On 25 May a major shakeup is happening in European data protection rules. The General Data Protection Regulation (GDPR) will come into force, replacing the current directive which dates back to the nineties, and will be passed into the laws of EU member states.
The whole business community seems to be talking about GDPR, not just in Europe, so you might be wondering if the change affects your business, especially if you only have a small business, or are not based in an EU country. This blog post will answer that question.
Almost certainly. Yes.
Oh, I see you’d like some more detail. Ok then, here we go.
Does this affect you?
GDPR is a European regulation, but it has international reach. The rules will be applied to any organisation that holds data on EU citizens, even if it is not EU based. This means that wherever in the world you are, if you sell products or services into Europe, or employ Europeans, you will need to follow the rules. If you need some inspiration to comply with the new rules, maximum fines for breaches of €20 million, or 4% of your global turnover, whichever is higher, should focus your attention.
Time for change
There is another reason to pay attention to GDPR, one that applies even if you never hold data on Europeans. These rules represent the cutting edge of data protection. The Data Protection Directive, which GDPR replaces, was written in the 1990s, as were most similar data protection laws around the world. When the old rules were written the internet barely existed; the founders of Facebook were still in high school; Twitter was a noise made by small birds; the idea of connecting your boiler or your car to an online network was the realm of Arthur C. Clarke. As GDPR is the first comprehensive data protection rule set of the big data era, regulators around the world will probably look to adopt much of its approach, if not its exact rules.
Beyond fear of fines, a third reason to pay attention to GDPR is that in many ways it represents best practice. If you care about your staff and customers, or at least about your reputation, the approach taken by GDPR will help you to protect them in an age of ransomware and high-profile hacks.
What should you do first?
So if GDPR applies to you, what do you need to do? There are a variety of rules that will apply only to specific areas or data types. At the core there are two key things we would advise you to start with:
1) Calm Down
A lot of the reporting and blogging online around GDPR can give you the idea that the world is about to end. We’ve been a little guilty of it in this post. It’s hard to blame us though, that whopping fine really makes a spectacular story, especially given that it would have seen Uber fined €52.7 million (4% of global turnover) for not reporting a data breach last year.
In reality, however, it is very unlikely that regulators will be roaming around handing out eight-figure penalties. Britain’s Information Commissioner’s Office has had the power to levy fines of £500,000 for the past two decades. The closest it has come was a £400,000 fine to electronics retailer Carphone Warehouse in 2017. Indeed, a senior ICO official recently blogged that fines will be reserved for organisations that do not make an effort to comply, or to fix shortcomings when they are brought to their attention.
2) Find out what you need to do.
Changes will need to be made in the way you gather, process and store data under GDPR. Be aware that a lot of the advisory articles on the internet are penned by companies looking to sell you GDPR compliance services.
Some businesses may need to hire a professional, but start by seeing what it is you actually need to do.
Britain’s ICO has published free checklists aimed at SMEs, which will help you to gauge the size of your task. You might be surprised to find how much of it you can easily take care of yourself.
There will obviously be more that you need to do to prepare for 25 May. Approach the task calmly and use a checklist from a regulator (who, after all, knows what the rules are). This will make the whole process a lot less daunting.
If you want to know more, the ICO website is a good resource for furthering your knowledge.
This is the first in a three-part mini-series on GDPR and what it means for business owners and managers.