The General Data Protection Regulation (GDPR) is the EU’s new regulations on how companies handle customer data. While it’s EU regulation, it has an extraterritorial effect, meaning all non-EU countries are also affected. Any company that deals with the data of EU citizens must comply to avoid infringements. The definition of personal data has also been expanded to include a greater range of information.
This allows us to take Brexit off the table straight away. Although there’s a crossover where GDPR is in effect while we’re still part of the EU, it’s equally relevant to nearly every business even after Brexit.
Will my company be affected?
In short, yes. GDPR now makes the EU the proud owner of the world’s strongest data protection rules. The digital landscape has changed considerably, but the laws protecting our personal information haven’t kept pace.
Any company that stores or processes personal data will be covered by GDPR. The definition of personal information has been expanded beyond obvious identifiers, such as name and address, and now also includes any piece of information that can be used to identify a person. This means it covers a broad range of categories, from sexual orientation to IP address. The Information Commissioner’s Office (ICO) has published its own guide to GDPR.
The increase in the use of mobile devices to access the Internet also makes it virtually impossible for any website not to process data that could potentially identify an individual. This fact alone can create big problems for businesses. Organisations don’t just deal with customers, they also transfer information internally. Any data sharing within an organisation will need to be encrypted to be compliant with GDPR. No company is compliant without considering its portable devices. See this guide to GDPR compliance and USB drives for more information.
What has GDPR changed?
The overriding intent behind the many changes in the text of GDPR is to give more control and transparency to individuals. To achieve this, the regulations place obligations on organisations. Failure to comply with the regulations will open you up to fines.
In basic terms, you will not be allowed to collect any personal information about visitors to your website, even their IP address, without their express consent. This will mean a change in approach for new start-ups, as well as website updates for existing companies.
If you already have an e-mail list of customers, or for your newsletters, you’ll need to contact the entire list to get their consent to continue holding their data. In certain circumstances, GDPR also makes it free for users to get access to any data a company holds on them, such as when they want to withdraw consent.
The changes aren’t just digital
Companies that deal with a sizeable amount of data will need to have comprehensive data protection policies in place that clearly lay out how data is processed. Putting this information together will require impact and risk assessments. If the amount of data being processed is significant enough, a company may need to employ a data protection officer (DPO).
The fines are substantial
GDPR states even smaller offenders that fail to be compliant could face fines of up to €10 million, or 2% of the global turnover, whichever is greater. These figures double to €20 million and 4% respectively for more serious offenders. When you consider the previous maximum fine in the UK was a mere £500,000, it becomes clear just how much more substantial these new fines are.
If your company has a digital presence, GDPR will affect it. An alarmingly high number of companies still need to take action to be fully compliant. However, the ICO is likely to take a more lenient view of those who are already taking steps than of companies who are carrying on as if nothing has changed.
GDPR is just one of many updates to data protection law needed globally, so expect to see more follow. Comprehensively preparing now could save you a considerable amount of time in the near future.