR
Incorporate new data collection procedures: As we’ve explained, companies are obliged to ask for the explicit consent of the person to use or store their data. To fulfil this obligation, they will have to modify their current data collection practices and take the new data protection provisions into account. Companies must also review all corporate documents to make them compatible with GDPR.
Designate a Data Protection Officer: To comply with the General Data Protection Regulation, companies must designate a specialised auditor called a “Data Protection Officer”, who can be an internal employee of the company or an external independent advisor. This person must guarantee monitoring and control to verify compliance with the SA (the Supervisory Authority at national level) and, whenever required, the European Data Protection Board.
Safeguard Data: GDPR requires companies to make data security a priority. Data protection must now be taken into account in the design phase, i.e. when designing business practices and processes. To meet this obligation a company must implement security measures such as firewalls and data encryption (SSL/TLS) to protect consumer data. At the same time, check carefully whether subcontractors or suppliers respect the confidentiality of the data: you may be held responsible for any non-compliance on their part.
Inform the consumers: Companies have an obligation to inform people about the data they hold about them and what they do with it. In addition to this transparency, companies must comply with a customer’s request if they want their data erased, ask for a copy of their data, or ask for correction of outdated data.
Failure to comply with the General Data Protection Regulation can be very expensive. If a business doesn’t take the necessary steps to comply with this new legal framework by May 2018, it will be subject to significant penalties.
If the Commission for the Protection of Privacy receives complaints from consumers and finds that a company has failed to comply with the provisions of GDPR, it can impose fines of up to €20 million. Subsequently, if a large number of people lodge complaints against the company and demand damages, the business can be in even bigger trouble. Along with a huge financial loss in the form of legal fees and payment of damages, it can lead to loss of reputation and credibility for the company, and its eventual downfall.
Part of the requirement is that a business website uses an SSL certificate to protect customer data shared between the company and the customer over the Internet.
In conclusion, the General Data Protection Regulation will apply to almost all companies from May 2018. To avoid being among the first companies to be penalised, it is necessary to take action to make your business comply with the law. The steps to be taken are certainly demanding and put more financial burden on small businesses, but the risks of non-compliance are too great to be ignored.
It is advisable to consult the website of the Commission for the Protection of Privacy where the GDPR is shown and explained in detail.
If a company does not have the internal resources to start the compliance process, it is advisable to call on specialised service providers. This is information every business owner should know about, and just one of the many obligations placed on a website owner. If you need help and support, just make contact.
We also offer the presentation as a flip book. Click on the image below for a full-screen presentation.
General Data Protection Regulation resources
You will notice all the above links have “https” as part of the web address and so should you.
© Copyright 2018 www.drachsi.com all rights reserved