The GDPR, or General Data Protection Regulation, comes into force on May 25th, 2018. It is the most extensive change to privacy legislation ever undertaken: a new set of laws safeguarding personal data. As a digital marketing agency, we understand the changes may be causing concern for many companies, so we are providing advice on the regulations.
Personal data is said to be the ‘world’s most valuable resource’. As such, there have been misuses of data – most notably Facebook and Cambridge Analytica – and questions regarding the safety of data, hence the introduction of the GDPR.
Who is affected by the GDPR legislation?
The GDPR data protection legislation does not only refer to companies based in Europe, but also international companies that work within the EU or sell to European ‘data subjects’ (consumers) located in the EU.
What are the GDPR non-compliance penalties?
The data protection legislation cannot be ignored, and the companies included in the above must comply. One of the major changes, replacing the Data Protection Directive, is the addition of GDPR penalties for non-compliant companies. It’s worth noting that the fines are severe for businesses, and are split into two categories:
- Violations of the core principles of the GDPR, relating to the rights of the data subject
- Violations of the supporting principles
Failing to comply with core legislation of the GDPR can see your company receiving a 4% fine on global turnover, or a penalty up to €20 million. If you were to violate the supporting terms, you could receive a fine up to half of the amount mentioned above. These fines are also not the only avenue the Data Protection Authority (DPA) can take against your company, on behalf of your data subjects.
Who are the people involved in the GDPR?
The Data Protection Authority is the official body your company must be aware of. The DPA will ensure that all companies are compliant with the data protection legislation, and will investigate incidents which suggest your company is not.
The Data Controller is the entity that decides how personal data is used and, subsequently, how it is processed. The Data Processor then processes the data on the controller’s behalf. A controller can also carry out the tasks of a processor itself.
Lastly, the Data Subject is the individual behind the personal data, and the critical aspect of the GDPR. The legislation was created to place control back in the hands of the consumer, and the subject can include customers or even employees of your company.
What can I do to become compliant?
We’ve put together a handy GDPR compliance checklist, if you will, that will help build a compliant company.
Start with a data protection leader
Appointing a data protection leader is the first step towards becoming compliant. The GDPR legislation has standardised data protection, but – in the words of HMRC – you cannot take a ‘one size fits all’ approach. The data protection leader will be responsible for ensuring you comply with the rules, and will provide ongoing advice on your data privacy functions. They can also handle any data subject access requests, and coordinate with the DPA should a data breach ever occur.
Ensure your vendors/suppliers comply
Your company has an obligation to ensure that all suppliers or trade vendors you share personal information with also abide by the GDPR. You may need to verify that they are following the data protection legislation, so it is crucial you choose the right suppliers. Ultimately, the GDPR places the responsibility for keeping personal data safe on the individual company, and you must maintain compliance.
As part of the GDPR, every company must understand the process of how data is collected, processed and, subsequently, used and for what purposes. As such, it is best to document the entire procedure.
Protecting user data
At the core of the GDPR is the importance of protecting personal data. The regulation sets out specific requirements for how you must safeguard information, as well as how you collect it and what it may be used for.
Breaches of data can happen, but you have a duty to disclose the data breach to the Supervisory Authority. You must do so immediately and, at the very latest, within 72 hours.
Data management requests
The GDPR aims to alleviate the worries consumers have regarding their data. As such, there are several data management requests all companies should be aware of and have provisions in place.
Right of consent
You must receive explicit consent to use a customer’s data, and outline the process of doing so. If a consumer does not provide your company with permission, you must not use their data.
Right of access
The data subject (or customer) has the right to ask for information on the use of their data, including why and where it is being processed, and other related information.
Right to be forgotten
The consumer can ask to be removed from your database and obtain the erasure of their personal data. You must do so without delay.
Right to portability
Essentially, this refers to exporting customer data to provide information to the consumer on the use of their personal data. Article 20 states: “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit the data to another controller.”
Right to object
The data subject can object to the use of their personal data, on their own particular grounds, at any time.
If you are still unsure of what the GDPR means for your business, you can find more information here.