What is the GDPR & How does it affect Small to Medium Businesses?

What is GDPR?

GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679), a regulation adopted by the European Parliament on 14 April 2016. It repeals and replaces Directive 95/46/EC, the 1995 Data Protection Directive (implemented in the UK by the Data Protection Act 1998), which set the previous standards for the protection and handling of individuals' personal data in the EU. The old directive was not merely advisory: it was binding on member states, but as a directive it had to be transposed into separate national laws, which left each country free to implement it differently. The GDPR is a regulation and therefore applies directly in every member state, without national implementing legislation, and with one set of rules throughout the EU.

Why has General Data Protection Regulation been Passed by the EU?

GDPR was created mainly in response to growing concerns about the criminal exploitation of logged data and digital footprints (for example blackmail or coercion), the profiling of individuals by political, religious, or personal affiliation, the lack of oversight consumers and clients have over their own personal data, and lax security and privacy safeguards at major corporations and government bodies, particularly those engaged in mass data collection. It also replaces the 1995 directive (and the national laws that implemented it, such as the UK's 1998 Act) with a single standard that binds all EU data controllers and data processors directly. Under the regulation, a controller is the organisation that decides why and how personal data is processed, and a processor is an organisation that processes personal data on a controller's behalf (for example a hosting, payroll, or analytics provider). Both roles carry obligations, but the controller bears primary responsibility for compliance.

What will it do?

The primary aim of the GDPR is to secure a greater degree of data security and personal privacy for individuals in the EU. It applies to organisations established in the EU, and also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU. It requires that personal data held by businesses, governments, or non-profit organisations be protected to an appropriate standard, taking into account the risks of the processing. It also gives individuals greater informed consent and control over the treatment of their own data, and, under Article 25 ("data protection by design and by default", often called Privacy by Design), it requires controllers to build data protection into their systems and processes from the outset and to default to collecting and exposing only the data needed for each purpose.

What will this mean for Individual Data Protection Rights in the EU?

From 25 May 2018 the General Data Protection Regulation entitles every individual in the EU to obtain a copy of the personal data any organisation holds about them (free of charge, unless a request is manifestly unfounded or excessive) and to have that data deleted on request (subject to exceptions such as legal obligations, public interest, and freedom of expression). It is intended to set a single standard for all EU member states, because the industry expectations and laws that govern data protection throughout the EU have varied from country to country. For example, the regulation ensures that data collected on an individual living in France is not stored and used to different standards by a business operating from Spain.

How will the EU rules on Data Consent Change?

The regulation also strengthens "informed consent" when data collection is based on consent. Consent must be freely given, specific, informed, and unambiguous, and organisations must explain in more detail what they intend to do with the personal data entrusted to them; processing of sensitive (special-category) data, such as health or religious data, requires explicit consent. Individuals may withdraw consent at any time, and withdrawing must be as easy as giving it. Once consent is withdrawn, any processing that relied on it must stop and the data must be erased unless the organisation has another lawful basis for keeping it, with fines available where this is ignored. Any documentation on data storage or processing that is provided to your customers, clients, or users must be written in clear and plain language, free of anything that might confuse, be overly technical, deliberately mislead, or be difficult for the average reader to understand. Some organisations must also appoint a designated Data Protection Officer: public authorities, and organisations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special-category data. The Data Protection Officer advises the organisation, monitors its compliance, and acts as its point of contact for the supervisory authority.

How will this be Enforced?

The regulation gives national supervisory authorities the ability to impose substantially larger fines on organisations found to have failed to adequately safeguard personal data, to have unfairly exploited or misused it, to have breached the terms on which consent was given, or to have accidentally released it. Fines operate on a two-tier system based on the obligation breached. Breaches of obligations such as record-keeping, security measures, and breach notification can attract fines of up to 10,000,000 euros or 2% of the organisation's total worldwide annual turnover for the preceding financial year, whichever is higher. Breaches of the basic processing principles, the conditions for consent, individuals' rights, or the rules on international transfers can attract fines of up to 20,000,000 euros or 4% of total worldwide annual turnover, whichever is higher. Because the cap is the higher of the two figures, 20,000,000 euros is not an absolute ceiling: for a large company, 4% of turnover will exceed it.

