You may have been living under a rock for the past 6 months or you may have simply been super busy being fantabulous at your job…in which case you may not have heard a single thing about GDPR and be thinking, ‘Nah, I won’t bother reading that blog as it’s got nothing to do with me!’. You’d be wrong.
Most people have heard of Data Protection rules and know the gist of them; however, with everything these days being online and/or in the cloud, the existing Data Protection regulations aren’t quite cutting it.
What does GDPR stand for?
GDPR stands for General Data Protection Regulation, a new law resulting from a collaboration of the European Parliament, the Council of the EU and the European Commission. The law was adopted in April 2016 and comes into force on 25th May 2018. It is a regulation, NOT a directive, so it is directly BINDING and APPLICABLE in every member state without needing separate national legislation, and before I hear the cries of ‘ah but the UK will be leaving the EU, we’ll be fine!’, the UK will be covered by this law regardless. Any foreign company processing the data of residents of any country within the EEA is also affected, as it will have to conform to the regulation. The intent is to create a clearer legal environment, strengthening and unifying data protection and giving control back to citizens of the EU.
How GDPR applies to you
You will need to comply with GDPR for the following:
Storage of client documents:
- Where are they being kept? If they are on a server somewhere, what protection is there? If they are on paper, do you follow the proper procedures for the disposal of personal data?
Visitors to your website:
- If people from the EU visit your website then you hold their IP addresses and more, and an IP address counts as personal data under GDPR
Stored client data:
- Maybe you have client data in a spreadsheet or accounting package, or on a pen drive, external hard drive or old PC
Social Media Management/Mailers/Newsletters:
- If you have collected email addresses for the above where is the information kept?
Please note that both you (as the data controller) and anyone who processes data on your behalf (a data processor) are liable for complying with GDPR, so if you outsource, make sure the company you outsource to is compliant and that a written contract sets out its obligations. However, it is the responsibility of the board of directors of a company to ensure that the business as a whole is complying and, in certain cases, to appoint a Data Protection Officer to ensure this.
If someone complains you can be investigated and fined, and the maximum penalty is 20 million euros or 4% of the company’s global annual turnover, whichever is higher. Yes, you read that right.
So what do I need to do?
- Seek advice from a legal team specialising in GDPR to carry out a data audit and suggest solutions
- Ensure all campaigns, mailers and newsletters have a double opt-in (GDPR does not mandate double opt-in as such, but it is the simplest way to evidence the freely given, unambiguous consent it does require)
- Check that any cloud-based services you use are GDPR compliant and where they store your data
- Register with the ICO if you are in the UK, which costs £35.00.
If the GDPR applies to your organization – and it probably does if you collect any sort of information about anyone who resides anywhere within the EU – you can’t afford to ignore it. Hefty fines, while not automatic, are a possible consequence. But don’t panic; the GDPR isn’t quite as scary as you might have thought. Its purpose is to protect the privacy of personal data, not to hand out harsh punishment to companies that are making an honest effort to comply.