EU legislation is often neither the most exciting nor the most relevant topic in our business lives. Much of it dictates the specifics of trade, controls safe manufacturing or covers other broad topics. However, from time to time a significant regulation comes along that matters not only to a specific subset of businesses but to almost every business currently operating around the globe.
One such piece of legislation is the General Data Protection Regulation (GDPR), a new set of regulations set to come into effect on the 25th of May, 2018, that is specifically designed to protect consumers in an age of always-on, ever-present internet usage.
Now, you might hear phrases like ‘data protection’ and ‘internet usage’ and consider this a matter for your IT department, but the reality is that the GDPR is a subject that needs to be engaged with at the very highest levels of business, with the very real threat of non-compliance fines up to €20,000,000 or 4% of an organisation’s total global revenues. Here are the most important facts you need to know:
This article expresses the sole opinion of the author. Although the article is carefully researched, neither the author nor themanager.org accept any responsibility for its completeness and correctness. This article is intended to give an overview on the upcoming legal changes. It is not intended to be a substitute for legal or professional advice.
What is the GDPR?
The GDPR is the General Data Protection Regulation, a sweeping set of rules for protecting personal data of all EU residents and visitors. These new regulations are designed to completely replace the 1995 Data Protection Directive and any data privacy laws which have been passed by EU member states.
With internet usage at an all-time high, new sets of privacy issues have emerged, including weak data protection, digital permanence and more. As such, the new regulations set out to address these concerns, adding baseline requirements for ensuring personal data protection, ensuring that individuals have the right to access, erase, correct or move their personal data and standardise the application of these rules across the entirety of the EU.
As expected with legislation, this Regulation goes into great detail on how businesses are expected to approach the collection, use and storage of personal data of EU residents. The GDPR calls these individuals data subjects, while it also makes a distinction between data controllers – entities that determine the purposes and means of processing personal data – and data processors – entities which actually process the data on behalf of data controllers.
The full document is available on the EUR-Lex website.
Which businesses does it affect?
All this talk of ‘EU’ might have you breathing a sigh of relief. After all, if you’re not an EU-based company, you’ve got nothing to worry about – right? Wrong.
The GDPR applies to your business regardless of your home nation if you process any data from anyone who either lives in the EU or is travelling there. In practice, that means that almost every business in the world will have to comply with the GDPR or risk fines up to €20,000,000 or 4% of an organisation’s total global revenues.
Every business that operates a website or a profile on any social media network is potentially affected, since it cannot be sure that its online presence is not visited by EU citizens. Websites almost inevitably collect and store personal data from their visitors, such as IP addresses, or, for instance, set cookies.
In the UK, the fate of the GDPR is unclear with the forthcoming ‘Brexit’ negotiations. However, the Government have signalled their intention to implement a GDPR equivalent following Brexit, which will form an effective link between the UK’s data processing businesses and their EU counterparts.
What will your business need to do?
Becoming compliant with GDPR requires some significant steps. These include, among others:
- Appointing a suitably competent director to be accountable for compliance (for businesses that frequently employ 10 or more persons for processing personal data).
- Ensuring that any and all data you collect is confidential, accurate, backed-up and encrypted for security. You should also be able to produce this data when requested.
- Checking the compliance of your suppliers; failing to do so can itself result in non-compliance.
- Ensuring that all of your customers have opted in to their data being stored. Simply failing to object to their data being stored is no longer enough under the new rules.
- Reporting any data breaches to the ICO (the UK's Information Commissioner's Office) within 72 hours of the breach.
- Explaining to customers what data you’re collecting, how you’re storing it, how long you’re holding it for and how your users can withdraw their consent and (crucially) their data.
- Making customer data available to customers upon their request, ensuring these requests are turned around quickly.
Businesses should also check whether their online marketing practices are still in compliance with the GDPR.
A prominent example is the collection of email addresses for newsletter mailing lists. The popular practice of offering a so-called lead magnet – a free piece of useful information like a checklist or mini-ebook – in exchange for the visitor's email address is no longer legal under the GDPR. Everybody who is added to a mailing list has to explicitly agree to this. That means that businesses have to use the double opt-in procedure, which requires prospects not only to fill in the subscription form but also to click an additional confirmation link in a subsequent email. All subscription forms have to state clearly what the subscriber will receive with the newsletter. As an example: if businesses promote their products and services to their mailing list, it is no longer sufficient to write something like “Subscribe for updates”.
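As an added illustration (not code from the article or any real product), here is a minimal double opt-in flow in Python: submitting the form only records a pending request together with the exact consent text the form displayed, and the subscription comes into existence only when the unguessable, single-use, time-limited token from the confirmation email is presented. The class and function names, the 48-hour expiry and the in-memory store are assumptions made for this example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumption for this example: confirmation links expire after 48 hours.
TOKEN_TTL_SECONDS = 48 * 3600


@dataclass
class Subscription:
    email: str
    consent_text: str          # exactly what the form promised the subscriber
    requested_at: float        # when the form was submitted
    confirmed_at: Optional[float] = None   # when the confirmation link was clicked


class MailingList:
    """In-memory double opt-in store (constructed for illustration only)."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._pending: Dict[str, Subscription] = {}      # keyed by token
        self.subscribers: Dict[str, Subscription] = {}   # keyed by email

    def request(self, email: str, consent_text: str) -> str:
        """Step 1: the form submission. Creates no subscription, only a pending request."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness: not guessable
        self._pending[token] = Subscription(email, consent_text, self._now())
        return token   # the caller embeds this in the link mailed to `email`

    def confirm(self, token: str) -> bool:
        """Step 2: the confirmation click. Only now is consent recorded."""
        sub = self._pending.pop(token, None)   # pop makes the token single-use
        if sub is None:
            return False                        # unknown or already used token
        if self._now() - sub.requested_at > TOKEN_TTL_SECONDS:
            return False                        # expired: the prospect must subscribe again
        sub.confirmed_at = self._now()
        self.subscribers[sub.email] = sub       # the consent record: what, requested when, confirmed when
        return True

    def withdraw(self, email: str) -> bool:
        """Consent can be withdrawn at any time; the record is removed with it."""
        return self.subscribers.pop(email, None) is not None
```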
In addition, websites now need to have a data protection statement which complies with the requirements of the GDPR.