The internet has spectacularly changed the way we communicate and how we deal with everyday tasks.
We send emails, we share documents, we pay bills and we buy products by entering our personal details all online, without the slightest hesitation.
Have you ever realized how much personal data you have shared online?
Or what happens to those shared details?
We’re talking about your banking information, contact details, addresses, social media posts, and even your IP address and the sites you’ve visited, all of which are stored digitally.
Companies tell you that they obtain these kinds of details so that they can provide you with better services, offer you more targeted and relevant communications, all to give you a better customer experience.
However, is that what they really use the data for?
That is the question the European Union (EU) asked and answered, and it is why, in May 2018, a new European privacy regulation called GDPR came into effect and permanently changed the way you, as a business, collect, store and use customer data.
In a study of more than 800 IT and business experts in charge of data privacy at companies with European customers, Dell and Dimension Research discovered that 80% of businesses know little or nothing about GDPR.
So, whether you’re in tech, travel or retail, or an entrepreneur, we explain what GDPR is, how it may affect your business and what you can do to get a handle on your data for GDPR. We've separated the primary concerns here to make them easier to understand.
The new European privacy regulation came into effect on May 25, 2018. GDPR is short for the General Data Protection Regulation. It is a European Union law, but its effects reach well beyond European borders, since US-based companies must follow the new rules when doing business within the EU. It is a wide-ranging regulation intended to protect the privacy of individuals in the European Union (EU) and give them control over how their personal information is handled, including how it’s collected, stored and used. It affects every organization on the planet that deals with personal data about people in the EU.
The objective of GDPR is not to penalize businesses, but to protect individuals' personal information and expand their rights. The new regulation is intended to harmonize the data protection laws of European countries and establish a single reference point for national data protection agencies and regulators. Having seen the recent high-profile data leaks around the world, governments will only make data protection laws stricter. To stay in business, European companies have to ensure GDPR compliance before the deadline.
The two core aims of GDPR are:
Although GDPR may seem daunting at first, many consider it a positive step forward for data protection. Some of the key areas GDPR covers are:
This involves your customers, employees, suppliers and all the other individuals you receive personal data from. And this personal data includes names, contact details, medical information, bank account details or credit card information and more.
You can collect personal data only if you have a lawful purpose for doing so. For example, you may need it for a sales contract, or your customer may have asked you to send them information about your products or services. In each case, you should state what the personal data will be used for – and use it for that purpose only.
You’re obligated to report certain kinds of data breach to the relevant supervisory authority.
In general, the regulation was introduced to make companies across the EU think seriously about data protection. But don't assume you can ignore it: GDPR comes with some fairly harsh penalties for those that do not adhere to the new rules. Moreover, individuals can sue you for compensation for both material damage and non-material damage, such as distress.
The GDPR strengthens the punishments already in effect under the Data Protection Act (DPA). These existing penalties include:
With the arrival of GDPR, these penalties became heavier.
Businesses in breach face a major increase in fines, with penalties reaching a maximum of €20 million or four percent of annual global turnover, whichever is higher.
Bankruptcy is a real risk for non-compliant businesses because of these fines. Keep in mind, too, that individuals can also sue you if they suffer material or non-material damage, such as distress, as a result of your data handling.
Better organization of your data has to begin with discovery. Under GDPR, every piece of personal information held by your business must be identifiable – even if it sits on a mobile device or in the cloud.
It is certainly a complex task, but one that must be done to ensure efficient handling of data in the future. Some businesses might think they can achieve compliance with a complex spreadsheet. However, that won’t help you discover the information you don’t know you have.
Technology can help, though. Solutions are now available that offer a thorough approach to data discovery. Properly applied, data discovery will usually surface data you didn't know you had.
Once you know where you hold individuals’ personal information, you can better monitor compliance and the processes involved in managing that information.
You will also be ready for Subject Access Requests (SARs) – a request under the DPA used by people who want a copy of the data a company holds about them – and for the 'right to be forgotten', which may require you to locate and delete all of an individual’s information.
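The discovery, inventory, SAR and erasure steps described above, as an added illustration that is not part of the original article and not any vendor's product: the two "data stores" are constructed sample files (fictitious names, example.org addresses, publicly documented IBAN test values), and the regex detectors are an assumed coarse first pass, not a complete classifier. The same pass that builds the inventory also answers a subject access request and evidences an erasure, which is why the three are shown together.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample data stores (not real records): a CRM export and a
# support-ticket log, the kind of files a discovery scan would walk.
SAMPLE_STORES = {
    "crm_export.csv": (
        "id,name,email,iban\n"
        "1,Anna Example,anna@example.org,DE89370400440532013000\n"
        "2,Ben Sample,ben@example.net,GB29NWBK60161331926819\n"
    ),
    "support_tickets.log": (
        "2018-06-01 ticket#41 from anna@example.org phone +49 30 1234567: invoice query\n"
        "2018-06-02 ticket#42 from carla@example.com: password reset\n"
        "2018-06-03 ticket#43 internal note: no personal data here\n"
    ),
}

# Assumed coarse detectors for categories the article names (contact details,
# bank details). Real discovery tooling adds structured parsing and validation
# (e.g. IBAN check digits) to cut false positives; these regexes are a first pass.
DETECTORS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
    "phone": re.compile(r"\+\d{1,3}(?:[ -]?\d{2,8}){2,4}"),
}


@dataclass(frozen=True)
class Finding:
    store: str      # which file / system the value was found in
    line_no: int    # 1-based line within that store
    category: str   # detector name
    value: str      # the matched personal data


def discover(stores: dict[str, str]) -> list[Finding]:
    """Walk every store line by line and record each personal-data hit."""
    findings: list[Finding] = []
    for store, content in stores.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            for category, pattern in DETECTORS.items():
                for match in pattern.finditer(line):
                    findings.append(Finding(store, line_no, category, match.group()))
    return findings


def inventory(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Per-store, per-category counts: the 'document what personal data you hold' record."""
    summary: dict[str, dict[str, int]] = {}
    for f in findings:
        per_store = summary.setdefault(f.store, {})
        per_store[f.category] = per_store.get(f.category, 0) + 1
    return summary


def subject_access(stores: dict[str, str], subject_email: str) -> dict[str, list[str]]:
    """Every line mentioning the subject: the raw material for a SAR response."""
    hits: dict[str, list[str]] = {}
    for store, content in stores.items():
        matching = [line for line in content.splitlines() if subject_email in line]
        if matching:
            hits[store] = matching
    return hits


def erase_subject(stores: dict[str, str], subject_email: str) -> tuple[dict[str, str], int]:
    """Right to be forgotten: copies of the stores without the subject's lines,
    plus the number of lines removed, so the erasure can be evidenced."""
    cleaned: dict[str, str] = {}
    removed = 0
    for store, content in stores.items():
        lines = content.splitlines()
        kept = [line for line in lines if subject_email not in line]
        removed += len(lines) - len(kept)
        cleaned[store] = "\n".join(kept) + ("\n" if kept else "")
    return cleaned, removed


if __name__ == "__main__":
    found = discover(SAMPLE_STORES)
    for store, counts in inventory(found).items():
        print(store, counts)
    print(subject_access(SAMPLE_STORES, "anna@example.org"))
    remaining, n = erase_subject(SAMPLE_STORES, "anna@example.org")
    print(f"removed {n} line(s); subject still present: "
          f"{bool(subject_access(remaining, 'anna@example.org'))}")
```

The inventory is what a spreadsheet cannot give you on its own: it is generated from the data, so a store nobody remembered to list still shows up. Re-running `discover` on the cleaned copies after an erasure is the check that the subject really is gone everywhere, which matters because the one-month SAR and erasure deadlines apply per request, not per system.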
Preparation is vital, but GDPR compliance is an ongoing task that requires attentive monitoring. Keeping track of the regulations and what they mean for your business matters. So don’t bury your head in the sand and wait for it to pass: GDPR has arrived, and it is here to stay.
Given the importance and transformative effect of GDPR on data protection regulation, and the fact that the law already applies in all EU member states, SMB ignorance of the topic remains surprisingly high.
Nonetheless, there are concrete steps you can take to align your internal processes and practices with the data protection rules.
And a great place to start is to explore the ICO's 12-step guide to preparing for GDPR.
Here are some highlights for SMBs:
Document what personal data you hold - Understand what personal data you hold, where it came from, what it was collected for, who you share it with, and whether it is still relevant and required for the purposes you collected it for.
Ensure you can respect citizens' data requests - Under GDPR, EU citizens can ask you to delete, change, or move their data to a different organization. Your processes and technology should make it possible to honour these requests within one month.
Establish a legal basis for processing personal data - Under GDPR, opt-out boxes are no longer sufficient. Instead, you must establish a legal basis for processing a citizen's personal data. If that basis is consent, it must be opt-in, and a citizen only authorizes processing of their data for a limited time and a narrowly defined purpose. Consent can also be withdrawn, so it's sensible to consider what other legal bases you could rely on to process information.
Prepare for data breaches - Make sure your processes make it possible to notify the data protection authority of a breach within 72 hours of becoming aware of it.
Appoint a data protection officer - A DPO is a key part of GDPR for companies carrying out extensive data processing. Appoint one sooner rather than later if the regulation requires your organization to fill this role.
Importantly, GDPR applies to all businesses and companies established in the EU, regardless of whether the data processing takes place in the EU or not. Companies established outside the EU are also subject to GDPR: if your business offers goods and/or services to citizens in the EU, it falls under GDPR.
And while GDPR does create difficulties and pain for us as businesses, it also creates opportunity. Businesses that show they value individuals’ privacy, that are transparent about how personal data is used, and that design and apply new and better ways of handling customer data throughout its life cycle build deeper trust and keep more loyal customers.