What does a European Union law about privacy have to do with your small business?
That might seem like a ridiculous question to ask, but it’s not.
The General Data Protection Regulation, or GDPR for short, went into effect on May 25, 2018. And with privacy issues in the news on a near-daily basis, with the recent Congressional hearings about Facebook and Cambridge Analytica, you can’t afford to ignore the ramifications of GDPR for your business.
You could keep your head buried in the sand – but that’s not a good idea. Here’s what you need to know about GDPR.
What is GDPR?
GDPR is a law that was designed to standardise data privacy in the European Union’s member countries. It represents a big chance – and a victory for EU citizens, who can now be confident that their data will be secure and that the regulations used to ensure its security is transparent.
On the flip side, EU-based businesses have had to scramble to be compliant with the new rules. The biggest requirement involves Personal Identification Information or PII. PII is sometimes used as a general term in the United States to describe personal information that companies might collect and store on behalf of their customers.
The GDPR expands the definition of PII to include other things. For example:
- Web data, including the user’s location, IP address, cookies, and RFID tags
- Medical and genetic data, including medical records, test results, and DNA
- Biometric data, including fingerprints and other unique identifiers
- Racial and ethnic data
- Political opinions and orientation
- Sexual orientation
In other words, companies in the EU must now protect their customers’ IP addresses and other information collected online with the same care that they would financial information. It further requires that organisations:
- Store and process personal data only with an individual’s explicit consent
- Hold data for only as long as it is necessary to do so
- Destroy stored data upon request
There’s no denying that the implementation of GDPR represents a big change for EU companies.
How Does GDPR Affect Companies?
Think for a moment about the different ways in which you use the data you collect from your customers. The chances are good that you do more with it than you realise.
Organisations in the EU are finding that they institute company-wide changes to be compliant with GDPR regulations. Privacy can impact various departments within an organisation, including:
Business owners and managers must work together to identify potential privacy problems and security issues and address them to protect the information they have stored. At the same time, they must accommodate incoming requests related to the “right to be forgotten” if customers ask them to delete the data they have on hand.
Why You Should Worry about GDPR Compliance?
If Your business is based in the United States – and you might be asking the obvious question:
Why should I worry about GDPR compliance?
You may not need to worry too much about it if you have never had a customer who was an EU citizen. However, if you do business in the EU (or cater to tourists from the EU), then you might be impacted by the new regulations.
This is what the GDPR website says about organisations outside the EU:
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
In other words, if you collect data on your website from EU citizens, process payments from them, or hold any personal information belonging to EU citizens, you must adhere to GDPR rules about collecting, using, and storing their PII.
You might not have any EU customers, but even if you don’t it may be worth taking a look at the way you store personal data. There’s no question that there’s a worldwide movement toward increasing privacy protections. Cybercrime is on the rise and criminals are getting wilder every day. Considering the damage that a data breach can do to your bottom line, it makes sense to err on the side of caution.
What Are the Penalties for Violating the GDPR?
As you might expect, there are penalties attached to violating the GDPR. The law is meant to be a deterrent and the EU intends for organisations who fail to be complaint to pay a price.
The most likely penalty if you fail to protect EU citizens’ data is a fine. The maximum fine is 20 million Euros. The specific rule is €20 million or 4% of the company’s global revenue, whichever is higher.
The harshest penalties are intended to punish companies with the most severe violations, such as violating core concepts or not getting a customer’s consent to process their data. Other fines are organised in tiers. For example, an organisation can be fined 2% of their global revenue for things like:
- Not having their records in the proper order
- Not notifying the authorities of a security breach
- Not conducting the required impact assessment
These are serious penalties. You’ll need to take a hard look at your security and data handling procedures to avoid them if you do business in the EU or with EU citizens.
What Should You Do Next?
If you do business in the EU or simply want to get your ducks in a row when it comes to protecting your customers’ data., it may be helpful to make a thorough review of your existing data collection and storage procedures to identify potential problems.
You can find detailed information about the GDPR on this website. Depending on your circumstances, you may want to consult an EU lawyer as well.
In the end, remember that GDPR compliance protects you as well as your customers. It can be impossible to protect the digital perimeter of your business from hackers, but the procedures required by the GDPR can give you an extra layer of protection in the event of a breach.
Being based in the UK: From 25 May 2018, the Data Protection (Charges and Information) Regulations 2018 requires every organisation or sole trader who processes personal information to pay a data protection fee to the ICO, unless they are exempt. Click here to find out more and visit www.ico.org.uk