GDPR: four letters that you'll hear more and more over the next few months.
You probably know that the EU's General Data Protection Regulation constitutes a dramatic change to the way businesses must handle and process personal data - and it applies from 25 May 2018.
But beyond that, most people scratch their heads. Here are five things you should know.
1. It's got three aims
At its core, GDPR is really quite simple. Its three aims are:
- To unify and strengthen the protection of personal data for individuals in the EU (the rules apply to people in the EU regardless of their citizenship)
- To give those individuals greater control over how their data is stored and used
- To control how personal data is exported outside the EU
Everything about GDPR boils down to these three guiding principles. Understanding how your business can fulfill these aims is the first step to compliance.
Personal data can be anything from name and address to social media posts, and it extends to race, religion, genetic and biometric data - which GDPR treats as special categories that may only be processed under stricter conditions. Making sure businesses use the personal data that they possess in the right way is the crux of GDPR.
2. It's tougher than the rest
GDPR replaces older legislation like the EU's Data Protection Directive or the UK's Data Protection Act and goes beyond them in a few important ways:
- Unlike a directive, it's directly binding in every member state - so if your business is based in the EU, or offers goods or services to people in the EU or monitors their behaviour, you will have to comply from 25 May 2018
- It harmonises various sets of legislation into a single framework
- It includes export of personal data beyond, as well as within, the EU
In short, there's no way of avoiding it and it has potentially worldwide reach. On the flip side, a single legislative framework simplifies compliance: nail GDPR, and your business has a compliant data management system that will build customer trust, strengthen reputation and image, and dodge financial penalties. Which brings us to the third point...
3. It's got teeth
GDPR packs a serious financial punch for businesses found to be in non-compliance after 25 May 2018. Fines of up to €20m (£17.56m) or 4% of annual worldwide turnover, whichever is greater, can be slapped on companies not managing personal data properly. Personal data must be:
- Processed lawfully, fairly and transparently
- Collected for specified, legitimate purposes and not used in ways incompatible with them
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Kept in identifiable form no longer than necessary
- Protected against unauthorised processing, loss, destruction or damage (integrity and confidentiality)
If your business isn't complying with any of this, plan how to change it before 25 May - and be ready to demonstrate that compliance, because accountability is a principle in its own right.
Some key steps to take include:
- Creating detailed records of your data processing
- Documenting your data policies and procedures
- Training and informing staff about GDPR
We know how it is. You want to focus on the long term, but those short-term tasks stack up, get in the way and take up time. Trust us: setting aside some time for creating and actioning a plan now is the best approach to avoid nasty surprises further down the line.
4. It will affect your business... even after Brexit
Every business with ties to the EU will be affected by GDPR. Yes, that includes British businesses after the scheduled Brexit date of 29 March 2019.
The Queen's Speech in June 2017 highlighted the fact that GDPR, or something broadly identical to it, will remain in force once the UK leaves the European Union - so complying with GDPR is just as important for British businesses as those on the continent.
5. It affects everyone
The data protection officer (DPO) - mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data, and a sensible appointment for many others - will be the main gatekeeper of GDPR, with tasks like monitoring compliance, cooperating with data protection authorities, and informing and auditing colleagues. But responsibility for data and information security compliance in a business falls on everyone. Let's take a look:
- Marketing teams must have a lawful basis for sending marketing to individuals - typically freely given, specific, recorded consent that can be withdrawn as easily as it was given
- IT teams must put appropriate technical and organisational security measures in place - and report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk
- Customer account teams must make sure customer data is secure and relevant
- HR must safeguard employee information
- And so on!
Data touches all parts of a business. So getting questions answered, gathering information and putting together an action plan for GDPR compliance is absolutely vital.
What you should do now
GDPR will be the biggest overhaul of data protection regulation in twenty years - so get prepared.
Download our free GDPR toolkit for more information and guidance.