What must be done in the Event of a hack or leak?

Legally, a data controller must notify the relevant supervisory authority of a personal data breach, whether accidental or malicious, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; if notification is late, the reasons for the delay must be given. Where the breach is likely to result in a high risk to the individuals concerned (for example, leaked credentials or financial data), the controller must also inform those individuals without undue delay. A data processor that discovers a breach must notify its controller without undue delay so that the controller can meet these deadlines.

When will Enforcement Start?

The GDPR entered into force in May 2016, and organisations were given two years to prepare; no enforcement action under the regulation could be taken during that period. From 25 May 2018 the regulation applies in full, under penalty of law, to every EU member state and to every public and private organisation established there, as well as to organisations elsewhere that fall within its territorial scope.

Is Britain Exempt, due to Brexit?

Brexit will not provide any exemption from the GDPR for the vast majority of organisations located within the United Kingdom.

The British government has indicated that it will carry the regulation's provisions into UK law (through the expected Great Repeal Bill and a new Data Protection Act), so the same standards will apply domestically after the UK leaves the EU. The measures themselves were agreed with the participation of British representatives before the referendum. As with organisations in any other non-EU country, British organisations will have to comply with the regulation if they offer goods or services to, or monitor the behaviour of, individuals in the EU. Processors outside the EU that merely store or host data for an EU controller (such as data storage companies) are also bound, because the controller must impose the regulation's obligations on them by contract under Article 28.

If you are still holding or using personal data on individuals in the EU after the deadline, and your organisation falls within the regulation's scope, it could be audited for non-compliance and fined, regardless of where it is based. 44% of UK businesses with EU ties were recently polled by Crown Records Management as (falsely) believing themselves exempt. Don't be one of them.

How will this Affect Small or Medium-Sized Businesses?

If you run a business, the most important approach to the regulation is one of common sense. It is a framework aimed at ensuring better practice rather than prescribing particular technology, so it should not require you to significantly change or replace your hardware or data collection methods. It may, however, require you to change how your organisation behaves: documenting what personal data you hold and why, telling your customers clearly how you plan to store and use it, keeping a record of the consent they have given, and offering them more interaction over their data. You should also make sure that you can locate, export, and easily destroy any and all of an individual customer's data on request, wherever it sits in your systems and backups.

What Risks could it pose to Businesses?

The main risk posed to small and medium businesses is punishment for non-compliance or poor execution in data processing or control, which could ultimately result in severe and damaging fines for each offence. Maintaining strict compliance on data protection and consent is the most important thing to consider here. If you are going to add a new data collection system, it is well worth designing it with GDPR compliance built in as policy from the start. This can save vast amounts of time later on systematic deletion and detailed documentation.

Likewise, a meticulous approach to server and data security will always be a good approach for a business to take, regardless of legislation. Data breaches and leaks are often embarrassing, costly to deal with, and can severely damage the reputation of a company. The regulation will force you to disclose a serious breach within 72 hours, and failing to do so is itself a breach that can be fined on top of the original failure. It is obviously best to avoid that scenario altogether, rather than risk taking a double hit on one setback.

Checklist

To ensure full compliance with EU regulation on data protection by 25 May 2018 your business should be able to:

  • Provide full and clear information to consumers that allow for full and informed consent for data processing and storage
  • Safeguard existing and any new data effectively to an industry-accepted standard of online and offline security
  • Provide a high degree of control over any stored data to individuals
  • Store no more sensitive data than is necessary to complete the data processing your customers have consented to and your business believes necessary
  • Provide a copy of stored data to consumers, and delete it, on request, whether it was gathered passively or initially provided by the individual
  • Offer a high degree of public transparency as to what your company actually does with the data it collects
  • Comply with all existing legal statutes for lawful data processing and third-party transfer and use of data
  • Have a designated Data Protection Officer for your business, if your processing activities require one
  • Be prepared to notify the supervisory authority within 72 hours, and affected individuals where the risk to them is high, in the event of a data breach or leak