Get to know General Data Protection Regulation (GDPR)
If you’ve spent any time at all on the internet in the last six weeks or so then you’ve probably heard people talking about the new General Data Protection Regulation (GDPR). Many companies have left compliance to the last minute, which is why your inbox is filling up with requests from companies that want your permission to keep storing and using your data.
GDPR affects almost everyone, and companies have a responsibility to understand how it applies to them and to take steps to make sure that they’re fully compliant. Although it’s EU legislation, it also reaches companies outside the EU that process the personal data of people in the EU, whether by offering them goods or services or by monitoring their behaviour. This means that a whole heap of companies that weren’t covered by the older Data Protection Act (DPA) rules will now be covered by GDPR and will need to ensure that they’re fully compliant.
If you sell or ship goods to customers in the EU then you’ll need to comply with GDPR. If you let visitors from the EU sign up to your website then you’re processing their personal data and you need to comply with the regulation. And honestly, the fines for non-compliance are so harsh that it’s really not worth risking it. Even if you think it doesn’t affect you, it’s a good idea to make sure that you’re in full compliance anyway. Think of it as futureproofing yourself, just in case.
What GDPR non-compliance looks like
Possibly the most surprising thing about GDPR is the severity of the fines for non-compliance. For the most serious infringements, companies face fines of up to 4% of their total worldwide annual turnover or up to EUR 20 million, whichever is higher. Many people remember the introduction of the EU “cookie law” (the ePrivacy Directive’s consent requirement for cookies) and how slow regulators were to levy fines. Perhaps they’ll be slow this time as well, but if you ask us it’s not worth taking a chance on it. EUR 20 million is a lot of money.
Speaking of cookies, the way those are handled will have to change. GDPR is serious about consent: it must be freely given, specific, informed and unambiguous, it requires a clear affirmative action (so pre-ticked boxes and silence don’t count), and it must be as easy to withdraw as it is to give. Simply expecting people to block cookies in their browser isn’t good enough. You need to give them real control over what data you hold about them and what you’re allowed to do with it.
Some companies will also be required to carry out data protection impact assessments (DPIAs), but only where their processing is likely to result in a high risk to the rights and freedoms of the individuals whose data they process. “High risk” isn’t exhaustively defined, but GDPR does name some cases where a DPIA is mandatory: systematic and extensive profiling that produces legal or similarly significant effects on people, large-scale processing of special categories of data (such as health data) or of criminal-conviction data, and large-scale systematic monitoring of publicly accessible areas. Beyond those, supervisory authorities publish their own lists, and it comes down to a documented judgement call. Remember also that it’s better to be safe than sorry: if you think you need to carry out a DPIA, carry one out.
It’s all about rights
It’s important to remember that GDPR isn’t being introduced just to confuse people and to try to catch them out with a massive fine. Instead, it’s about enhancing the rights of ordinary people and giving them more control over what companies do with the data they gather. People must be able to access their data, to ask for it to be corrected or deleted, and even to receive the data they provided in a structured, commonly used, machine-readable format so that they can move it from one provider to another. That last one is called the right to data portability, and it’s something we’re likely to hear more about in the coming months and years.
GDPR comes into effect on Friday, May 25th 2018, so if you’re not already compliant then you need to get a move on. It’s never too late to get started, and even if you’re non-compliant and a supervisory authority comes knocking, the regulation tells them to take into account the steps you’ve taken to fix the problem and how well you cooperate when deciding whether to fine you and how much.
Now that you know the basics of GDPR, it’s over to you to make sure that you’re fully compliant. Remember, you have a duty to do so, not just to protect your company but also to safeguard your customers. Don’t be caught out. The deadline is coming.