After four years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016. If you are a business owner, the chances are that these laws apply to you, and it is serious. The enforcement date is 25 May 2018, at which time organisations that are not in compliance will face hefty fines. The fine for not complying could be so large that your business could close. Yes, it is that serious: the regulators are not messing around with data protection anymore. So I hope this post will demystify some of the basics of what you really need to know as soon as possible.
What is GDPR?
The aim of the GDPR is to protect all EU citizens from privacy and data breaches. The GDPR is unique because it requires affirmative user consent before any of the user’s data is processed, which means new technical changes at every point where you collect data from users. Read the full text on the EU GDPR website.
What is personal data?
Any information relating to a person that can be used to identify that person, directly or indirectly. It can be anything from a name, a photo, an email address, bank details, posts on social media or medical information to a computer’s IP address.
The maximum fine for non-compliance is 20,000,000 Euros or up to 4% of your annual worldwide turnover, whichever is the greater.
Appointing a Data Protection Officer (DPO)
All businesses that process personal data on a significant scale must appoint a Data Protection Officer (DPO). The DPO is responsible for monitoring internal compliance with the GDPR within the organisation and for ensuring that compliance is achieved and then maintained.
What is the ‘right to be forgotten’?
Individuals also have the right to ask that their data be deleted if it is no longer necessary for the business to keep it.
Who can help me?
Please let us know if you are able to assist people with this process. Leave your business name and website in the comment box below so we can point people to you for help.
Brexit and GDPR
When the GDPR comes into effect, the UK will still be a part of the EU, albeit one that is beginning the withdrawal process, and the UK will adopt all EU legislation immediately after Brexit. The GDPR will therefore remain relevant to the UK for quite some time, and even if UK law later changes, it will still apply to you if you have customers who are based in the EU.
What do I need to do to get ready?
- Organise an information audit in which you document what personal data you hold, where it came from and who you share it with.
- Ensure that all personal data you collect is collected with consent. Consent must be an active, affirmative action by the data subject, not passive acceptance such as pre-ticked boxes or opt-outs. Controllers must keep a record and be able to prove how and when an individual gave consent.
- Ensure that your data subjects can access their data. People may ask for access to the data a company holds on them, and to know why that data is being processed, how long it is stored for and who gets to see it. Controllers must generally respond within one month.
- Store data in a portable format. Controllers must now store people’s information in commonly used formats (such as CSV files) so that they can move a person’s data to another organisation, free of charge, if the person requests it. Controllers must do this within one month.
- Prepare for a potential data breach. Ensure that you have the right procedures in place to detect, report and investigate a personal data breach.
- Appoint a DPO who will keep your business GDPR compliant at all times.
The above is a brief overview in layman’s terms. It does not constitute legal advice and serves only as a guide and introduction to the GDPR. If you have any questions or concerns, please don’t hesitate to leave a comment in the box below and we will do our best to find an answer for you.
We have dedicated an entire chapter of our Success Story System to getting back to basics. Get involved and tap into all of our valuable resources to support you in your business.