Each New Year brings new business priorities. For some, the focus will be recruiting talent; for others, driving growth and maximising new business opportunities. However, wherever you plan to channel your efforts in 2018, make sure that preparing for the EU’s General Data Protection Regulation (GDPR) is high on your list. GDPR is the biggest shake-up in data privacy regulation in 20 years, and achieving compliance requires a lot of groundwork.
After four years of preparation and discussion, GDPR becomes enforceable in a matter of months, on 25 May 2018. It is, without doubt, the piece of business legislation expected to have the widest-ranging impact in 2018. The Great Repeal Bill (formally the European Union (Withdrawal) Bill) will also carry it over into UK law regardless of how Brexit pans out, so UK businesses must get their policies and procedures in place.
The scope of GDPR is far-reaching. It applies to any organisation established in the EU, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. It covers any information that can be used to identify a living person, directly or indirectly: for example a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
Outdated data policies
GDPR replaces the Data Protection Directive 95/46/EC, which was written in the 1990s, a time when only the largest companies had the means to collect and store significant amounts of data and social media did not exist. Nowadays most companies collect and store personal data, using it for sales, marketing and customer relationship management, and the old law has become increasingly outdated. GDPR reflects these changes, harmonises data privacy law across Europe and gives citizens and residents greater control over their personal data.
The new legislation sets out how companies must handle customer privacy, store data securely and respond to security breaches: a personal data breach must be reported to the supervisory authority within 72 hours of the organisation becoming aware of it where feasible, and to the affected individuals where it is likely to result in a high risk to them. Stricter rules apply to the processing of sensitive personal data, and obtaining consent becomes harder: it must be a clear, affirmative act, so it can no longer be inferred from silence, inactivity or a pre-ticked box. There is also a wider right to be forgotten (the right to erasure) than exists today.
Failure to comply carries much tougher penalties: for the most serious infringements, organisations can be fined up to €20 million or 4 per cent of annual global turnover, whichever is higher, with a lower tier of up to €10 million or 2 per cent for other breaches. These rules apply to both controllers and processors, so an outsourcing provider such as a cloud computing company or a third-party payment provider now has direct legal responsibilities of its own.
While many of these requirements may seem daunting, GDPR is a single regulation that applies directly in every member state, so a business that complies with it faces one core set of rules rather than divergent national implementations of the old Directive in each European country in which it operates (member states retain some room to legislate locally, so local advice is not entirely redundant). This reduces ambiguity and cost. It should also result in greater transparency and security for customers, deepening the trust between companies and their customers, making life harder for cyber criminals and strengthening a firm’s reputation for being trustworthy.
So as 2018 gets underway, businesses should conduct a full information audit of the data they hold and their current practices. Appointing a data protection officer (DPO) is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive data; for everyone else it remains a sensible best practice. At Creditsafe, we have a GDPR manager who has the responsibilities of a DPO, while also working tirelessly to ensure our compliance and communicate the changes throughout the business.
A key aspect of preparing for GDPR is understanding that it is an issue for everyone within a company, not just the DPO. GDPR may entail huge volumes of work for many different departments, so it is vital that everyone is on board and understands the urgency.