This is the first in our series of blog posts about the upcoming Europe-wide GDPR (General Data Protection Regulation), where we’ll be looking at everything businesses need to know and do about it.
By now most, if not all, businesses will have heard of GDPR. It’s been on the horizon for some time, but the countdown is now on to 25 May 2018 when it comes into force.
Some of the companies we’ve talked to know what it is, but are confused about what they need to do to comply with the regulations. We’re not surprised: a quick Google search for GDPR gives you 6,610,000 results! That’s more than 6 million links to training courses, workshops, guides, articles, tips, checklists, advice and more.
Making sense of it all – what is GDPR?
In a nutshell, GDPR is a new data protection law. It is an EU-wide regulation that is much more geared towards the digital age. This makes sense, as the Data Protection Act 1998 was created before the mainstream Internet, social media and mobile devices.
It gives EU citizens more control over their personal data and assurances that their information is being securely protected. Personal data is any information related to a person, such as a name, email address, phone number, bank details, photos, updates on social media networking sites, location, medical information, or a computer IP address.
Just about every business processes a lot of personal data every day. Your business might be processing data on behalf of your clients, about your clients and certainly will be about your employees. The fact is that, while you collect, process and store a lot of data, you don’t own it. That information belongs to the person it is about.
How this mass of information is handled, retained and stored will be under much more scrutiny when GDPR comes into effect from 25 May.
There will be penalties for your business where data is found to have been gathered, used or stored inappropriately. And importantly, you need to have a legal basis to have this data, and be clear about the reason you have it. If there isn’t a valid reason for having it, you need to securely remove the data.
What happens on 25 May 2018?
From 25 May 2018, if your business isn’t complying with GDPR, you will be hit with a fine. If your company is found guilty of a data breach that compromises an EU citizen’s data, the penalty could be:
- €10 million (about £8 million) or 2% of your annual turnover, whichever is bigger, for failing to keep proper records, violating data breach notification requirements, failing to appoint a data protection officer where needed, etc.
- €20 million (about £16 million) or 4% of your annual turnover, for violating the basic principles for processing, ignoring people’s rights, incorrectly transferring personal data, etc.
Think about it: if you run a large business, you could be fined hundreds of millions for a single breach.
So, to eliminate the risk of a fine, you need to get your GDPR ‘ducks in a row’, so to speak, and do what’s needed to ensure your company complies. The sooner you do this, the better for your business.
The last thing you want is a fine, but have you also thought about the negative headlines or public backlash your business could face if you fail to collect, store and use customer, stakeholder, even employee information in the right way? The potential repercussions go way beyond a financial penalty.
It’s not worth the risk.
If you haven’t already taken the steps you need to comply, the good news is you still have time to do so.
With this new regulation there’s a lot to think about and act on. So, over the next few weeks, we’ll be posting a series of blogs about what GDPR means for you and what you need to do. You can also find guidance and sector-specific information from the Information Commissioner’s Office (ICO).