GDPR - the EU General Data Protection Regulation - is coming. It promises to change the way you and your clients process private customer data. It will apply in all EU member states from 25th May. And for the UK, it’s unlikely Brexit will make any difference as the UK government looks set to duplicate the regulation.
Companies that run afoul of the new rules could face a fine of up to 20 million euros or four percent of global turnover.
Sounds a bit drastic, doesn’t it? Some companies, confused by the complexity of the GDPR legislation, are now panicking. This hasn’t been helped by a fair amount of doomsaying, especially from the legal community.
We take a different view. We believe there’s no need to panic. Instead, companies should think about the legislation this way: it merely codifies best practice around data privacy and security.
In other words, GDPR mandates measures that your customers (and you) should be putting in place anyway.
End users should be the focus of your attention - not the regulator. After all, if customers are happy with the way their data is used, they will not have any reason to consult the law.
As a valued service provider to your small business customers, this is where you can help guide them through the final preparations.
That said, what does best practice look like? And what action should your customers be taking?
To make things a little simpler, let’s answer ten key questions.
1. When can enterprises legally hold on to personal data?
GDPR says there are six reasons why a company might reasonably expect to process data about its customers/users.
The most obvious is when a user says they’re happy for the company to do so. In a commercial scenario, a company will ask a customer to provide certain credentials so it can stay in touch. GDPR mandates that companies make sure consent is explicit, informed and not bundled within a bunch of other terms and conditions.
The other reasons to hold data include:
A contract with the individual: for example, an employee contract
A legal obligation
Vital interest: for example, when processing data is necessary for well-being
Legitimate interest: when there is an unavoidable reason to process personal data without consent
2. Is GDPR only for continental European companies?
No! GDPR applies to EU citizens, not the companies that process their data. So if your client is based outside Europe but has customers here, it must comply with the rules.
EU data protection authorities like the UK’s Information Commissioner’s Office can take action against organizations wherever they are in the world if British citizens are at risk.
3. Who can access personal data?
As a first step, your larger customers should appoint a data protection officer. The regulator will look to them to ensure compliance and put in place the right processes and protocols. Beyond that, only approved employees - those with a business need - should have access to customer data.
4. How should companies secure data?
GDPR demands high levels of security but is actually quite vague about specifics. It does not mandate particular measures. Instead, it says companies will be required to “ensure a level of security appropriate to the risk.”
We recommend you talk to your customers about the security they currently have in place to protect data. It’s also important they have the right systems in place to identify a breach. GDPR also requires that companies notify users in the event their data has been compromised.
5. What’s the best format for holding customer records?
While it’s critical to secure and, arguably, encrypt data both at rest and in transit, it’s also important to make it available to users when they ask for it. Under GDPR, people can request to see their records at any time, have them deleted or port them to a new provider. The regulation therefore says that companies should make sure they can transmit personal data in ‘structured, commonly used and machine-readable formats’.
6. What is “privacy by design” and what does it mean for me?
The best way to ensure information is protected at all times is to use software designed with data protection in mind. GDPR encourages enterprises to embrace ‘privacy by design’ so that they can process data without having to make complex and time-consuming modifications later to ensure compliance.
7. How should companies respond in a crisis?
The most important thing is to prepare ahead of time. GDPR calls for organizations to have a privacy impact assessment (PIA) in place. That basically means asking the question ‘how might our customers/users be at risk if their data was misused by bad actors?’ then writing down a common-sense approach to managing those risks.
Once an enterprise becomes aware of a data breach, it has 72 hours to notify both the local data protection regulator and any customers that have been affected. Oh, and all correspondence with users about data must be in plain English.
8. What are the penalties for non-compliance?
In a word: punitive. Regulators can levy fines of up to 20 million euros or four percent of global turnover. In reality, we would hope that initially the regulator would be more likely to seek assurances that the company had a plan in place and is doing its level best to address any problems.
9. What’s the deal with data ‘controllers’ and data ‘processors’?
GDPR names two parties that come into contact with personal data: controllers and processors. The controller is the ‘senior’ party. It’s the one that decides what data to collect and what to do with it. The processor carries out a controller’s instructions.
Under the old regime, the controller had most of the legal liability. Under GDPR, processors will also be held accountable for actions that affect personal data.
10. What about other companies in the ecosystem, like SaaS providers?
GDPR extends liability to all organizations that handle personal data. If a third party with access to your customer’s database is not compliant, then your customer is not compliant. That means they should dust off those contracts and make sure their suppliers are part of the solution, not the problem.
Obviously, there is much more to GDPR than these ten points. But they’re a good example of how most of the rules simply reflect sensible business practice. If customers are happy then the regulator will be too.
If you suspect that your customers are not fully prepared, reassure them that they can achieve a lot with 12 simple and practical steps, as recommended by the UK ICO.