The General Data Protection Regulation, better known as GDPR, is one of the most significant changes in data protection legislation to come into force in the last 20 years. The legislation was 4 years in the making and was adopted by the European Union in April 2016. From this date, the EU gave businesses 2 years to implement the legislation before enforcement began on 25th May 2018.
What is the General Data Protection Regulation?
The GDPR will replace the European Union's Data Protection Directive, which has been in place since the late 1990s. This directive covered the control of citizens' personal data. As it was put in place before the advances in internet and cloud technology, it did not take into account the growing exploitation of a person's data through these means.
The GDPR is a regulation, meaning it applies uniformly in national legislation across all 27 EU member states. As it applies to all EU member states, it also applies to all organisations conducting business with individuals within EU countries.
This regulation gives people significantly stronger rights over the information businesses hold about them. From 25th May 2018, they have the right to:
- Know if a company is holding personal data.
- Access a copy of the personal data held by a company.
- Change or update their personal information held by a company.
- Prevent a business from using their personal data.
- Be forgotten.
Fines For Non-Compliance
Failure to comply with the GDPR requirements can result in significant financial loss for a business, business disruption and damage to the business's reputation.
In terms of fines, there are two tiers outlined below.
- €10 million or 2% of annual global turnover for lower offences.
- €20 million or 4% of annual global turnover for severe offences.
What is Personal Data?
Within the GDPR, personal data is defined as any information relating to an identified or identifiable natural person.
The full GDPR definition of an identifiable person, and hence of personal data, reads as follows:
“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.”
What does Personal Data Include?
Personal data includes any information that an individual can be identified from. This includes:
- Email Address (Personal and Business)
- Phone Number (Personal and Business)
- IP Addresses
- Website Cookies (Record of Website Visits)
- Application Forms
- CCTV Footage
- Recorded Telephone Calls
- Employment Files
- Financial Information
- Biometric Data
- Genetic Data
All businesses, irrespective of size, need to start gaining an understanding of the personal information or data they hold on individuals, as outlined by GDPR legislation.
What does my small business need to do to comply with the GDPR?
Small and medium-sized businesses need to be accountable for, and transparent about, the data they collect.
Accountability is a major part of GDPR legislation. SMEs must be able to prove they are complying, and making every attempt to comply, with the regulations. Small and medium businesses must also notify the regulators and all affected customers of any major data breach within 72 hours of the breach occurring.
Transparency is another major part of GDPR compliance. Businesses, whether small or large, must get consent from customers to use any data they collect. The data collected must only be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes". For example, if a business collects consumer email addresses for email marketing, it must explicitly state what it will send the customer, allow customers to unsubscribe (the right to be forgotten), let customers see what personal data it stores about them, and not use that data for any other purpose within the business.
Under Article 30 of the General Data Protection Regulation, small and medium-sized enterprises (SMEs) are recognised as being different from large corporations. With this in mind, SMEs with fewer than 250 employees that do not collect a large amount of personal data are exempt from a number of obligations.
- SMEs are exempt from hiring a full-time Data Protection Officer (DPO).
- SMEs don’t have to keep a formal record of how the company processes personal data.
- SMEs don't have to report minor data breaches as long as there is no risk to the rights of the individuals involved.