The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.
I have had a couple of conversations with data professionals but since we are not lawyers the common theme when talking about GDPR appears to be the fact that we know just enough to help us stay out of trouble.
One conversation was particularly interesting though. I had a short chat with one of my lecturers, here, at Stirling University, and he suggested that I think of data as an individual economic market. Businesses have to remember that data is a currency. Smart businesses such as Google and Facebook are using it daily. When you use Google Maps for example, you are using it for “free” but what we don’t usually associate it with is that we pay with our location data. This data can be used by Google to sell targeted ads to advertisers and more.
Since data is and can be used as an individual economic market place, it is fair to say that the EU new data protection regulations are not too strict, they have to come in place for everyone’s protection. Of-course, that means that businesses have an extra work to do and it won’t be cheap, but it is fair and necessary.
Also, you can be “smart” about it. Data creates market opportunities for you as well. That means that you, as a business, can use data to make more money and balance the efforts and money you have to invest to make sure that you use data responsibly.
Let’s have a look into the 3 Key points I think you need to think about to make sure your business complies with the GDPR.
3 Key Points:
Increased Territorial Scope (extra-territorial applicability)
Even if you are not an EU business, if you are not based in the EU, and if you are not processing EU citizen data in the EU it doesn’t matter! As long as you process EU citizens’ data GDPR affects you! If you offer services paid or not, you are still responsible for the data of your EU customers.
Penalties
Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
A company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors -- meaning 'clouds' will not be exempt from GDPR enforcement.
Based on my intuition, the key-phrase for small businesses here is the impact assessment. Generally a small business doesn’t process large amounts of data since they don’t have the expertise to do so. You’re required to undergo impact assessment when you are processing customer data systematically and extensively but if you are not doing that you still need to keep in mind that there is another key-activity that requires you to have an impact assessment and this is the use of CCTVs. Check this website for more on impact assessment: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/
Consent
When you ask for consent it needs to be straight forward and plain language.
These are the three main key-points you have to keep in mind for GDPR. Find out more details on the official GDPR website here: https://www.eugdpr.org/the-regulation.html and please make sure you prepare your impact assessment before the 25th of May 2018 to be sure you’re avoiding fines, audits, and investigations.
Keep in mind that the GDPR doesn’t only require businesses to publish how they use customer personal data and what data they collect but it goes a step further, providing citizens with a lot of personal rights on their data such as the right to access and the right to be forgotten. This episode is to help busi