The GDPR, or General Data Protection Regulation, is fast approaching. On May 25th 2018, all entities that process personal data of data subjects (i.e. an identified or identifiable natural person) located in the EU will need to comply with the new legal data privacy framework. Compliance is a necessity, not a choice. Find out everything your SME needs to know about the GDPR.
While a lot of organisations have already taken major steps to become compliant, it seems that quite a large group of SMEs are unsure what it entails or believe that they’re not bound by the GDPR. According to Small Business UK, more than half of SMEs were still unfamiliar with the GDPR in October 2017. The GDPR is for organisations of all sizes, including SMEs: if you haven’t done so, it’s high time to take action today.
What is GDPR and who needs to comply?
The GDPR implies that every European country will be bound by the same privacy rules. If your business is compliant with the GDPR, you’re for the most part in accordance with the law in all European countries. However, as this regulation can be imposed more strictly within an EU country, there might be small national differences. The current legislation, the Data Protection Directive, is outdated and was introduced before the internet and cloud technology could cause data exploitation (e.g. selling customer data to other companies or hacking into security systems).
The GDPR states that it lays down rules on the protection of natural persons with regard to the processing of their personal data and on the free movement of personal data. The goal of the GDPR is threefold:
- Protect EU data subjects and give them more control over how their personal data is used
- Update the privacy laws so that they reflect the current technology landscape
- Unify the privacy laws across all EU member states
Gathering, processing and exchanging personal data are daily activities for many businesses. The scope of the GDPR is dual:
- Material scope: the GDPR applies as soon as processing of personal data takes place
- Territorial scope: the GDPR applies:
  - If you’re located in the EU and process personal data within the context of your activities, regardless of whether this data is processed in the EU or not and regardless of whether you act as controller or processor (see below).
  - To the processing of personal data of data subjects who are in the EU (i.e. broader than just EU citizens) by a controller or a processor that's not established in the EU, but where the processing relates to one of the activities below:
    - offering goods or services to data subjects in the EU (regardless of whether a payment by the data subject is required)
    - monitoring EU data subjects’ behaviour as far as it takes place within the EU
Why is it important to take measures for the GDPR?
What are the consequences for your company if you’re not in compliance with the GDPR? The stakes are incredibly high: businesses that don’t comply risk administrative fines imposed by the local Data Protection Authority. Depending on the nature of the infringement, fines can go up to a maximum of 2% or a maximum of 4%.
What’s more, when customers disclose their data to a company, they care about how and where their data is stored and handled. For example, according to research from the local Data Protection Authority in the UK, the ICO (the Information Commissioner’s Office), only 20% of the UK public have trust and confidence in companies and organisations storing their personal information. Therefore, a company may lose (potential) customers, as not complying with the GDPR can have a huge impact on your customers' trust and can reflect negatively on a company's reputation.
Prepare today: take these 3 actions now
Considering the financial and reputational risks involved, you have to take the necessary precautions to become GDPR compliant. Not sure where to start? Start with the following pressing actions today:
- Decide what you can do internally and see whether you should call in external help. Divide and conquer: decide which actions need the help of an external pair of hands. This is especially key for the legal documents which will need to be created or updated. A simple Google search will already suggest a few excellent GDPR experts.
- Audit your data: map how you currently collect and store data. Where is all your contact information currently stored? How did you collect it, and for which purposes are you currently using it? Your data management process is crucial. But there’s good news: cloud and SaaS technology with the most up-to-date security settings can help you with this, as it offers numerous possibilities to store your data securely in one location in the cloud.
- Inform your own customers: the best way to be transparent about how your company processes personal data is to update your privacy declaration. This is an obligation for data controllers (i.e. the entity that determines the purposes and means of processing personal data). Furthermore, you can also prepare a detailed email to explain the GDPR to your customers, with a link to your updated privacy declaration.
What should your privacy declaration contain? It must at least make reference to the GDPR and contain information about: which personal data is collected, how it is collected, the purpose of processing, the data retention period, the rights of the data subject, your complaint procedure, data transfer process to third parties, etc.