GDPR has been all over the news recently, as companies of all size scrabble to make sure they are ready for the new regulations.
The new rules are set too come into force on May 25th 2018, meaning your business only has a few more days to ensure it is compliant.
But what exactly does GDPR entail? Here’s our guide to everything you need to know.
What is GDPR?
The General Data Protection Regulation, or GDPR, (or EU Regulation 2016/679 if you want to be official) is one of the most significant and wide-ranging pieces of legislation ever passed.
Approved by the European Union in April 2016 and set to come into force in the UK on May 25th, 2018, GDPR looks to bring together several existing laws and regulations to harmonise rulings across the European Union.
Primarily, it replaces the UK’s 1984 Data Protection Act and the EU’s Data Protection Directive, which initially came into force in 1995, with new guidelines that are better adapted to the modern, technology-dominated world.
The main points of GDPR concern the privacy rights of everyday users and the data they create online, and will affect businesses of all sizes due to its effect on how they gather, store, and look after their data.
Under GDPR, companies will also need to give explicit notice when collecting the personal data of their customers. This will also mean that consent will need to be explicitly given, and that companies will have to thoroughly detail the exact purpose that this data will be used for.
This personal data will also need to be encrypted by default as part of a process known as pseudonymisation, meaning that it cannot be linked to a specific person without being accompanied by extra information.
Personal data applies to a wide range of information – effectively anything that could be used to directly or indirectly identify a person online. This could include names, email addresses, images, bank details, posts on social networking websites, medical information, or even a computer IP address.
Users will also have the right to know exactly what details a company or organisation holds about them, and also request that any of this information be deleted if they feel their rights to privacy are being infringed as part of the new “right to erasure”.
Companies that suffer data breaches, whether accidental or as part of a cyber-attack, will need to disclose this event to the relevant within 72 hours of it happening – although there is no requirement to notify users unless instructed.
Who does GDPR apply to?
Put simply, if your business offers goods or services to anyone living within the European Union, then GDPR will apply to you.
This means that companies outside of Europe will also need to ensure they are compliant with the rules, as they could also be subject to fines if found not to be up to speed.
If you have mailing lists for newsletters or promotions, and some of your prospects or customers are EU citizens, GDPR applies to you.
What do I need to do to be ready for GDPR?
As mentioned above, if you deal with customers within the EU, you’ll need to ensure that the way you gather, store and use their data is GDPR-compliant.
For starters, you’ll need to identify just exactly what data you currently own, and the means by which you acquired it. Many organisations may be unaware of the sheer mountain of information they own on their customers – much like their customers might be unaware how much info they have shared.
All the data will need to be properly secured to ensure it remains protected, so it is definitely worth instigating new policies to limit access to the most precious data to a few key team members.
You should also be frequently backing up your data, as under GDPR, customers are able to request to view exactly what information you have on them whenever they feel like it.
If your business carries out large-scale data practices, you will also need to appoint a Data Protection Officer (DPO).
A DPO will be able to take responsibility for much of the heavy lifting when it comes to GDPR, including overseeing compliance and data protection.
Lastly, you’ll need to ensure that all your employees are clued up about what exactly GDPR means. The rules aren’t just the prerogative of the IT department, but could affect everyone in your organisation.
What happens if I am not GDPR-ready?
GDPR is a huge deal, and as such, the punishments for not complying are significant.
Any organisation found to not be conforming to the new regulation after the May 25th deadline could face heavy fines, equivalent to four per cent of annual global turnover, or €20 million – whichever is greater.
It remains to be seen exactly how GDPR will be monitored, and if fines will be handed out to every company large and small.
For now, it seems that the best course of action is to prepare as much as you can.