With our everyday lives becoming more reliant on technology, there is always a risk that our personal data may end up in the hands of criminals and hackers. Never before have companies been so aware of the importance of protecting the personal and sensitive data of their consumers and employees.
Many of our clients and business owners tell us that the upcoming EU General Data Protection Regulation (GDPR) looks, at first sight, confusing, time-consuming, complex and unclear. I am going to break it down in simple terms, not to patronise you, but because if, like me, you have found it complex and confusing, this may help you understand what is required of you as a business owner. So don't put it on the back burner any longer.
Let’s start with the basics – what is GDPR?
The General Data Protection Regulation is an EU regulation that comes into force on 25 May 2018; failure to comply by that date can result in heavy fines. After four years of preparation and debate, the GDPR was approved by the EU Parliament on 14 April 2016.
The EU General Data Protection Regulation (GDPR) was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.
The GDPR applies to both B2B and B2C organisations that conduct business within the EU, or with EU residents or companies. It gives EU citizens the right to ask any organisation how, where and what information it holds about them, and it holds organisations responsible for managing that data.
What does this mean for you?
It means that your business is responsible for demonstrating its compliance: reviewing your data privacy procedures so that they are in line with the GDPR, and showing evidence that, as a company, you have done everything in your power to protect your own and your clients' data. Compiling a data protection policy forms part of this. There is no certificate to acknowledge your compliance, but failure to protect data or to comply with the regulation could leave you paying large fines.
How you do this will vary from company to company. If you handle a vast amount of data with many different agencies, it will be more complex, and you will need to cover each of those areas in the data protection policy. You may need to invest in professional advice to ensure compliance.
The regulation gives supervisory authorities the power to punish companies that do not adhere to it. For instance, if a client or individual asks to be removed from your call or email list, failing to do so and to update your records without undue delay may result in a large fine. As for the data other companies hold about your business: it is assumed that the larger the company (measured by turnover), the more likely it is to be compliant in respect of the data it holds about you or your organisation, and a copy of its privacy notice must be made available by it for viewing.
Be careful about relying on consent. Under the GDPR, consent must be freely given, specific, informed and unambiguous, so handing over a business card or publishing your contact details in an advert is not, by itself, consent to be contacted or an 'opt-in' in the GDPR sense. For business-to-business contact you will usually need to rely on another lawful basis, such as legitimate interests, and record why that basis applies.
You will need to seek professional advice in order to meet your company’s requirements.
Do I need to comply, even when the UK exits the EU?
The answer is yes. When the regulation comes into force in May 2018 the UK will still be part of the EU. The GDPR applies not only to organisations located within the EU, but also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, EU data subjects. In other words, it applies to every company processing or holding the personal data of people residing in the European Union, regardless of where the company is located.
The EU guidance states that if you process data about individuals in the course of selling goods or services to citizens in other EU countries, you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit.
If your company trades only within the UK, the position post-Brexit has yet to be decided. The UK Government has indicated that it will implement equivalent or alternative legislation, and any such legislation is expected to follow the GDPR closely.
To simplify: if your company trades with, handles or shares the personal or sensitive data of anyone who lives or works within the EU, including the UK, you need to put in place a data protection policy and adhere to the GDPR, even after the UK leaves the EU. If you are unsure, put together or revise your current data protection procedures and do some research to ensure compliance.
“I own a small business in the catering and hospitality sector, we have around eight staff and were unsure if we needed to comply, so I covered my back. I put together a one-page statement to all my staff, alerting them to our procedures, the handling of their data and what their responsibilities are when handling customer data in terms of credit card transactions, the disposal of card receipts and lost credit cards, as well as the handling of CVs that we regularly get. I got all staff to read and sign that they give permission for me to handle their data and to confirm which agencies their data would be shared with, i.e. HMRC, PAYE and our pension contribution provider. I also allocated myself as designated Data Protection Officer (DPO), although I didn’t need to allocate a DPO according to the guidelines, but I felt the staff needed to know who the responsibility fell on and where they could go to discuss concerns. We do not trade within the EU, but some of our customers and employees are from Europe, so I felt the need to review our procedures. It didn’t take long and I felt we owed it to our employees and customers to ensure we follow procedures to protect their personal data” – Restaurant owner, Norwich*
* Not all small companies have the funds and means to get expert advice. I am not suggesting you do this and it is your responsibility to seek the correct information based on your company’s requirements.
