TMB looks at what the General Data Protection Regulation (GDPR) means for businesses, and what you need to do to avoid being fined.
By early next year, all businesses that have customers in the European Union will have to adhere to the EU’s new rules on data protection – and the penalties for not doing so could be severe.
Fines of up to €20 million or 4% of annual global turnover could potentially be used to punish companies that stray from the EU General Data Protection Regulation (GDPR), set to become law on 25th May 2018.
And because the rules cover the rights of EU citizens, it doesn’t matter where companies are based. If your firm has customers who are EU citizens, then how you handle their personal data will be subject to the conditions of GDPR.
Furthermore, the UK government has committed to transferring the full complement of rules to British law, in the form of a new Data Protection Bill - currently making its way through parliament. That means businesses and organisations with customers in the UK will have to comply with practically identical rules, even after Brexit.
In the meantime, the UK isn’t set to leave the European Union until at least 2019, so it’s vitally important to be ready by next year.
What Are The Rules?
When GDPR was originally adopted on 27th April 2016, organisations were given a two-year transition period to put it in place. If you have yet to adopt correct data protection practices, then time is running out. The requirements set out in the Official Journal of the European Union are complex and extensive, and larger businesses are likely to require the assistance of specialists to comply. Smaller businesses have a bit more leeway, but there are still some key rules they'll need to consider if they want to be GDPR compliant.
Information and transparency
If you store information about your customers or other individuals, including addresses, birthdays and so on, then you need to make sure they can access that data when asked. Individuals should also be given clear opportunities to opt in to what information they allow companies to keep. Smaller businesses will have a reduced liability, but they still need to make sure they’re treating data properly.
The right to be forgotten
Under this rule, all individuals have the right to request that their data be removed when it’s no longer relevant. The right to be forgotten has been enshrined in European law since 2014; as part of GDPR it will go further, by placing the burden of proof on the companies that hold the data.
The right to data portability ensures that individuals can obtain and reuse their personal data as they see fit. This would make it easier for people to, say, move from one supplier to another.
A big part of GDPR is that it places the responsibility of data security firmly on the companies that hold it. While it's accepted that data breaches may be impossible to prevent 100% of the time, organisations have to show that they've taken positive steps to protect data. For example, it will no longer be acceptable to store personal data about your staff and customers on unencrypted portable USB drives.
How To Prepare For GDPR
Ideally, you’ll already have made your business GDPR compliant or have a clear plan of how you’re going to make that happen. If not, then you have some catching up to do. Thankfully, the Information Commissioner’s Office has published a handy 12-step guide to preparing for GDPR.
Also, as a business that has been through the process of becoming GDPR compliant ourselves, TMB can help get you on the right track, with tools and solutions that meet the EU's requirements. Just drop us a line, and let us know what you need.