If you haven’t already heard of the upcoming GDPR (General Data Protection Regulation), well, let us salute you. It seems to have become a bit of a buzzword that is impossible to avoid at the moment.
The problem is, the discussion so far has all been rather vague. So we thought we'd make ourselves useful and write an article that explains and demystifies the GDPR in language that is easy to understand.
So, what is the GDPR?
In a nutshell, the GDPR is a new EU regulation that harmonises the EU's approach to data protection and security across all member states. It applies from 25th May 2018.
Note: it's a common misconception that Brexit means this law will not apply in the UK. It most certainly will. The GDPR applies to any organisation, inside or outside the EU, that offers goods or services to people in the EU or monitors their behaviour, so a UK company that trades with EU residents must comply regardless of EU membership.
What changes will the GDPR bring about?
The aim of the GDPR is to move companies away from a ‘tick-box culture’ when it comes to protecting customer data, and to instead put the security of personal information at the heart of how companies operate.
Key GDPR rule changes include:
1) Companies will have to obtain valid consent before processing an individual's data. Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: no more pre-ticked boxes or consent buried in long, unreadable terms and conditions. The GDPR does not itself mandate a double opt-in, but many organisations are adopting one for newsletter sign-ups because it gives them evidence that consent was actually given.
2) Individuals will have the 'right to be forgotten' (the right to erasure), by which they can ask for their personal data to be deleted. The right is not absolute, but where it applies the data must actually be erased from the company's systems, not merely flagged. Companies will also have to inform individuals of their rights and of how to complain, including to the supervisory authority (the ICO in the UK), should they be unhappy with how their data is being used.
3) Reporting personal-data breaches to the supervisory authority (the ICO in the UK) will become mandatory and must take place within 72 hours of the company becoming aware of the breach, unless the breach is unlikely to result in a risk to the people affected. Where a breach is likely to result in a high risk to those people, they must be told as well.
4) Companies must be able to document the technical and organisational measures they have put in place to protect the data they hold, taking into account the 'state of the art'. Encryption and pseudonymisation of personal data are named explicitly in the regulation as appropriate measures and will play a big part in this.
5) The appointment of a DPO (Data Protection Officer) will be mandatory for certain organisations: all public authorities, and companies whose core activities involve either regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of data (such as health data or criminal-conviction data).
What are the consequences of not acting?
The ramifications of not getting your company GDPR-ready are severe.
As well as the bad press your company would receive, a serious infringement could lead to a fine of up to €20 million or 4% of your company's global annual turnover, whichever is higher (a lower tier of up to €10 million or 2% applies to less serious infringements).
This is a significant increase on the UK's current legislation, the Data Protection Act 1998, under which the maximum fine is just £500,000. Incidentally, the largest fine imposed under that act was the £400,000 given to telecoms company TalkTalk in 2016 for allowing a cyber attacker to access its customers' data 'with extreme ease'.
How to prepare for GDPR?
Rule one is to not bury your head in the sand. GDPR is not going away and you need to act.
As data-protection audit specialist Matthew Pryke says: “Too many companies are complacent and think because of their size or the nature of their business that they are somehow exempt from complying.”
The rules, however, are clear. It is irrelevant whether a breach is caused by a hacker, an employee or a third-party supplier: if the company has not complied with the GDPR, it is the company that foots the bill.
Therefore, you need to be able to demonstrate that you are following best practice in how you handle data, in your security processes, and in how you capture data and leads. Being compliant is not enough on its own; you have to be able to show it.
If you run or work for a smaller business and are concerned about your ability to cope with the complex processes involved in getting GDPR-ready, your first step should be to get clear on what best practice looks like.
GDPR: are you ready?
GDPR might seem like a mammoth task to tackle at first, so we have created an easy-to-use checklist: your go-to guide to getting this whole compliance lark nailed down.
If you would like some advice on how your company should best prepare itself for the GDPR, contact our team today.