For small and medium-sized enterprises (SMEs), it’s especially important to ensure all necessary laws and regulations are followed so the business can continue to operate and grow without interference. One such piece of recently-introduced legislation is the GDPR, which is considerable in its impact and may be complicated to get started with. Of course, for businesses with limited time to spare, it may be a good idea to hire a team of experts in GDPR compliancy, who are familiar with the related rules and regulations, and can advise on the best ways to implement GDPR solutions seamlessly into your business operations.
What is GDPR?
The GDPR is legislation for the European Union that came into force in May 2018. GDPR stands for General Data Protection Regulation, and as the name suggests, it is designed to standardise the laws of data privacy across EU member states and protect EU citizens from the dangers of poorly protected data.
Why become GDPR compliant?
For those that are subject to the GDPR, failure to comply may result in fines of up to 4% of annual turnover or €20 million, whichever is greater. Both Ticketmaster and British Airways are facing fines under the GDPR as a result of data breaches in 2018, due to lateness of informing customers and failure to report a breach respectively.
These kinds of breaches will lead to damaged reputations and the loss of trust from customers or clients. But more than just avoiding prosecution and maintaining a wholesome public image, following the new regulations can lead to a much safer and more efficient business practice as the risk and potential damage caused by cyber attacks can be minimised.
Who needs to know about the GDPR?
The regulations apply to companies that are processing the personal data of individuals who live in the EU, wherever the company may be based. It also applies when a third party processor, such as a cloud services provided, comes between the subject and the company, regardless of where the third party is based. This means that although the regulations are for EU citizens alone, they will have a much wider global impact.
Though it is leaving the EU, the UK is currently subject to the GDPR, and also the Data Protection Act 2018, which complements the GDPR. The exact agreement between the UK and the EU regarding data protection laws has not been finalised, but both pieces of legislation are in place. The GDPR leaves some more specific rules of implementation for each member state to decide upon, and this is addressed by the Data Protection Act 2018 for the UK.
Steps to take to become GDPR compliant
A start can be to document the flow of data in your organisation. Through data mapping, it may be possible to identify weaknesses in your operations and the areas where you may be failing to be GDPR compliant. For this, a GDPR data map template can be used.
Take an approach of prevention rather than responding to attacks when they happen. Data breaches can be hugely damaging and the seriousness of the GDPR penalties show that everything must be done to secure sensitive data. This means that monitoring and detecting potential breaches before they happen is imperative.
To reflect the necessary changes in business practices that the GDPR represents, training must be offered to staff members to ensure they are familiar with the basic principles of the regulations, the importance of data protection and the changes to procedures.
Companies should assess and update their privacy policy to ensure that it is GDPR compliant. Every way in which data is dealt with must be communicated to customers in a way that is easy to understand.
It is important to understand exactly what the GDPR means and how far it extends. There are usually two responsible parties: the data controller, who directs how the data is collected, and the data processor, who collect or process the data. All data that is personal is regulated, and this can be anything from an email address to a social media post.
There are many general practices that can improve data protection and help with becoming GDPR compliant, but are not compulsory. These include adjusting the use of opt-in forms and cookie consent on company websites so that they follow the regulations and are not at risk of data leakage. Using encryption on all data is another practice that is not mandatory under the regulations, but is a sensible precaution to take.
As demonstrated by the case of the British Airways, it is essential to report data breaches as soon as possible or it could result in a large fine.
With the new data protection laws, as well as the heavy fines and penalties, the European Union is showing that it’s serious about data protection. Though it’s only enforced where the data of EU citizens is concerned, international organisations and those that are open to business from customers from around the world will need to be GDPR compliant. While this may be disruptive and costly for some, in the bigger picture the adjustments of practices and tightening of security will lead to a safer and more secure world.