Does my business need to appoint a Data Protection Officer (DPO)?
The EU website states that “DPOs must be appointed in the case of: (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data (Art. 37). If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.”
What are the penalties for non-compliance?
Fines follow a two-tier approach.
Lower tier: up to €10 million or 2% of annual global turnover of the previous financial year, whichever is higher. This tier covers breaches of controller and processor obligations, for instance not keeping records of processing in order (Article 30), not notifying the supervisory authority and the data subjects about a breach, or not conducting a data protection impact assessment where one is required.
Higher tier: up to €20 million or 4% of annual global turnover of the previous financial year, whichever is higher. This tier covers the most serious breaches, such as processing without a valid lawful basis (for example without sufficient customer consent), violating the basic principles for processing, or infringing data subjects' rights and freedoms.
Data protection policy – what to consider
What constitutes personal data?
Personal data means data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual. Ref: ico.org.uk (definition from the Data Protection Act 1998). The GDPR definition (Article 4(1)) is broader and expressly includes identifiers such as a name, an identification number, location data and online identifiers, so treat customer account IDs, device identifiers and similar values as personal data too.
The golden rules of GDPR
The four V’s
Volume: How much data do you, as a company, actually hold, and of what type, i.e. email/household address, names, titles, bank account details? Do you need to hold certain information? Try to hold as little as possible.
Velocity: Does your data move around a lot, and could it get lost in transit?
Value: How valuable is the data? Could it be valuable to someone else?
Variety: What different types of data do you hold?
What my policy should include
The data protection policy should specifically include the following key elements:
- Topics covered by the policy;
- Reasons why the policy is needed;
- Contacts and responsibilities – name the person responsible for data protection in your business; a formal Data Protection Officer is only mandatory where Article 37 applies (see above), but someone must still own the policy and be the point of contact for staff and customers.
- How to handle violations. Breach notification: a personal data breach must be reported to the supervisory authority (the ICO in the UK) within 72 hours of first becoming aware of it where feasible, unless the breach is unlikely to result in a risk to individuals; where the risk to individuals is high, the affected individuals must also be told without undue delay. Data processors must notify their customers, the controllers, "without undue delay" after first becoming aware of a data breach.
- Evidence that your business is capable of implementing and enforcing data protection, for example security controls such as encryption of all laptops, phones and removable media.
- Evidence that your procedures are concise and easy to understand.
- The ability to balance protection with productivity.
- Right of access/Subject Access Request – any individual has the right to make a 'Subject Access Request', created by section 7 of the Data Protection Act 1998 and carried forward as Article 15 of the GDPR. This allows them to obtain a copy of the information an organisation holds about them. The individual must be told whether any personal data about them is being processed; given a description of that personal data, the reasons why it is being processed and whether it will be given to any other persons or organisations; and then given a copy of the information and details of the source of the data. Under the GDPR the response is normally due within one month and free of charge. Failure to respond properly is considered a breach of the GDPR.
- Right to be forgotten/data erasure (Article 17) – the right of data subjects to have their data removed on request, and to prevent further use of the data by third parties, once it is no longer needed for the original purposes of processing or the data subject withdraws consent.
For expert advice on GDPR visit ico.org.uk.
Research Runner are a global sales consultancy, specialists in lead generation and sales training. For more information on how to increase your sales pipelines, please visit www.research-runner.com or call us on +44 (0)1279 260 031.