20 Nov The GDPR and you – don’t panic
Introducing the GDPR
On the 25th of May 2018, the EU will be implementing a new law that will affect what your small business needs to do to protect your clients’ personal information. The GDPR will come into force before Brexit, replacing existing regulations such as the UK Data Protection Act. These new requirements will stay in effect after Britain leaves the EU, and the government is in the process of passing a Bill that will bring our domestic laws in line with those of the GDPR.
The Regulation also applies to any business holding personal data on EU citizens, so you need to be aware of the changes even if you’re based outside of the EU. Compliance is mandatory and there are heavy fines for those who fail to abide by the new measures.
Coping with the GDPR is easier if you keep in mind what it’s all about – doing everything you can to prevent data breaches. We’ve all heard the stories about multi-national corporations who have been hacked, leaking sensitive personal information about their clients. The GDPR is the EU’s attempt to make companies more vigilant in protecting that data.
What it all Means
The purpose of the new law is to protect the personal information that you gather about your clients. This is basically anything that can be used to identify someone, and includes any genetic, mental, economic, cultural or social markers. That covers things like race, ethnicity, physical characteristics and earnings, along with more basic information like phone numbers and email addresses. The whole point is to reduce the amount of personal information you store, and to make sure you only keep it for as long as you need to.
These are the main points you’ll want to keep in mind when preparing for compliance:
- Personal information goes far beyond names and addresses. It now includes genetic data, political opinions, sexual orientation, and web data like cookies and RFID tags. If you collect anything at all that could be used to identify an individual, you need to take stringent measures to protect that data.
- You will need parental consent if you collect any data on children under the age of 16. This may also be lowered in the future to children under the age of 13.
- You must have consent to collect and process personal information. The document you use to get that consent has to be clear and easy to understand. The client must know what they’re agreeing to.
- Your clients have a right to be “forgotten”. In other words, to be deleted from your database. They also have the right to ask for any information you hold on them to be “portable”, meaning you must be able to give it to them in the format of their choice, or transfer it to another business at their request.
- To stay on the right side of the Regulation you should only collect personal information that you actually need, use due diligence in protecting it, and delete sensitive data as soon as you don’t need it anymore.
- You need to be very careful about international data transfers. There are risks involved in sending data to countries that aren’t part of the EU, so if you use these countries to process your data, then you’ll need to be very familiar with the regulations that govern this practice.
- Businesses which simply process data, rather than collect data, will be equally responsible for any breaches of privacy. If you process data that was collected by someone else, then your contracts with the provider need to clearly spell out responsibilities, obligations, and shared liabilities. The reverse is also true. If you collect data and use a data processor (like a cloud provider), then your business could be equally subject to penalties if the processor gets breached. In short, who is responsible for what needs to be even more clearly laid out when you enter into these types of agreements.
- Moving forward, all systems and processes must adhere to “privacy by design.” This simply means that you need to consider your client’s privacy right from the start, in everything that you do. Only collect the amount of information you need to serve your purpose, and have a built-in method of destroying it when you’re done.
- The good news is that the GDPR applies to all 28 member-states of the EU, so you only have one regulation to deal with for all things relating to data security.
- Most small businesses won’t have to worry about appointing an official Data Protection Officer (DPO). As long as your core business activity isn’t data processing, you’re probably alright. That being said, it’s still a sensible idea to have someone in your organization who is responsible for monitoring the security of your data and up to speed on the regulations.
- If your business centres on data processing, you must appoint a DPO. This is the person who will liaise with the member countries in the event of a breach. They can be anyone with an “expert knowledge of data protection laws and practices.” The Officer is also responsible for making sure you’re compliant with the Regulation, and will be required to conduct privacy impact assessments if your business is processing higher-risk data.
- If your database is hacked or breached in some way, you must report the incident to the regulator within 72 hours. In addition, you must notify any affected clients if the “data breach is likely to result in a high risk to the(ir) rights and freedoms.” This is the requirement that is perhaps having the most impact on how big businesses operate. Most have traditionally required a much longer timeframe to analyse the breach, engage in damage control, and eventually advise those affected.
How do I Make Sure I’m Compliant?
If you own a small business, don’t share your data with anyone, and have taken reasonable measures to keep it secure, you’re likely already in compliance with the GDPR. If you’ve never really thought about the personal data you collect, and how to keep it safe from hackers, now’s the time to give it your full attention.
Tips for Compliance
- Start by figuring out exactly where you store the personal information you hold on your clients. Where are the databases and who has access to them? This is a good time to do a clean-up, deleting any entries and details that are no longer active or required. Keep only the personal client information that you actually need to run your business.
- Next, you’ll want to do a thorough review of what measures you have in place to protect your data. The GDPR stipulates that all businesses must implement a “reasonable level of protection”, but it doesn’t define what that really means. Err on the side of caution. Do you have adequate firewalls and security software? Do you need to consult a digital security specialist to make sure you’re doing all you can to protect your data from hackers?
- Do a dry-run of how your business would respond if there was ever a data breach. How would you know? Who would you call? How would you shut it down? If you prepare for the worst, you’ll know exactly what to do in an emergency and be fully compliant with the GDPR reporting requirements.
By all accounts, preparing for the GDPR is causing some major headaches for (and hitting the pockets of) more than a few big multi-nationals. With a maximum fine of 20 million euros for non-compliance, and a 72-hour deadline to report a breach, many are struggling to get their systems hack-proof by May 2018. For most small business owners, however, the impact will be negligible unless you’re in the business of data processing.
Exercise common sense when it comes to asking for personal information, respect the privacy rights of your clients, and don’t be sloppy about digital security. These are three rules to live by – regardless of the GDPR, which is essentially just a law that compels businesses to engage in sound practices when it comes to personal data.