The GDPR, which comes into force in May 2018, aims to give people greater control over what businesses can do with their personal data. It will have bigger and sharper teeth than its predecessor, with substantial penalties for non-compliance, including fines of up to 4% of annual worldwide turnover or €20m for the worst violations.
Unfortunately, there is still a huge amount of confusion as to what these changes actually mean for businesses. At HRC Law, we recently conducted research on what business owners have been searching for online regarding the upcoming changes to GDPR. A huge increase in searches over the past quarter highlighted that the changes are increasingly on businesses’ radars. However, a 450% rise in the most frequent search term, ‘GDPR compliance’, indicates that organisations aren’t clear on what they must do to ensure they’ll be compliant when the changes come.
With some parts of the regulations focusing on organisations with more than 250 employees, you may think that this will not impact your business. But this is not just one for the big boys and girls: it’s one which will apply across the board. The regulations require compliance from all businesses that process or control personal data. With data rapidly becoming the lifeblood of the global economy, the GDPR will very likely impact you. And if it does impact your business, you’ll have to make some important changes to the way you deal with personal data in your organisation.
The good news is that the new legislation builds on many of the concepts and principles used in the current legislation. If you comply with data protection laws now, you’ll have firm foundations to build on. If you don’t, it’s high time to get your foundations in place.
New higher standards regarding consent will be required. Consent to process an individual’s personal data must be given by a clear affirmative action for each processing purpose – whether that’s a written or oral statement. Whatever it is, it must be unambiguous, freely given and with all required information provided.
Rights to access data
As previously, customers will be free to request a copy of their data. You will now have to comply within one month and provide the first copy free of charge. While this may seem like a simple request to fulfil, as a small business your CRM system may not lend itself well to this. Data may be scattered across servers or departments, and an influx of customer requests may be a drain on resources. Now is the time to ensure your systems will be able to handle this.
Right to be forgotten
Businesses shouldn’t hold on to a customer’s data indefinitely. If it’s very old and of no business use, delete it. Under the regulations, customers will gain new rights, one of which is the aptly named right to be forgotten.
The new regulations will take cybersecurity up a notch. If you don’t have one already, now may be the time to get an IT expert on board to take a lead on encryption and pseudonymisation. This tongue twister is a new concept that means personal data can’t be attributed to a specific individual without additional information – think of it as a high-tech pseudonym.
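To make the pseudonymisation concept concrete, here is an added Python example (it is not code from HRC Law or from the original article). It assumes a constructed customer list and a secret key that the business keeps separately from the working data. The pseudonym is a keyed HMAC over the customer’s email, so the working records carry no name or email, and nobody holding only those records can link them back to a person without the separately held key and lookup table. A plain unkeyed hash would not give this protection, because anyone who already knows a customer’s email could recompute it. The example also shows the right-to-be-forgotten angle from the previous section: deleting the lookup entry severs the only route from a record back to the individual.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for illustration only; these are not real people.
CUSTOMERS = [
    {"email": "alice@example.com", "name": "Alice Example", "plan": "basic", "region": "UK"},
    {"email": "bob@example.com", "name": "Bob Example", "plan": "pro", "region": "UK"},
]

# Fields that directly identify a person and must not remain in the working data.
DIRECT_IDENTIFIERS = ("email", "name")


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym from an identifier using HMAC-SHA256.

    The same email under the same key always yields the same pseudonym, so the
    working data can still be joined and deduplicated. Without the key, the
    pseudonym cannot be recomputed from a known email, which is what separates
    this from a plain SHA-256 of the address.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Split records into a working set without direct identifiers and a
    separately held lookup table mapping pseudonym -> identifying fields."""
    working = []
    lookup = {}
    for rec in records:
        pid = make_pseudonym(rec["email"], key)
        lookup[pid] = {field: rec[field] for field in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["pseudonym"] = pid
        working.append(stripped)
    return working, lookup


def reidentify(record, lookup):
    """Recover the identifying fields for a working record, which is only
    possible for whoever holds the separately stored lookup table."""
    return lookup.get(record["pseudonym"])


def forget(pseudonym: str, lookup) -> bool:
    """Remove the link for one individual. Afterwards the working record for
    that pseudonym carries only non-identifying fields (plan, region)."""
    return lookup.pop(pseudonym, None) is not None


def has_direct_identifiers(records) -> bool:
    """Sanity check for an information audit: does any record still carry a
    name or email in the clear?"""
    return any(field in rec for rec in records for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    # In practice the key lives in a secrets store, not beside the data.
    key = secrets.token_bytes(32)
    working, lookup = pseudonymise(CUSTOMERS, key)
    print("working records clean:", not has_direct_identifiers(working))
    print("re-identified first record:", reidentify(working[0], lookup))
    forget(working[0]["pseudonym"], lookup)
    print("after forget, first record resolves to:", reidentify(working[0], lookup))
```

The key is the “additional information” the regulation refers to: the value of the scheme depends on storing it, and the lookup table, under tighter access control than the working data they protect.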
Should the worst happen and your business suffer a data breach, you must notify the regulator – and in some cases your customers – within 72 hours.
Some of these changes will take time to implement so, if you haven’t already, you should start preparing for the changes now.
Clearly delegate the responsibility of compliance to someone within your business. This doesn’t necessarily mean you will have to appoint a data protection officer – although some businesses will have to – but it does mean you need a considered and documented approach. The changes will affect different organisations in different ways. Whoever is internally responsible for compliance should know enough about how your business operates to spot problem areas.
Carry out an information audit and look at how your organisation uses personal information. This will help you highlight problem areas and prioritise when and where to focus. At a minimum, you need to know what personal data you hold, where it came from and who you share it with.
Draft an action plan. Begin by targeting areas that will most affect your organisation – or take longest to implement, such as contractual renegotiations – and leave no stone unturned when you do.
The end goal is to ensure that, by next May, you and your organisation will be GDPR ready. Time is still on your side but preparation is key. So don’t leave it too late.