There are fewer than six months before the new General Data Protection Regulation (GDPR) takes effect in the European Union (EU). It aims to strengthen the rights and protection of consumers in the EU. This means that all businesses need to prepare for the impact of more stringent data collection and storage processes.
The GDPR starts on May 25, 2018. This legislation affects all EU member states. Everyone will now have to follow the same laws for collecting, storing and using consumers’ personal data.
Benefits of GDPR
There are two key benefits to the GDPR:
- Its goal is to give EU residents control over their personal information.
- It simplifies the regulatory environment for international businesses operating in the EU.
Everyone using the internet has privacy concerns. The GDPR addresses that for consumers. For businesses, the strict new legislation replaces the 28 separate data protection laws in the EU with one set of regulations.
How does it affect small to medium enterprises?
The GDPR legislation applies to all organisations doing business in the EU. This includes small to medium enterprises (SMEs). No matter how big or small your business, you will have to follow the law. This is great news for consumers, as it makes it more difficult for companies to misuse consumers’ personal data. And any breaches can see you fined.
There is some good news for SMEs: there are some exemptions. Under Article 30, the GDPR acknowledges that SMEs are different to large corporations and public organisations. SMEs with fewer than 250 employees that do not collect a lot of personal consumer data are exempt from:
- hiring a full-time data protection officer
- keeping formal records about company data processing methods
- reporting minor data breaches as long as there is no risk to the rights of the people involved.
While SMEs have these exemptions, it is not a free pass to avoid the GDPR. The exemptions only recognise the working capacity of SMEs. You must comply with the new laws.
So, do you understand what the GDPR means to your business? Do you know what the business needs to do to prepare for the new legislation?
The key changes are to the rights of your data subjects (people you collect data about). You need to understand what this means to your business.
Data subjects – what are they?
These days every business collects information about its customers, such as contact information stored in a database. But businesses also collect information from people signing up for special offers and in all sorts of other ways. Then there are employee, supplier, bank and medical records. These are all stored in databases. All of these are data subjects: people that organisations collect, store and use data about for business purposes.
A lot of information organisations collect to store is sensitive and personal. The GDPR makes sure that all businesses do the right thing to protect the data they collect and store.
What changes under the GDPR?
There are three major changes under the new GDPR:
- Accountability. The GDPR emphasises accountability. Your organisation will have to be able to prove its compliance to the data protection regulations.
- Notification of data breaches. The GDPR brings in new rules about reporting data breaches. This means reporting all breaches of personal information to the regulators within 72 hours. You will have to tell those affected when the breaches put them at high risk. SMEs are exempt from this if the breach is minor.
- Consumer consent and privacy notices. The GDPR means businesses must get consent to use the data they collect from consumers. It also allows consumers to withdraw consent and to ask to see what information organisations store about them. The GDPR aims to give people back their right to privacy in a digital environment. This means businesses need to change their privacy notices. All privacy notices accessed by consumers need updating to reflect the GDPR changes.
Penalties for non-compliance
Do not make the mistake of thinking SMEs are exempt from fines for non-compliance with the GDPR. No one is exempt. You could be up for up to €20,000,000 or 4 percent of your annual global turnover. The GDPR is serious about protecting consumers’ rights to privacy.
What do you need to do to prepare for the GDPR? Act now! Some businesses need to do a lot of work overhauling data collection and storage systems to be ready in time. Others only need minor changes to databases and consent forms.
Hire someone with the knowledge to look at your systems and processes to ensure you are ready for the GDPR in 2018.
Do not get caught out. Now is the time to act and prepare.