The General Data Protection Regulation (GDPR) is the biggest change in data protection laws for 20 years, and when it comes into effect on May 25th, 2018, it intends to give European citizens back control over their personal data.
Businesses are collecting more personal data than ever before. But with the GDPR policy coming into effect next year, are small businesses ready to make changes to how they collect, store and use their data? Could your business take a £310,000 financial hit? Sounds painful, right? That figure is the average maximum cost of a data breach, up from £115,000 in 2014.
What is the General Data Protection Regulation Law?
It is a new set of rules governing the privacy and security of personal data laid down by the European Commission. The new single data protection act will make major changes to all of Europe’s privacy laws and will replace the outdated Data Protection Directive from 1995.
The collection and use of personal data has been growing rapidly. Websites, apps, devices – everything we use creates data which is all going somewhere. And a lot of the time people don’t know where or for what reason, leaving a lot of customers unhappy. That’s where the General Data Protection Regulation (GDPR) comes in. It is a new set of rules governing how businesses collect, use and share data from EU citizens and people within the EU.
This doesn’t just mean businesses within the EU, but any business globally that does business inside the EU.
Its impact won’t just be felt in Europe though, as it will have wider implications for companies across the world that hold data on the continent. While great news for individuals, it presents complex problems for companies.
Why is there a new law?
The new regulations have been changed to ensure personal data and the rightful owners of the information have power over how their data is processed and used.
Under the new rules, individuals have more of a legal “right to be forgotten”, which means they will be able to ask that businesses delete their personal data where it is no longer necessary or accurate. Individuals can do this now, but the new rules mean that there will be more of a consequence. However, that’s not the only reason: one of the main intentions is to simplify the regulatory environment.
But there is a huge grey area about how it will apply in real life. The laws mean that in theory people could ask social networks like Facebook to delete their profiles entirely. Laws relating to freedom of expression will stop “the right to be forgotten” extending to news articles.
But there is the potential for individuals to transfer their data from one service to another more easily – which is great news for consumers, making it simpler to swap utilities, insurance or ISPs.
Cybercrime – will it really affect my business?
Rising levels of cybercrime are also a crucial factor in the quest for data compliance. The storing aspect of GDPR refers to how businesses keep customer data safe – if there’s a breach and customer data is compromised and you aren’t compliant then there will be fines to pay.
Some SMEs assume that because they’re smaller in headcount and profit margin relative to multinationals, they’re not on the radar of hackers. This couldn’t be further from the truth. If you’re not investing in security, training and data compliance, and in teaching staff how to work securely, then you’re an easy target. In other words, you might not have the same potential value to a hacker, but you might be a lot easier to hack.
Studies from the Federation of Small Businesses (FSB) show that 66% of small businesses have been a victim of cybercrime. Shockingly, a small business will be a victim of four cybercrimes every two years. The amount lost totals billions.
Tell me about the fines and penalties!
Importantly, small businesses will be hit by the same fines and penalties under GDPR as larger ones. Once GDPR comes into force on 25th May 2018, you could be fined up to €10 million (£7.9 million) or 2% of your global turnover (whichever is greater) for lesser breaches. For more severe breaches, it is €20 million or 4% of your turnover, whichever is greater.
Add this fine to the cost of the time your business is out of operation post-breach, to loss of earnings, loss of reputation and loss of customers, and most businesses would be out of action in one fell swoop.
But don’t forget that while data security is a large part of GDPR, at its core, this regulation is about the correct use of data.
The next steps
Don’t delay your preparation. It’s essential that you don’t stand still. GDPR isn’t waiting for anyone, so the longer you take preparing and thinking about resources, the longer it will be before you are in a better position.
Involve your whole business. Stats from PwC have revealed that 30% of small businesses suffer breaches due to the actions of their staff. Educate people at every level of the business and help them understand why their section of the business is being involved.
Auditing is essential.
Undertake a discovery exercise to find out where a data audit could help your business. Start by defining exactly what counts as personal data. Currently, that’s any data that can be used to identify a person, such as HR records, customer lists and contact details.
Marketing departments, for example, may be using platforms like Dropbox, Evernote, Zoho or Slack, each of which contains its own ecosystem of personal data. The audit should cover everything from the data you already hold to how you collect and use data going forward. The customer experience needs to be first and foremost in their minds.
The new regulations will also include genetic, mental, cultural, economic and social information as well. You need to understand exactly what information you hold, which could be anything from old emails to data lists or cookies. You also need to know where it’s held, whether you have permission to hold it and what processes are involved in the procurement and security. This also includes the personal data you collect, hold and process from business partners.
Don’t get greedy. If you don’t need data, then get rid of it. Don’t hold anything you don’t use or that is out of date. Saving data for a rainy day doesn’t help anyone, least of all your business, so if you don’t have a specific purpose for it, it’s time for a clear out.
And don’t assume you have a right to the data you need. There are guidelines appearing for what is and isn’t possible in a post-GDPR world. Make sure you understand the nuances of the regulation, such as being able to provide justification and permission for customer records where that is required. The right to be forgotten enables an individual to request the deletion or removal of personal data when a business holds no compelling reason to hold it.
The future
It’s easy to see GDPR as an insurmountable problem. A better way of looking at it is to see it as a chance to do better by your customers and make your business more secure, resilient and agile than ever before.
Crucially this will impact the way businesses do digital marketing. By being more transparent with customers and acknowledging that the power balance has shifted, you’ll be able to become a business that customers want to engage with. It’s going to be a time of getting to know your customers better by gaining their trust and consent.
In summary, GDPR is coming. It’s time to do the best by your business and your customers and step up to the task of being compliant. You’ll be in a better position to meet the opportunities and challenges it brings.
What should businesses be aware of?
The Information Commissioner’s Office in the UK recently released a set of guidelines to help businesses prepare for GDPR. It also recommends that companies review privacy notices and ensure there is a plan in place that allows them to make any necessary changes to comply with GDPR.
However, it’s potentially not too scary, as the ICO insists the new measures will contain many of the same principles and concepts as the current Data Protection Act.
This means that companies already successfully abiding by the 1995 legislation will probably be covered.
But there are predictions businesses will go on recruitment drives for data protection officers – to ensure they’ve got the right personnel in place.
Cyber crime breakfast seminar!!
Visit us at Hickory’s Smokehouse and find out a little more about GDPR and cyber security. We’ll talk through some practical hints and tips for you to ensure your business is compliant and safe.