As GDPR is becoming a reality, more and more people are asking the big question:
What is GDPR and how will it affect my business?
And there’s no denying it – to most of us, GDPR is a scary word (technically it’s an acronym, but still)…
Sure, it’s been all over the news and the internet but, for most of us, it’s still pretty difficult to get a clear picture of what GDPR really is and how it works.
Unfortunately, a simple lack of knowledge does not excuse companies from complying with the new rules. That’s why I want to tackle the topic once and for all, and answer some of the most common questions about GDPR.
Disclaimer: Many aspects of the GDPR legislation are left to interpretation. Thus, the views and tips shared here should not be treated as the law.
What is GDPR?
GDPR stands for General Data Protection Regulation. It’s a new set of rules that requires businesses to protect the personal data of European Union citizens.
We live in an internet-connected age where everything revolves around data. GDPR is designed to protect the personal data stored by businesses, and thus – protect consumer rights.
It will regulate all transactions within the European Union as well as the export of personal data outside of it. This means that companies will be forced to put new processes in place that make sure the data is collected legally and is safe from misuse.
Why does the GDPR exist?
GDPR is not a complete novelty. It’s a replacement for the Data Protection Directive. Since the directive dates back to 1995, before the internet became a common word in everybody’s lexicon, it is very outdated.
But is there a real necessity for GDPR now?
There is, and here are the stats taken from the RSA Data Privacy & Security Report to prove it:
- 80% of consumers admit that lost financial data is a top concern for them
- 76% are worried about lost security and identity information
No wonder 41% of consumers admit to intentionally falsifying data while signing up for services online! Most do it to avoid unwanted marketing, or due to security concerns.
However, not only are people concerned about the safety of their data but they are also quick to blame. In fact:
- 62% would blame the company for losing or leaking the data, and not the hacker.
- 50% claim they’d be more likely to shop at an organization that can guarantee data protection.
What types of privacy data does the GDPR protect?
Ok, so it’s clear that there’s a need to protect private data, but what can be classified as private information?
Unlike the Data Protection Directive, where only the name, address, and photos were classified as private data, GDPR goes much deeper.
The new legislation protects basic identity data, such as name, address, social security and ID numbers, as well as web data (IP address, location, cookie data, RFID tags).
It is also designed to protect health, genetic, racial, ethnic, and biometric data – data that can be used to uniquely identify a person.
And let’s not forget about the more sensitive data: political opinions and sexual orientation. They are also protected under the GDPR.
Who does GDPR apply to?
Although GDPR is European Union legislation, its reach extends to thousands of countries around the world.
So which companies need to comply with the GDPR legislation, and how do you know if yours is one of them?
It’s actually pretty simple: GDPR affects any organization that stores and processes personal data about EU citizens, whether based in the EU or anywhere else in the world. That means that even if a business is based in the United States and serves mostly Americans, it must comply with GDPR if at least a portion of its customers are EU citizens.
The second criterion is the number of employees: over 250. But before you exhale and think that your company is exempt, know that there’s a huge exception:
GDPR also affects companies with fewer than 250 employees if their data processing impacts the rights of the people, is not occasional, or includes some types of sensitive personal data.
That means that almost all companies that collect customer data will need to comply with GDPR.
When does GDPR come into force?
All the member nations (countries in the European Union) are expected to have added the GDPR rules to their own legislation by 6 May, 2018.
The actual all-encompassing GDPR will come into effect on 25 May 2018.
That’s the deadline for companies to make all the necessary changes to be compliant with GDPR.
Who will be responsible for compliance?
If your company processes special categories of data on a large scale, or monitors individuals, also on a large scale, you need to appoint a data protection officer (DPO). That should be someone with professional experience with data protection in your industry.
Public authorities, too, need to appoint a DPO, but he or she can be responsible for several organizations. Failure to appoint a data protection officer, if one is required, will result in a large fine.
If your company does not fall into those categories, you are not obliged to appoint a DPO. You do, however, need to make sure you have the knowledge and well-informed staff to deal with all the new rules and processes. That also includes having a clear understanding of who handles data.
The GDPR legislation mentions two types of data handlers: controllers and processors. Controllers are the people or organizations that determine and state how and why personal data is processed, but don’t actually do the processing. Processors, on the other hand, process personal data on behalf of a controller. A data processor can be an internal part of a company or an outsourced IT firm hired for the job.
These roles don’t necessarily need to be assigned, but companies need to have an understanding of whether they’re a controller, processor, or both. Although processors are the ones held liable for GDPR breaches, both the processors and the controllers can be held responsible. That’s why it’s important that both have a designated DPO.
What does GDPR mean for businesses?
One of the biggest advantages of GDPR is that it makes the same rules apply to the entire European Union, with a single supervisory authority. This will make the process cheaper and simpler for big businesses, in the long run.
However, many steps will need to be taken and processes altered to meet the GDPR demands. Of course, each business and service is different and will need to approach GDPR in a different way, but it’s safe to say that big changes will need to be made.
Data protection safeguards will need to be built into products and services from the very earliest stages of product development.
Many companies will probably have to use techniques such as ‘pseudonymization’ to collect and analyse personal data in a safe and secure way.
Businesses will have to put a system in place that ensures that:
- Data is collected in a safe way
- Data is securely protected
- People have access to their data and can easily opt out
- Any breaches, if they occur, are reported
Speaking of breaches, businesses will now be obliged to report all data leaks and breaches to the relevant regulatory body, as well as to notify the user if their data was hacked.
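The ‘pseudonymization’ mentioned above, and the opt-out/erasure requirement in the list, are easier to picture with a small working example. The code below is an added illustration, not code from the original post or from any particular product: it replaces the e-mail address in each record with a keyed HMAC-SHA256 token, keeps the key and the token-to-address lookup on the controller side (the “additional information” needed to re-identify someone), shows that analysis still works on the pseudonymized data, and honours an erasure request by dropping the link. The records, names and key are constructed for the example.

```python
"""
Added example (not from the original post): pseudonymization of customer
records with a keyed hash, plus an erasure routine for opt-out requests.
All records, names and the key used below are constructed for this demo.
"""
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample of what a sign-up form might store. Not real people.
RAW_RECORDS = [
    {"email": "anna@example.com", "country": "DE", "plan": "pro"},
    {"email": "ben@example.com", "country": "FR", "plan": "free"},
    {"email": "Anna@Example.com", "country": "DE", "plan": "pro"},  # same person, repeat visit
    {"email": "cara@example.com", "country": "DE", "plan": "free"},
]


class Pseudonymiser:
    """Replaces a direct identifier with an HMAC-SHA256 token.

    The secret key and the token-to-identifier lookup are held separately
    from the pseudonymized data set. A plain, unkeyed hash of an e-mail
    address would not be enough: anyone with a list of candidate addresses
    could hash them and match the tokens back to people.
    """

    def __init__(self, key: Optional[bytes] = None):
        # Fresh random key per deployment unless one is supplied (e.g. from a KMS).
        self._key = key if key is not None else secrets.token_bytes(32)
        # Controller-side re-identification table; never shipped with the data set.
        self._lookup: Dict[str, str] = {}

    def token(self, identifier: str) -> str:
        # Normalise so "Anna@Example.com" and "anna@example.com" map to one subject.
        normalised = identifier.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()

    def pseudonymise(self, record: dict) -> dict:
        tok = self.token(record["email"])
        self._lookup[tok] = record["email"].strip().lower()
        out = dict(record)
        del out["email"]  # the direct identifier leaves the analysis copy
        out["subject_id"] = tok
        return out

    def reidentify(self, token: str) -> Optional[str]:
        return self._lookup.get(token)

    def erase(self, identifier: str) -> str:
        """Honour an opt-out: drop the re-identification link and return the token."""
        tok = self.token(identifier)
        self._lookup.pop(tok, None)
        return tok


def plans_by_country(pseudo_records: List[dict]) -> Counter:
    """Analysis that needs no identifiers: how many subscriptions per country/plan."""
    return Counter((r["country"], r["plan"]) for r in pseudo_records)


def erase_subject(p: Pseudonymiser, pseudo_records: List[dict], identifier: str) -> List[dict]:
    """Remove a subject's rows from the pseudonymized set and the lookup table."""
    tok = p.erase(identifier)
    return [r for r in pseudo_records if r["subject_id"] != tok]


if __name__ == "__main__":
    p = Pseudonymiser()
    pseudo = [p.pseudonymise(r) for r in RAW_RECORDS]
    print("pseudonymized:", pseudo)
    print("plans by country:", plans_by_country(pseudo))
    remaining = erase_subject(p, pseudo, "anna@example.com")
    print("after erasure:", len(remaining), "rows; lookup for erased token:",
          p.reidentify(pseudo[0]["subject_id"]))
```

Two design points matter here: the key must be stored apart from the data it protects (otherwise the tokens are as good as the e-mail addresses), and a different key yields different tokens, so rotating or destroying the key is itself a way to sever the link for a whole data set.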
What does GDPR mean for consumers?
There have been billions of data breaches over the years and most of us have suffered from them to some degree.
While GDPR cannot guarantee that these breaches will not occur, it can help people stay informed. As I mentioned above, GDPR forces companies to report breaches if they happen and to notify all affected users. This will give people an opportunity to take appropriate measures in a timely manner.
Consumers will also get better access to their own personal data and will be able to see how it’s processed. If they do not want their data stored in the company database, they will be able to easily opt out or ask to have it deleted.
Consumers will have a lot more rights with GDPR and it’s up to companies to comply.
Repercussions for not complying with the GDPR
It can be expensive for a company to make all the necessary changes to comply with GDPR, but it’s even more expensive not to. The repercussions for failing to comply with the new legislation are grave and the fines significant.
The size of the fine will depend on the severity of the breach.
The biggest fines, of 20 million euros or 4% of worldwide turnover (whichever is greater), will be issued to companies that:
- Infringe on the rights of the data subjects
- Bring about unauthorized international transfer of personal data
- Ignore people’s requests to access their data
Companies that mishandle data in other, less dangerous ways, will be fined 10 million euros or 2% of worldwide turnover.
This can be the repercussion for:
- Not reporting a data breach
- Not applying data protection in the early stages of a project
- Not appointing a data protection officer if one is required.
GDPR may seem like something confusing and problematic, and let’s admit it – at first it will be.
Many businesses will need to make a lot of big changes to comply, but once they do, the internet will be a much safer place.