10 tips for staying ahead of the GDPR

What is the GDPR?

The General Data Protection Regulation (GDPR) is the European Union’s new law designed to protect the personal data of EU citizens. It’s being introduced for two main reasons: to give people more control over their personal information and to help put a stop to growing cases of cyber fraud.

Safer and more transparent transactions are great for consumers and companies alike. That’s why the GDPR is on its way to clean up how business is conducted.

Businesses have until the 25th of May, 2018 to prepare for the GDPR. Failure to do so will put your business at risk of hefty fines.

A fine of up to £10 million or up to 2% of annual turnover may be imposed for certain infractions, while more severe offences will incur costlier penalties: in such cases, fines double to up to £20 million or 4% of worldwide annual revenue.


How will the GDPR affect business?

The GDPR will require businesses to focus on the safety of personal data like never before. The data processes of organisations will be closely monitored. And these new laws will be strictly enforced.

If you are responsible for handling the data of customers in the European Union, you’re known as the data ‘Controller’, and there are a few critical requirements to remember:

  • You will be legally obligated to erase the information of a customer if that customer requests you do so.
  • You will be expected to transfer personal data to a competing provider if your customer asks for a move.
  • You will need explicit consent from customers if you intend to process any sensitive personal information.

If you are handling data on behalf of another business, you act as the ‘Data Processor,’ and you need to ensure that you facilitate the protection requirements of the ‘Data Controller’. It’s also good to ensure that the data controller has gathered and shared the data in accordance with these laws.


Why is the GDPR important?

More and more consumers are sharing personal information with businesses. However, most of us are unaware of what happens to our address, date of birth, or phone number once a company has the information. The GDPR keeps businesses responsible while holding them accountable.

Plus, the data security experts at UKfast uncovered that 90% of large UK businesses suffered a data security breach in 2015. Smaller businesses were similarly affected. 74% of SMEs were hacked, some without knowing it. The GDPR will reduce business and consumer exposure to criminal activity.


10 tips for staying ahead of the GDPR

We appreciate that the GDPR may be coming as a surprise to some. So here are the key steps to take to be fully prepared by May 25th, 2018.

  1. Spread The Word:

A shift as crucial as the GDPR will require the involvement of all staff. Work towards getting key staff members on board.

Make sure everyone is up to speed, as one mistake has the potential to hurt the entire company.

  2. Run A Full Audit Of Your Data:

The GDPR provides you with the ideal motivation for re-assessing your company’s data procedures.

It is advised that your business takes the time to assess its data storage processes. Examine how data is acquired, from where it originates, what it is used for and who can access it. Map your data.

  3. Revise Existing Terms And Privacy Notices:

Avoid the complexity which tends to fill legally binding documents. Keep your terms and conditions easy to follow. The GDPR aims to prevent consumers from agreeing to contracts they do not understand.

  4. Protect And Be Compliant:

After auditing and revising your company’s current data management procedures, your company ought to take significant steps to secure the individual rights of customers. The GDPR requires your company to comply with data access and erasure requests by customers. Identify and close gaps between new regulatory expectations and your current business realities.

  5. Prepare To Be Responsive:

Pulling up old accounts (consumer data) can be time-consuming. Update your data processes so your company can respond to increasing information requests quickly.

  6. Create And Follow Rules:

If you have followed all the above steps, you’ll find that your company is positioned to do well despite the coming changes.

To get rid of possible loose ends, establish a guideline for all employees to follow. These procedures should be standardised throughout your company.

  7. Re-examine Your Consent Process:

Now that you have handled the technical adjustments needed to be GDPR compliant, protect new customers by making sure they are aware that you will be collecting their data. Be sure you receive explicit consent from consumers.

  8. The Privacy Of Minors Is No Small Issue:

See to it that your company has thoroughly reviewed its procedures for handling agreements signed by minors. Be sure to verify age. Clearly and directly request consent from parents and guardians when processing data of those under the age of 18.

  9. Plan For The Worst:

Have a Plan B. Working to play by the rules is smart business, but knowing what to do if something goes wrong is great business.

Review breach notification procedures. Make sure you have a system in place to prioritise breach alerts. In case there is ever a breach, your company is expected to be able to report it within 72 hours.

  10. Consider A Data Protection Officer:

A Data Protection Officer (DPO) is responsible for ensuring your company is operating in compliance with the General Data Protection Regulation. If your company does not already have an employee assigned to the role, your business will benefit from going the extra mile.


What about Brexit?

The GDPR regulations apply to companies who manage the data of EU citizens, regardless of geographical location. That means companies in Latin America, the United States, and even the U.K. (after Brexit) will have to keep up with the higher standards of the GDPR.

These rules were specifically designed to affect companies all over the world.

It is also likely that regulations similar to the GDPR will be adopted by British lawmakers in the future.


What Add People are doing for the GDPR

Alongside controlling the data of our clients, Add People also act as processors of data on behalf of our clients who are the data controllers. So, ensuring data security and transparency is key.

As we continue to audit our current data process and procedures, we will also be assigning a Data Protection Officer alongside our compliance initiative, which includes:

  1. Transparency – We will be focusing on an easy-to-understand privacy policy, along with educating clients on how we will use data on their behalf.
  2. Control – We will work in accordance with the GDPR to facilitate control over personal data.
  3. Accountability – We will work in accordance with the GDPR to facilitate control over personal data.


For more details on the GDPR, check out this resource compiled by the Information Commissioner’s Office (ICO) – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/