Yes, we know that it’s nearly Christmas and everything is winding down for the festive period, but the General Data Protection Regulation is coming, and it’s probably not going to have quite the same heart-warming impact as those sparkly trucks coming over the hill.
The GDPR will be applied in the EU on 25th May 2018 – so not long at all if you’re a business that needs to prepare for the new regulations. For some, this preparation will be a mammoth task – there are 99 Articles and 173 recitals to comprehend – and considering that the penalty for failing to comply can cost you up to 4% of your international annual turnover, you really want to make sure that you know your stuff.
Now, being a strategic design agency based in the vibrant town of Marlow, what insight can we offer you about the GDPR and how to prepare for it? Well, we’re certainly not going to lay out all 99 articles in scientific detail, but we can provide you with a quick layman’s guide on how to make sure that you know what the GDPR is about and whether it affects your business.
First things first – what are the main principles of the GDPR?
Well, Article 5 of the GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; and
- Processed in a manner that ensures appropriate security of the personal data, including protecting against unauthorised or unlawful processing and against accidental loss.
We live in a world where we’re expected to provide personal details for every online transaction and purchase that we make, whether that’s booking a hotel room, sending a card to a loved one, or even ordering an obscenely large amount of pizza for just one lone person (just me?). It is a truth universally acknowledged that you will have to hand over your personal data in exchange for the goods.
With this in mind, the GDPR has been designed to ensure that we do not need to be concerned about our privacy. The new regulation will not only streamline the regulatory environment, but it also brings information security to the forefront – no bad thing if you’re a consumer.
So where do you start if you’re a business?
Well, if your company is already processing, or is intending to begin processing, the personal information of EU citizens, whether your company is based within Europe or not, then the answer is probably yes: you will need to make sure that you are complying with the General Data Protection Regulation when it comes into force next spring.
And what happens if you don’t?
Well, depending on the severity of the infraction, you could be looking at a penalty of €10,000,000 or up to 4% of your international annual turnover of the preceding financial year (whichever is higher), a potential business-closer depending on the size of your company.
But what if you’re not selling anything?
This doesn’t matter, I’m afraid. If you’re processing the personal data of an EU citizen as a business, then you are required to comply with the new regulation, money or no money.
Does it impact B2B?
Yes. Depending on your business arrangement, you will be considered either a data controller or a data processor, and responsibility for compliance is shared between controllers and processors, so find out which one you are and make sure you’re covered.
What exactly does ‘personal information’ mean?
It’s pretty much everything that you can think of, but in case you’re not sure, read this from the GDPR itself (Article 4):
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
How do you comply?
Well, unfortunately there is no magic answer to this question, other than that you will need to make sure that you are complying with all of the relevant sections of the Regulation. As you can imagine, deciphering some of the verbose language of the Regulation itself can be taxing, to say the least. There are other resources out there that attempt to guide you through it, but again, these can be quite jargon-heavy and complicated to understand, so the Regulation itself is still your most reliable document of reference.
Where can we find out more?
As you can see, this topic is very layered and riddled with complexities, and this post is merely a starter for ten if you haven’t already been looking into the subject in much detail. For far more detailed and comprehensive advice on how to make sure that your business is completely GDPR compliant by May 2018, Hannah at Brabners LLP is the GDPR source for you. Trust us, she really does know her stuff!
We hope this helped, happy GDPR-ing!