Here are answers to 10 key questions on GDPR.
GDPR - the EU General Data Protection Regulation - is coming. It promises to change the way you and your clients process personal data about customers. It will apply in all EU member states from 25 May 2018. And for the UK, it's unlikely Brexit will make any difference, as the UK government looks set to carry the regulation over into domestic law.
Companies that run afoul of the new rules could face a fine of up to 20 million euros or four percent of global annual turnover, whichever is higher.
Sounds a bit drastic, doesn’t it? Some companies, confused by the complexity of the GDPR legislation, are now panicking. This hasn’t been helped by a fair amount of doomsaying, especially from the legal community.
We take a different view. We believe there’s no need to panic. Instead, companies should think about the legislation this way: it merely codifies best practice around data privacy and security.
In other words, GDPR mandates measures that your customers (and you) should be putting in place anyway.
End users should be the focus of your attention - not the regulator. After all, if customers are happy with the way their data is used, they will not have any reason to consult the law.
As a valued service provider, this is where you can help guide your small business customers through their final preparations.
So what does best practice look like? And what action should your customers be taking?
To make things a little simpler, let’s answer ten key questions.
GDPR sets out six lawful bases on which a company may process personal data about its customers or users.
The most obvious is consent: the user says they are happy for the company to process their data. In a commercial scenario, a company will ask a customer for contact details so it can stay in touch. GDPR requires that consent be freely given, specific, informed and unambiguous - a clear affirmative action, not a pre-ticked box or a clause buried in a bundle of other terms and conditions - and that it be as easy to withdraw as it was to give.
The other lawful bases for holding data are: performing a contract with the individual; complying with a legal obligation; protecting someone's vital interests; carrying out a task in the public interest; and pursuing the company's legitimate interests, provided these are not overridden by the individual's rights and freedoms.
No! What matters is where the people whose data is processed are located, not where the company is based. GDPR protects individuals in the EU, so if your client is based outside Europe but offers goods or services to people here, or monitors their behaviour, it must comply with the rules (and will normally have to appoint a representative in the EU).
EU data protection authorities such as the UK's Information Commissioner's Office can take action against organizations wherever they are in the world if the data of people in their jurisdiction is at risk.
As a first step, your larger customers should work out whether they must appoint a data protection officer. GDPR requires one for public authorities and for organizations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of sensitive (special category) data; other organizations may appoint one voluntarily. The regulator will look to the DPO to ensure compliance and to put in place the right processes and protocols. Beyond that, only approved employees - those with a business need - should have access to customer data, and that access should be reviewed and revoked when the need ends.
GDPR demands high levels of security but is actually quite vague about specifics. It does not mandate particular measures. Instead, it says companies will be required to "ensure a level of security appropriate to the risk", listing pseudonymisation and encryption, the ability to restore data after an incident, and regular testing of security controls only as examples of what that might involve.
We recommend you talk to your customers about the security they currently have in place to protect data. It's also important they have the right systems in place to detect a breach, because notification deadlines start running from the moment they become aware of one. GDPR also requires companies to tell affected individuals when a breach is likely to result in a high risk to their rights and freedoms.
While it's critical to secure - and arguably encrypt - data both at rest and in transit, it's also important to make it available to users when they ask for it. Under GDPR, people can request to see their records at any time, have them corrected or deleted, or port them to a new provider, and a company generally has one month to respond. The regulation therefore says that companies should make sure they can transmit personal data in 'structured, commonly used and machine-readable formats'.
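As an added illustration of the three rights described above (access, erasure and portability), here is a small in-memory store that exports a subject's records as a structured JSON document, erases them idempotently, and keeps an audit trail that does not itself retain personal data. This is example code written for this page, not code from the original article or from any product; the record layout, the `example-subject-export/1` schema name and the sample records are assumptions for illustration.

```python
"""Added example (not from the original article): a minimal personal-data
store implementing subject access/portability (export) and erasure, with a
pseudonymised audit log. Record layout and schema name are assumptions."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample records, keyed by subject id. A real system would read
# these from a database; the fields are illustrative only.
SAMPLE_RECORDS = {
    "u-1001": [
        {"type": "profile", "name": "Ada", "email": "ada@example.com"},
        {"type": "order", "id": "o-1", "total_eur": 42.50},
    ],
    "u-1002": [
        {"type": "profile", "name": "Bob", "email": "bob@example.com"},
    ],
}

EXPORT_SCHEMA = "example-subject-export/1"  # assumed schema identifier


class PersonalDataStore:
    def __init__(self, records):
        # Copy the records so the caller's sample data is not mutated.
        self._records = {k: [dict(r) for r in v] for k, v in records.items()}
        self.audit_log = []

    @staticmethod
    def _pseudonym(subject_id):
        # The audit log must not leak personal data, so record a one-way
        # hash of the id. A keyed HMAC with a secret would be preferable in
        # production; plain SHA-256 keeps this example stdlib-only.
        return hashlib.sha256(subject_id.encode("utf-8")).hexdigest()[:16]

    def _log(self, action, subject_id, record_count):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "subject": self._pseudonym(subject_id),
            "record_count": record_count,
        })

    def count(self, subject_id):
        """Number of records currently held about the subject."""
        return len(self._records.get(subject_id, []))

    def export(self, subject_id):
        """Right of access / portability: everything held about the subject,
        as a JSON document (structured, commonly used, machine-readable)."""
        records = self._records.get(subject_id, [])
        doc = {
            "schema": EXPORT_SCHEMA,
            "subject_id": subject_id,
            "exported_at": datetime.now(timezone.utc).isoformat(),
            "records": records,
        }
        self._log("export", subject_id, len(records))
        return json.dumps(doc, indent=2, sort_keys=True)

    def erase(self, subject_id):
        """Right to erasure: delete every record for the subject and return
        how many were removed. Safe to call twice; the second call removes 0."""
        removed = len(self._records.pop(subject_id, []))
        self._log("erase", subject_id, removed)
        return removed


def demo():
    """Run the three operations on the constructed sample and return the
    results so they can be checked."""
    store = PersonalDataStore(SAMPLE_RECORDS)
    exported = json.loads(store.export("u-1001"))
    removed_first = store.erase("u-1001")
    removed_second = store.erase("u-1001")
    return {
        "exported_records": len(exported["records"]),
        "schema": exported["schema"],
        "removed_first": removed_first,
        "removed_second": removed_second,
        "remaining": store.count("u-1001"),
        "log_leaks_email": any("ada@example.com" in json.dumps(e)
                                for e in store.audit_log),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The export is deliberately a plain JSON document with a named schema version, so a receiving provider can parse it without knowing anything about the sender's database. Erasure returns a count rather than a boolean so that a second request can be honoured without error and the audit trail still shows what happened, and the trail records a hash rather than the subject id or e-mail, since otherwise the log itself would become another copy of the personal data the subject asked you to delete.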
The best way to ensure information is protected at all times is to use software designed with data protection in mind. GDPR requires 'data protection by design and by default' (often called 'privacy by design'), so that companies build in measures such as data minimisation and pseudonymisation from the start rather than making complex and time-consuming modifications later to achieve compliance.
The most important thing is to prepare ahead of time. GDPR requires organizations to carry out a data protection impact assessment (DPIA, still often called a privacy impact assessment) wherever processing is likely to pose a high risk to individuals. That basically means asking the question 'how might our customers/users be at risk if their data was misused by bad actors?' then writing down a common-sense approach to managing those risks.
Once an enterprise becomes aware of a personal data breach, it has 72 hours to notify the local data protection regulator, unless the breach is unlikely to put people at risk. Where the breach is likely to result in a high risk to the individuals affected, it must also tell them without undue delay. Oh, and all correspondence with users about their data must be in clear and plain language.
In a word: punitive. Regulators can levy fines of up to 20 million euros or four percent of global annual turnover, whichever is higher. In reality, we would hope that initially the regulator would be more likely to seek assurances that the company had a plan in place and is doing its level best to address any problems.
GDPR names two parties that come into contact with personal data: controllers and processors. The controller is the ‘senior’ party. It’s the one that decides what data to collect and what to do with it. The processor carries out a controller’s instructions.
Under the old regime (the 1995 Data Protection Directive), the controller carried almost all of the legal liability. Under GDPR, processors have direct obligations of their own - for example to keep records of processing, to secure the data and to report breaches to the controller - and can be fined and sued in their own right.
GDPR extends liability to all organizations that handle personal data. A controller may only use processors that give sufficient guarantees of compliance, and the relationship must be governed by a written contract setting out the processor's duties. If a third party with access to your customer's database is not compliant, then your customer is not compliant either. That means they should dust off those contracts and make sure their suppliers are part of the solution, not the problem.
Obviously, there is much more to GDPR than these ten points. But they’re a good example of how most of the rules simply reflect sensible business practice. If customers are happy then the regulator will be too.
If you suspect that your customers are not fully prepared, reassure them that they can achieve a lot with 12 simple and practical steps, as recommended by the UK ICO.