The General Data Protection Regulation is a set of regulations in European Union law that was put forward in 2016 and was implemented in May 2018. In this article, I want to tell you about the implications of GDPR for businesses.
Here are the 55 things business owners should know about GDPR:
- What is GDPR? It is a set of regulations in European Union law that is concerned with personal data management.
- What are the principles of GDPR?
a) Giving individuals within the EU more control over their personal data;
b) Introducing a single, unified regulation for all businesses inside the Union (as well as some outside).
- When was GDPR proposed and implemented? It was first proposed in 2012 and implemented in 2018.
- Why was GDPR introduced? It was introduced as a means to deal with the rapid technological changes that are altering the way we handle personal information, as well as to standardize personal data regulations across the EU.
- What is the right to access? This gives data subjects the right to obtain a copy of their personal data and other supplementary information.
- What is the right to be forgotten? This is a data subject’s right to withdraw their consent to the use of their personal data.
- What is the right to data portability? This is a data subject’s right to transfer their data between services.
- What is the right to be informed? This is a data subject’s right to be informed prior to their data being gathered.
- What is the right to have information corrected? This is a data subject’s right to have their data updated if it is obsolete, incomplete or incorrect.
- What is the right to restrict processing? This is a data subject’s right to prevent their data from being processed.
- What is the right to object? This is a data subject’s right to stop the processing of their data.
- What is the right to be notified? This is a data subject’s right to be informed within 72 hours in the case of a data breach which affects them.
- Does GDPR apply to my business? GDPR applies to all businesses that sell goods and services to individuals within the EU.
- What is the difference between a regulation and a directive? A regulation, in this case, is a legal EU act that becomes law once it is implemented and affects all member states equally. Directives, on the other hand, need to be translated into national law.
- What if my company missed the GDPR deadline? Then you had better act quickly if you want to avoid a steep fine! You may be relieved to know that approximately 27% of EU businesses still have not fully complied with the guidelines.
- Does GDPR bring advantages to my business? It brings more trust between your company and your clients, and trust is an essential component of a business.
- What are GDPR guidelines in relation to children? The GDPR sets the age at which children can legally give consent to their data being processed at 16 years.
- What are GDPR guidelines in relation to data breaches? The GDPR introduces a responsibility on the part of companies to report a data breach to the Information Commissioner’s Office (ICO) and to the individuals involved.
- What if I employ less than 250 people? Unfortunately, GDPR still applies to your business in this case!
- What constitutes personal data? Personal data is defined as “any information related to a person that can be used to identify that person”. It covers pretty much anything.
- Who does GDPR apply to? It applies to all organizations that are registered in or have a subsidiary in the EU, as well as ones that sell goods and services to individuals inside the EU.
- What are the parties involved in GDPR? There are three: data controllers, data processors and data subjects.
- What are the penalties for not complying with GDPR regulations? The penalties are steep: either 4% of your company’s annual revenue or up to 20 million euros, whichever is higher.
- Who actually issues the monetary penalties for non-compliance? The supervisory authority concerned with handling the matter. This depends on where your business is located.
- What is a supervisory authority? Supervisory authorities (SA) are bodies within the EU tasked with hearing and investigating complaints, sanctioning offences, etc. related to GDPR.
- What is a data protection officer? A data protection officer (DPO) is someone you may need to hire who will be responsible for data protection in your company.
- Do I need a DPO? You will only need to hire a DPO if your company processes high volumes of personal data. Despite this, it is advisable to have someone responsible for data protection in your company, even if they are a contractor.
- Are there instances in which GDPR does not apply? Yes, there are. GDPR does not apply to activities concerning the national security of a member state or the Union at large; to the personal data of a deceased person; in the course of an activity outside the scope of EU law; or to the processing of personal data by a person in the course of a purely personal or household activity with no connection to professional or commercial activity.
- How can I train my employees accordingly? You should train your employees to identify a data breach effectively and put measures in place to ensure that the correct steps will be taken if one happens. Make sure there is a clear line of communication between employees and DPOs or contractors.
- What constitutes large-scale data processing? The GDPR does not fully define this yet, although some examples have been given, such as hospitals, transport services, and insurance companies.
- What is the definition of consent under GDPR? Consent must be presented clearly and separately from other policies on your website/communications. Essentially, it can no longer be hidden in the small print. Make it explicit!
- How do I get consent now? You get consent by making it clear that you are asking for it – inactivity can no longer be taken as confirmation of consent.
- When can a data subject withdraw consent? Data subjects can withdraw their consent at any given time.
- What type of data does GDPR legislation apply to? GDPR legislation applies to personal data.
- How do I know if data qualify as ‘sensitive’? You must gain a good understanding of different types of data and what they entail.
- What is the difference between GDPR and the DPA? GDPR is much stricter than the DPA. My advice to you is to get up to speed with the former regardless of whether you are up to date with the latter.
- Am I a data controller or data processor? A data controller is a data processor that decides the purpose of the data processing activity. A data processor is involved with the storing, collecting, recording, organizing, etc. of data.
- What if I am not inside the EU? If you sell goods and services to individuals within the EU you will still need to comply with GDPR.
- Does Brexit affect GDPR in any way? So far it seems that Brexit will not affect GDPR, although changes may occur. For now, I would avoid taking any risks.
- What if my company does not charge for the services we offer? You will still need to comply with GDPR, unfortunately.
- What if my company processes personal data manually? GDPR still applies in this case.
- Do I need to ensure myself that my suppliers comply with GDPR? Yes, you do. It is important that you take them into account when ensuring GDPR compliance.
- How do I gain consent from my customers to use their data? You need to be explicit with your customers – GDPR is stricter than previous personal data regulation and requires that you clearly gain data subjects’ consent before you process their information.
- Do I need to update my business’ security measures? This depends, although you probably do if you have not yet ensured GDPR compliance. Broad use of encryption may be useful to minimize the chance of a fine in the case of a breach.
- How long do I have in order to deal with access requests? You will have a one-month time frame in order to deal with access requests.
- Does my company need to register under GDPR? If you needed to register under the DPA in 1998, you will probably need to register under GDPR as well.
- Do I need to check my supply chain? Yes, you need to ensure that all suppliers and contractors are compliant with GDPR.
- What about old data? One of the principles of GDPR is that a company should not hold on to personal data for longer than is required or for reasons that data subjects are not aware of. Therefore, you may want to consider what data you should or should not hold on to.
- Should I map my company’s data? Yes, this will make GDPR compliance much easier, as you will know the provenance of all personal data in your business and what is being done with it. It will also be good for your relationship with your clients.
- How can I know which data I need to keep? Try not to keep more personal data than necessary; remove data your company is not using. GDPR encourages businesses to use their data in a more disciplined manner.
- What are some criticisms of GDPR? GDPR regulations have been criticised for being unclear at times; as well as disproportionately affecting small businesses with burdensome costs and measures.
- Does GDPR disproportionately affect small businesses? A strong case could be made for this claim, yes. Although it is a beneficial development, it is an expensive one too. Trust is a costly business.
- What if my business cannot afford to comply with GDPR measures? This is unfortunate, but you need to make sure that your business is compliant. Although a considerable number of companies still do not comply, don’t sit and wait for too long before a fine comes around.
- What is the total cost of complying with GDPR for EU companies? The total cost of complying with GDPR for EU companies has been estimated at 200 billion euros.
- Is data the most valuable currency in the world right now? This may well be the case.
I hope this list was useful and that you can now make the necessary changes to your company in light of these developments. Good luck!