There has been a lot of noise about a new law called the General Data Protection Regulation (GDPR), that comes into force on 25 May 2018. As that date gets closer, the noise is likely to get louder. Up until now, reactions to the noise have been divided. First there is the doom and gloom camp, talking up the risks of non-compliance and the possibility of large fines as a result. Second, there are those in the lets wait and see camp, keeping their fingers crossed that doing nothing for the moment is a justifiable strategy.
If a company complies with existing data protection law, it will not take much extra effort to comply with the GDPR, but there are five significant changes to data protection law under the GDPR which companies should be aware of:
1. More companies are required to comply with the new law – the existing law applies only to companies that control the processing of personal data (Data Controllers). The GDPR extends that law to those companies that process personal data on behalf of Data Controllers (Data Processors). For example, if you buy a new washing machine and give your contact details to a shop to deliver that washing machine, only the shop would be liable for looking after your personal information under the existing law, but under the GDPR, the shop and the delivery company could both be liable.
2. There are larger fines for non-compliance – whether such fines become a reality or not, the GDPR allows the regulator to fine non-compliant companies up to 4 per cent of global turnover.
3. Companies need to be able to show that they comply rather than just say that they comply – the regulator is emphasising the need for accountability and appropriate record keeping.
4. There is a new requirement to notify data breaches to the regulator – under the existing law the regulator recommends that companies notify it if they experience a data breach. Under the GDPR there is a requirement to notify under certain circumstances.
5. It will be much harder for marketing departments to rely on consent as the basis for processing personal data such as email addresses – for companies relying on consent as a legal basis to process personal data, opt out will no longer be an option. Consent will have to be more specific and a more granular rather than broad brush approach will be required. Also, companies will have to inform individuals that they can withdraw such consent at any time.
Is The GDPR Relevant To Small Companies?
Yes. The GDPR, in effect, applies to all companies, as all companies process personal data (think employee contact details as a minimum). However, certain companies are more at risk than others. In reality, the less personal data a company processes, and the less sensitive that personal data is, the less a company is likely to need to be worried about the GDPR. However, companies should think carefully before coming to the conclusion that they do not process much personal data. Even small companies with employees, a website and a CRM solution are likely to be processing a lot of personal data.
Complying with the GDPR will be good for all businesses – it is a matter of customer trust. Todays customers are more concerned about what happens to their personal information. Certain companies will only do business with companies that promise to be GDPR compliant. And finally, for owners of companies looking to sell their businesses in the future, potential buyers will insist on the company being GDPR compliant.
Finally, remember that not all data breaches are caused by big companies like Uber being hacked. More likely is an individual employee losing an unencrypted laptop on a train, or mistakenly sharing a customer list by email. This can happen to any company. That company may have to notify such a breach to the regulator under the GDPR. And no company wants the reputational consequences of such a notification being made public.
How Do I Ensure That My Company Complies With The Law?
Eight Top Tips: What A Comprehensive Data Protection Compliance Programme Looks Like
It is a programme which embeds compliance into your company and recognises where the risks are likely to come from. The regulator is most likely to get involved with your company if you have a data breach, or an individual makes a complaint. Therefore, have a programme which ensures that such breaches are unlikely to happen and means that individuals are less likely to complain.
In practical terms:
1. Educate your employees as to what data protection means in practice and what they must do to protect personal information in their day to day jobs.
2. Know what personal data you process, where you keep it, who you share it with, how long you keep it and what you do with it when you no longer need it.
3. Be transparent with individuals about what you do with their personal information. Have easy to understand privacy notices that tell individuals what you do with their personal information.
4. Think carefully about who you share personal information with and ensure that they are bound under contract to protect it.
5. Be ready with responses and a process for responding to requests from individuals in relation to the personal information you hold about them.
6. Keep the personal information you control secure by making sure that you get the simple stuff right eg. encrypt laptops, keep the office locked, shred paper rather than putting it in the bin and don’t allow sharing of passwords.
7. If personal information you control is being processed outside the EEA (for example, if you use cloud storage, or other solutions hosted in the USA) make sure that you can demonstrate that such information is safe.
8. Ensure that you build privacy into your processes. For example, if you are building a new product, think about how that can be built with the minimum amount of personal data.
In relation to all of the above, keep written records and policies detailing how you comply!
Who To Turn To If You Need Help With Your GDPR Compliance
Remember, you can do this by yourself. The ICO (the regulator in the UK) has a brilliant website with lots of useful information and guidance. If you feel that you do need help, there are the following options:
- pay an external lawyer or compliance professional;
- employ an in house lawyer or compliance professional;
- outsource the compliance function to an external data protection officer; or
- make use of technology solutions such as those that help with data inventory, data classification or production of privacy impact assessments.
You can mix and match these possible solutions, or use a comprehensive solution such as The Privacy Compliance Hub.
The GDPR is an evolution, not a revolution. There are easy steps that you can take now to make your company GDPR compliant. Embed GDPR compliance into your company, make sure that your employees understand what GDPR is and why it is important, let your customers know that you believe strongly in protecting the personal information of individuals, and then be prepared to demonstrate your compliance if anyone ever asks about it, or an accident happens. Think of your brand and your bottom line – customers are more likely to do business with companies that they trust; less likely to do business with companies that seek to confuse them; and stop doing business with companies that are reported to the regulator.