The GDPR penalty is seriously stiff.
However, though it has ruffled feathers across the continent, the European General Data Protection Regulation (GDPR) is not landmark legislation.
Rather, GDPR refines and expands the existing data protection regime, the 1995 EU Data Protection Directive, which the UK implemented as the Data Protection Act 1998.
In general, GDPR limits what personal data companies are allowed to collect, store, and process, and for what purposes. But GDPR also includes big changes for how some small businesses operate, which may prove confusing.
Unfortunately, in the eyes of the law, confusion is no excuse for not following GDPR rules.
Moreover, among the most significant changes put forward by GDPR are those to do with enforcement. In Europe, violations of data protection law now mean gargantuan fines: up to €20,000,000 (or 4 percent of annual global turnover, whichever is higher).
If you own a business, and you want to avoid hair-yanking cybersecurity hassles and pricey penalties, here’s a simplified guide to the new data protection laws, and an explanation of how they impact you:
1. The GDPR penalty will still affect British business practices post-Brexit.
In roughly a year and a half, the UK will leave the EU. But GDPR takes effect on 25 May 2018, months before Brexit is (supposed to be) made official.
To ease this awkward transition, the British government published an outline of its new UK Data Protection Bill earlier this month. This is mirror legislation: the GDPR data protection rules will be written into British law, so that GDPR will essentially remain in effect after EU regulations no longer apply.
Predictably, Europe has remained frosty on this subject.
EU officials haven’t promised to recognize British data protection laws as ‘adequate’ post-Brexit. But the UK Data Protection Bill follows GDPR to the letter, and, as a small business owner, you should treat the two as the same in terms of scope and authority (though the UK Data Protection Bill includes some minor protections not in GDPR).
2. If you store personal data about individuals, you must protect it, or risk many millions of pounds in fines.
Under GDPR, fines for data breaches are far more severe: in some cases, up to 79 times higher than those imposed last year.
In 2016, for example, the telecommunications company TalkTalk was fined £400,000 by the ICO when an easily preventable hack placed thousands of its customers at financial risk. That was close to the £500,000 maximum the ICO can currently impose.
Had the same thing happened under GDPR rules, TalkTalk could have faced a fine of up to £59 million.
3. You may need to hire a Data Protection Officer.
If your core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data (such as health or ethnic origin), or if you are a public authority, you must appoint a Data Protection Officer (DPO). The 250-employee figure that is often quoted belongs to GDPR’s record-keeping exemption, not to the DPO requirement, so a small company that profiles its users at scale still needs one.
Not having a DPO when one is legally required means fines; not having one also means your data is more likely to be processed incorrectly, which means fines; and without a DPO working to safeguard your data, a breach is more likely, which means fines, and so on.
GDPR applies to any company that processes personal data, from insurance companies managing policy offerings to advertisers using data to target marketing campaigns, and everything in between.
If serious data collection is something your business does at any scale, you’re most likely going to need a DPO to operate in Europe, either in-house or retained by contract (a DPO need not be a full-time hire, and one DPO can serve several small businesses).
4. Anyone can now demand to see any data about them, free of charge.
While the current law allows companies holding data about an individual to charge that person £10 to see it, you must now respond to these requests free of charge and within one month (extendable by two further months for complex requests). A fee may be charged only when a request is manifestly unfounded or excessive, such as repeated demands for the same copy.
If you collect customer data, you need to be willing and able to handle these requests, called Subject Access Requests (SARs), promptly.
5. You must delete customer data upon request.
These changes also include an elaboration of the EU ‘Right to be Forgotten,’ now the right to erasure. Social media platforms such as Twitter and Facebook must delete personal data upon request when there is no longer a lawful reason to keep it. (At present, even if you delete your Facebook account, the company may still retain your information on its servers.)
But the same rule applies to any business that relies on data collection, from tech start-ups to Rolls Royce. If customers ask you to delete the information you have about them on file, you must do so, unless you have an overriding reason to keep it, such as a statutory retention requirement for accounting records, in which case you must tell them why.
Ensuring you have procedures in place for this before 25 May 2018 is crucial.
6. You can no longer automatically sign customers up for emails — or for anything else.
Under the current law, you can collect data about a person with his or her consent, defined as a freely given, specific, and informed indication of their wishes. In practice this has been interpreted to permit a pre-ticked box that says something like, “Yes, I would like to receive as many emails from you as possible.”
Unless you consciously opt out of this agreement (read: un-tick the box), a company may legally assume your consent. Under the new data protection laws, this is no longer the case.
To get permission to store data about a customer under GDPR, the request must be stated clearly, and consent must be granted by a ‘clear affirmative action,’ a positive opt-in. Pre-ticked boxes, silence, and inactivity no longer count: the person must actively agree, for each purpose separately, after being given a clear and complete explanation of how you’ll use their data. You must also be able to show later that consent was given, and withdrawing it must be as easy as giving it.
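What the positive opt-in means for a sign-up form, in code. This is an added example, not code from the original article or from any of the companies it mentions; the purpose names, the wording strings, the privacy-notice version and the `consent_` field-name convention are assumptions made for illustration. The point it shows is that consent has to fail closed: the box is rendered unticked, a field the browser did not send is treated as a refusal, a single “accept everything” field is rejected because consent must be specific to each purpose, and the record keeps what the person was told and when, so that consent can be demonstrated and withdrawn later.

```python
"""Consent capture that fails closed, as GDPR's 'positive opt-in' requires."""
from dataclasses import dataclass
from datetime import datetime, timezone
from html import escape
from typing import Dict, Mapping, Optional

# Purposes the form asks about, with the exact wording shown to the user.
# Constructed for this example: a real site would version these centrally.
PURPOSES: Dict[str, str] = {
    "marketing_email": "Send me product news and offers by email.",
    "share_with_partners": "Share my details with selected partners.",
}
# Assumed identifier for the privacy notice text the user saw when consenting.
PRIVACY_NOTICE_VERSION = "2018-05-v1"

# What browsers send for a ticked box. Anything else, including a missing
# field (browsers omit unticked checkboxes entirely), means no consent.
AFFIRMATIVE = {"on", "true", "yes", "1"}


@dataclass
class ConsentRecord:
    purpose: str
    wording: str            # the sentence the person actually agreed to
    notice_version: str     # which privacy notice they were shown
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


def render_checkbox(purpose: str) -> str:
    """HTML for one opt-in box: never emits a `checked` attribute."""
    name = f"consent_{purpose}"
    return (f'<label><input type="checkbox" name="{name}" value="on"> '
            f'{escape(PURPOSES[purpose])}</label>')


def parse_consent(form: Mapping[str, str],
                  now: Optional[datetime] = None) -> Dict[str, ConsentRecord]:
    """Turn a submitted form (name -> value, e.g. Flask's request.form) into
    one ConsentRecord per purpose the person affirmatively ticked.

    Missing or non-affirmative fields are treated as refusal. A catch-all
    'consent_all' field is rejected outright: consent must be specific to
    each purpose, so the form must not bundle them."""
    if "consent_all" in form:
        raise ValueError("bundled consent is not specific; ask per purpose")
    now = now or datetime.now(timezone.utc)
    given: Dict[str, ConsentRecord] = {}
    for purpose, wording in PURPOSES.items():
        value = form.get(f"consent_{purpose}", "")
        if value.strip().lower() in AFFIRMATIVE:
            given[purpose] = ConsentRecord(purpose, wording,
                                           PRIVACY_NOTICE_VERSION, now)
    return given


def withdraw(records: Dict[str, ConsentRecord], purpose: str,
             now: Optional[datetime] = None) -> bool:
    """Withdraw consent for one purpose (a single click, as easy as giving it).
    Returns True if an active consent was withdrawn."""
    rec = records.get(purpose)
    if rec is None or not rec.active:
        return False
    rec.withdrawn_at = now or datetime.now(timezone.utc)
    return True


def may_process(records: Mapping[str, ConsentRecord], purpose: str) -> bool:
    """The only question the rest of the application should ask."""
    rec = records.get(purpose)
    return rec is not None and rec.active


if __name__ == "__main__":
    # Constructed submissions: an empty form, then one with only marketing ticked.
    print(render_checkbox("marketing_email"))
    print(may_process(parse_consent({}), "marketing_email"))   # False
    recs = parse_consent({"consent_marketing_email": "on"})
    print(may_process(recs, "marketing_email"))                # True
    withdraw(recs, "marketing_email")
    print(may_process(recs, "marketing_email"))                # False
```

The design choice worth copying is that nothing downstream reads the raw form field: every mailing or data-sharing job asks `may_process` for its own purpose, so a withdrawal takes effect everywhere at once, and the stored wording and notice version are what you would produce if asked to show that consent was valid.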
7. The law now protects much more customer information.
The area of the law describing what data is personal and protected is broad, probably by design. Personal data now explicitly includes online identifiers such as your IP address and cookie IDs, while details such as ethnic background and health issues form ‘special categories’ of data that attract stricter rules.
Essentially, if you as a company store any details about anyone, and this information might be harmful in the wrong hands, then you must guard that data with the appropriate measures, and remove it from storage upon request.
Remember: if you have no lawful basis for holding personal data, such as valid consent, a contract with the person, or a legal obligation, then it’s unlawful for you to have it.
8. You must report data breaches to the proper authorities within 72 hours.
If hackers break into your servers and pilfer personal data, or personal data is otherwise lost or exposed, you must report this to the supervisory authority (in the UK, the Information Commissioner’s Office) within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people affected. Where the risk to them is high, you must also tell those individuals without undue delay. To this end, having a DPO is useful, as they’ll be trained in handling security breaches and know the proper channels to report them.
9. Speak to a qualified legal professional before May 2018.
If your business is already regulated by an organization such as the Financial Conduct Authority (FCA), you may not have to do much in order to implement GDPR, as some industries are already bound to similar data protection requirements.
But if you’re just starting a business, or otherwise don’t have meaningful cybersecurity, you’ll have a lot to do before your SME safely complies with these new laws.
You now know what to expect, what sorts of questions to ask, and how to begin preparation. When in doubt, consult a qualified legal professional. It’s worth hiring one to make sure you aren’t in violation of these new regulations.
10. There’s no reason to panic. But now is the time to comply.
Your business can remain data-driven, but the onus is on you to collect information legally and protect it tenaciously.
Shielding customers from potential harm is important, as is respecting their privacy.
Soon, the GDPR penalties for failing to do so will be stiff enough to sink your business altogether.