The EU GDPR (General Data Protection Regulation) comes into force on 25th May 2018. Media reports seem to range from glaring inaccuracies to spurious and misleading sales techniques. There is also a fair amount of scaremongering! You can’t afford to ignore the new legislation, but there’s no need to panic just yet, provided you are considering your next steps and what your business needs to do before the deadline.
In this blog, we explore what GDPR is, what you should be considering right now and, if necessary, where to get help.
What is GDPR?
The way society uses the internet has changed dramatically over the years; people now rely on the internet to communicate and handle everyday tasks. From sending emails and paying bills, to working and shopping; most of these tasks are now done online.
These processes will usually involve sharing a great deal of personal information: contact details, bank details, sometimes even online behaviours and IP addresses. All this juicy information is collected and stored, but what happens to it next?
Companies which collect personal information say that it’s used to improve their service or customer experience; but how true is that? People are becoming much more privacy-conscious and would like to know, rightfully so, just how much of their information is collected and what is being done with it.
Enter the General Data Protection Regulation (GDPR), the new privacy regulation that will become enforceable in May 2018, and will change the way businesses collect, store and use customer data.
Who does it affect?
If your business processes personally identifiable information (PII) of EU residents, then GDPR most likely applies.
Even if your business is based outside the EU, if you process, store or transmit personal data of EU residents you will still be required to comply. It’s also worth noting that GDPR will become enforceable regardless of the outcome of Brexit.
As you can see, GDPR has a far-reaching effect and is likely to touch most businesses.
One of the most important distinctions your business needs to make is whether you are a data controller or a data processor:
- Data controllers (like ITGUY) use services to store data online on behalf of clients. For example, using a third party to store cloud backups for a client.
- Data processors would be the third-party company. Whilst the data controller has certain legal obligations, the processor is legally liable for any breach.
The Information Commissioner’s Office (ICO) explains the differences in greater detail here.
What should I do before the May deadline?
As the regulation is not yet “live”, there is no certificate or accreditation you can achieve. That doesn’t mean that there isn’t plenty to be done though! Being proactive in your approach and readying your business for the May deadline is important; it will ensure you don’t have masses of work to do right before the deadline or, worse, find yourself in a position where you could be liable for prosecution.
By now you should have completed, or be in the process of, a full review of all the data your business holds or processes. You need to review exactly what personal information you hold, how it’s collected, why you have it and how long you keep it for.
Remember, under GDPR, the definition of personal information will be much broader than it currently is. For instance, as of May, IP addresses will be classified as personal information.
A key area in your business which needs to take note of GDPR is your marketing department. Many business owners don’t know where their marketers obtain data from, or how they use it. Now is the time to become curious: learn how the changes will affect how your team works, what work needs carrying out before May, and who is doing the work. Digital Marketing Magazine published a useful article on what GDPR means for marketers.
Get help with GDPR
Some less than honest companies are responding to panicked business owners by offering nonsensical services, for example, certificates to prove that you’re compliant. There is NO certification scheme for GDPR (yet), so avoid anyone offering these services.
It’s important that you understand the regulation and what is required of your business. The ICO website can help you in two ways; they have a clear guide to GDPR and a 12 step checklist which you can follow to help prepare your business.
Another reliable source of learning is the Federation of Small Businesses.
Whilst a large part of preparing for GDPR compliance is an exercise in administration, there are very specific requirements that pertain to IT. If you don’t have the expertise within your business to proceed any further or are struggling to understand what you need to do, you may want to consider calling in expert help from an IT support specialist.
At ITGUY, we have fully embraced GDPR and taken several steps to ensure that not only is our own business ready for the deadline but that we are able to offer other businesses support and guidance too. You can read more about this in our GDPR Statement.
What happens if I don’t comply?
Now comes the scary part…
Failure to comply with the new GDPR legislation or evidence of gross data breaches could see you fined up to 4% of your company’s annual turnover or up to €20 million… and that’s just the monetary losses!
You must also think of your business reputation and loss of trust from your customers… could you afford that?
We’re here to help
If you’d like to discuss GDPR with ITGUY, please feel free to give us a call on 020 72 41 22 55 or fill out our contact form and we’ll quickly get back to you.