With the biggest shake-up in data privacy and protection laws the EU has seen in the last 20 years fast approaching, it's time to get ready.
The General Data Protection Regulation (GDPR) is a significant piece of legislation that is going to impact every business that handles the private data of EU citizens.
Not only does this impact companies based in Europe, but ANY company worldwide that handles private data of European citizens will be affected.
It is a behemoth piece of legislation.
In typical EU fashion, the GDPR was finalized in 2016 after years of negotiations between the various EU member states and institutions. The GDPR builds upon the core principles of the EU Data Protection Directive and places a significant emphasis on business accountability and individual consent.
Here's the EU executive body's own summary of the GDPR objectives:
The objective of this new set of rules is to give citizens back control over their personal data, and to simplify the regulatory environment for business. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised. The reform will allow European citizens and businesses to fully benefit from the digital economy.
In English: The GDPR was designed to give power back to private citizens over how companies use their data. The right to be forgotten and the collection of consent are fundamental aspects of the GDPR. Companies will now need to obtain explicit consent from their customers to use their personal data.
With data breaches becoming increasingly common in recent years, the EU has decided to act to protect private individuals' data and to put more accountability on the businesses that either control or process that data.
Failure to comply could have consequences for your business
This is not scaremongering. One of the most discussed elements of the GDPR is the very sizable non-compliance fines that businesses could face.
If your company processes an individual’s data incorrectly, you can be fined. If you require a data protection officer (DPO) and don’t have one, you can be fined. If there’s a security breach, you bet your ass you can be fined.
Non-compliance penalties are serious. They will reach an upper limit of €20 million or 4% of annual global turnover, whichever is higher.
For many businesses, the threat of insolvency or even closure as a result of GDPR penalties will soon be all too real.
This will impact your business
If you have customers in the EU (paying or not), and you process or control their personal data, then this will impact your business.
Any company that is either a 'controller' or a 'processor' of personal data will need to be GDPR compliant.
Personal data broadly means any piece of information that can be used to identify an individual. This can be a name, address, IP address or any other piece of information that can identify a person.
What’s the difference between a data controller and processor?
A controller is an entity that decides the purpose and manner in which personal data is used, or will be used.
A processor is the person or group that processes the data on behalf of the controller. Processing is obtaining, recording, adapting or holding personal data.
You can be both.
3 Tips to help prepare for the GDPR
1. Research, research, research. #DYOR!
Nothing beats doing your own research. The good news is there are a lot of resources on the regulation; here are a few good places to start:
2. Nominate a GDPR “Specialist”
You might not need a DPO (Data Protection Officer). But it makes a lot of sense to nominate someone at your company to take ownership of this.
It's important to note that this project will be a cross-department effort with several stakeholders, so be sure to get the right people involved, as there are a lot of variables to take into consideration.
3. Get Started NOW!
The GDPR goes into full force 25th May 2018. Time is ticking.