Is your business ready for GDPR?


From May 2018, a new legal framework will apply to every country in the EU. And failure to comply could see your company facing a major fine. Here’s what you need to know about General Data Protection Regulation (GDPR).

You might have heard some talk of General Data Protection Regulation (GDPR) – a major new legal framework for the EU – that applies to an organisation’s responsibilities when it comes to collecting and protecting personal data.

The European Commission announced back in 2015 that it had agreed on new legislation to replace the 1995 Data Protection Directive and the 1998 Data Protection Act. It has now been confirmed that the regulation will come into effect on 25 May 2018 and will apply to all companies operating within the EU.

Even post-Brexit, whatever deal we might or might not walk away with, companies will need to comply as the regulation extends to any organisation operating outside of the EU that offers services to member states.

What does the legislation mean?

GDPR is essentially designed to give individuals autonomy over their personal data and force companies to think seriously about data protection – a change in the definition of personal data will come into place, along with stringent rules regarding consent to use personal data and mandatory privacy impact assessments.

Overall, this means organisations collecting personal data will need to be able to demonstrate that they have received clear and affirmative consent to process that data. In addition, this consent must be given freely – an organisation cannot insist on receiving data that is not required for the performance of a contract. The legislation also requires that organisations have the processes and technologies in place to delete data if requested.

What will my company be accountable for?

Under GDPR, companies will be held accountable for personal data. They must comply with the principles set out by the regulation and demonstrate this compliance – one way of doing this is by documenting all decisions that your company takes around the storing and processing of data.

Article 30 of the regulation declares that organisations with fewer than 250 employees will not be bound by GDPR; for example, they will not be required to employ a data protection officer.

However, many of the rules set out by the legislation will still apply to organisations with fewer than 250 employees if their data storing and processing is likely to result in a risk to the rights and freedoms of data subjects. Requirements in this instance include immediately reporting any breaches in data protection to bodies such as the Information Commissioner’s Office.

Ideally, breaches should be reported within 24 hours, and definitely within 72 hours.

What could happen if I fail to comply?

Not keeping comprehensive records of your data storing and processing standards, and failing to adhere to breach notification requirements, could result in a serious fine. Regulators can currently fine up to £500,000 for malpractice, but under GDPR they will be able to fine up to €20 million or 4% of annual turnover, whichever is higher.

Therefore, now is the time to check your company has the appropriate steps in place to ensure your data collection processes aren’t breaching the rules.

This will mean assessing CRM systems and outbound marketing activity, and potentially making the move to professional software and tools that are compliant with GDPR legislation.

With less than three months to go until the introduction of the General Data Protection Regulation (GDPR), three-quarters of small and medium-sized enterprises have yet to even start preparing.

GDPR includes requirements for new processes such as the employment of data controllers, privacy impact assessments and greater choice for customers, including the right to be forgotten.

Businesses will also be required to disclose all data breaches to regulators. Some of the rules sound deceptively simple, but many firms will struggle to cope because they don’t even have a clear idea of what data they currently hold on customers, or where and how it is stored.

All organisations must take the GDPR seriously, and SMEs are no exception. Investing now to prepare and protect your business is essential if you do not want to risk incurring EU penalties.
