It seems those four letters are being thrown around all over the place: GDPR. But do you really know what it means, and how it affects you? No matter where in the world your business is based, if you hold any information about an EU citizen, it’s time to read up.
Please Note: although I’ve read up a lot on the GDPR, this article shouldn’t substitute legal advice. If there’s anything you’re unsure of, it’s best to get it checked over.
What the Hell is GDPR?
The General Data Protection Regulation (GDPR) is a new set of rules that come into force on 25 May 2018. We live in an age where personal data is increasingly valuable and the GDPR aims to protect all EU citizens from privacy and data breaches. Unlike with previous legislation, this doesn’t only apply if your business is based within the EU. Any company that holds personal data from an EU citizen must comply with the new regulations.
How Does it Affect Me?
Most small businesses hold some kind of personal data. Even if you are a solopreneur, chances are you at least have an email list. This includes names, email addresses and sometimes even more information, i.e. personal data. Now, if you have this data, I’m hoping you already know the importance of keeping it secure. The GDPR simply changes a few things about how you handle this data.
Whether you are a ‘controller’ or a ‘processor’, you should know about the changes. The ‘controller’ is the person that holds the data, and determines its purpose, for example a business owner with an email list. The ‘processor’ is the person that processes the data on behalf of the controller, for example a virtual assistant that sends out the emails. Of course, the ‘controller’ and the ‘processor’ can be the same person.
What Are the Changes?
There are many changes to the new regulations, but these are the main ones that you should be aware of, as a business owner.
Increased Territorial Scope
This is probably the biggest change that everyone should be aware of. Like I said before, regardless of location, all businesses that hold data on an EU citizen must comply with the new regulation. Previous territorial applicability was ambiguous, meaning that data breaches were hard to police. GDPR makes it very clear. It will apply to the processing of personal data in the EU, regardless of whether the processing takes place in the EU or not. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
Penalties
Many people have heard the figure €20 million being thrown around and panicked. Don’t do that just yet; this doesn’t mean that, if you’re not compliant by 25 May, you’re going to be caught and fined. Companies can be fined up to €20 million or 4% of their turnover – whichever is greater – but this is reserved for the most serious infringements, e.g. not having sufficient customer consent to process data, or violating the core of Privacy by Design concepts. There is a tiered approach to these fines, and they apply to both ‘controllers’ and ‘processors’.
Consent
Companies can no longer use long, complex terms and conditions and privacy statements. All requests for consent must be clear and concise, and the purpose for data processing should be attached. This simply means that anyone who gives you their personal data must know exactly what you intend to use it for.
Breach Notification
All data subjects must be notified of any breach that may “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data ‘processors’ will also have an obligation to make their clients, i.e. the ‘controller’, aware of any breach.
Right to Access
Data subjects will now have the right to obtain information about how personal data pertaining to them is being processed. The ‘controller’ should also provide the subject with a copy of the personal data, free of charge, in an electronic format.
Right to Be Forgotten
The right to be forgotten entitles the data subject to have the ‘controller’ erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent.
Privacy by Design
Privacy by Design has existed for a number of years, but it is now becoming a legal requirement under the GDPR. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as limiting access to personal data to those who need it to carry out the processing.
Data Protection Officers (DPO)
Appointing a DPO will be mandatory only for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or that involve special categories of data or data relating to criminal convictions and offences.
So, How Do I Get Ready?
Depending on how strict your data protection practices currently are, you might not have a lot to do. On the other hand, this could be a big job. This simple list will help you with the basics.
1. Identify where you hold personal data
Make sure you’re aware of everywhere you hold personal data. Keep a record of this so that you can be sure each one is compliant.
2. Check your third parties
If you use a mailing list provider, project management tool, CRM, accounts system, etc., you should check updates to their privacy policies and the ways that they use stored data. As the ‘controller’ of personal data, you should be sure of its security and that you only use reliable and reputable third-party companies.
3. Identify sensitive data
Sensitive data is that which, by being processed, could create significant risks to the data subject’s fundamental rights and freedoms. Sensitive data includes, but is not limited to, racial or ethnic origin, sexual orientation, religious or philosophical beliefs, political opinions, trade union membership, genetic data, biometric data and data concerning health. This should not be processed without explicit consent and should not be shared with third parties.
4. Figure out the legal grounds for processing
Legal grounds for processing data include:
- consent;
- performance of a contract;
- compliance with a legal obligation;
- protecting the vital interests of the data subject;
- processing that is in the public interest or based on the official authority of the ‘controller’;
- processing necessary for the purposes of the legitimate interests of the ‘controller’, except where the interests of the data subject overrule the interests of the controller.
5. Create a Processor Agreement
You must ensure that any ‘processor’ is GDPR compliant. This includes any employees or contractors, such as virtual assistants. Make sure that they agree to strict terms for handling and processing stored data.
6. Update your privacy notice
7. Create explicit consent statements for opt-ins
Wherever a subject enters data, there should be a clear statement telling them how this will be stored and used.
8. Create a system for handling subject access and data erasure requests
Under the new regulations, any subject is entitled to see what personal data (of theirs) you have stored. You should set up a system to manage these requests and send the relevant data in electronic format. Subjects also have the right to have any data pertaining to them erased if:
- it is no longer necessary in relation to the purposes for which it was collected;
- the subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the data must be erased for compliance with a legal obligation; or
- the data was unlawfully processed.
Remember, the General Data Protection Regulation (GDPR) isn’t being introduced to make things harder for you, but to protect and empower all EU citizens’ data privacy and to reshape the way organisations approach data privacy. Of course, this isn’t even close to everything covered by the new regulation, but these basics will help you to get ready.
You can find out more about the GDPR here.