Over the past few months, the subject of the EU’s General Data Protection Regulation (GDPR) has made its way into everyday business discussions, not just those of IT and security professionals. According to Google Trends, searches on this subject have increased by 100% in the last four months. Let’s take a closer look at the regulations.
The European General Data Protection Regulation (GDPR for short) is built around two key principles.
It’s important to bear in mind that the GDPR will apply to any business established in the EU and may apply to companies based outside of the EU that process the personal data of EU citizens in certain circumstances. See the GDPR checklist for information on what ‘personal data’ includes. Businesses whose activities involve ‘regular or systematic’ monitoring of data subjects on a large scale (in other words processing extensive personal information), or which involve processing large volumes of ‘special category data’ must employ a Data Protection Officer (DPO). Their role will be to ensure the company complies with the obligations under the GDPR. They’ll also be the contact for any data protection queries. The GDPR may apply to any business that processes the personal data of EU citizens, including those with fewer than 250 employees (contrary to common misunderstanding).
Individuals will have more rights on how businesses use their data. In some instances, they have the ‘right to be forgotten’ if they no longer want you to process their personal data and you have no other legal grounds (for example the individual is no longer a customer so your contract with them no longer gives you a legal right) to keep the data. Failure to comply will result in harsher penalties. Currently, the ICO can fine up to £500,000 but the GDPR will allow fines of up to €20 million or four per cent of annual turnover, whichever is higher.
Being a small business doesn’t mean you fall out of the GDPR scope. It’s recognised that small businesses have fewer resources and pose less of a risk to data protection, so the ICO may show more leniency in relation to any non-compliance. However, you’ll still want to ensure you’re compliant with the principles of the GDPR, because your business must still comply if it’s involved in regular processing (which includes collecting, storing and using) of personal data. It’s easier to follow the GDPR and get compliant than to spend time figuring out how you can avoid complying, especially if you’re working without legal guidance.
It’s also important to note that even if your company falls under one of the exemptions, if you’re contracting with a larger company that conducts large-scale processing you may also be subject to the harsher end of the GDPR’s regulation. The conditions for obtaining consent are stricter under GDPR requirements as the individual must have the right to withdraw consent at any time and there is a presumption that consent will not be valid unless separate consents are obtained for different processing activities. This means you have to be able to prove that the individual agreed to a certain action, to receive a newsletter for instance. It is not allowed to assume or add a disclaimer, and providing an opt-out option is not enough.
GDPR changes a lot of things for companies, such as the way your sales team prospects or the way that marketing activities are managed. Companies have had to review business processes, applications and forms to be compliant with email marketing best practices. In order to sign up for communications, prospects will have to fill out a form or tick a box and then confirm it was their action in a further email. Organizations must prove that consent was given in a case where an individual objects to receiving the communication. This means that any data held must have an audit trail that is time-stamped and includes reporting information that details what the contact opted into and how.
If you purchase marketing lists, you are still responsible for getting the proper consent information, even if a vendor or outsourced partner was responsible for gathering the data. The simplest and most obvious answer to the question of how to avoid GDPR fines is to make sure that you are as GDPR compliant as possible and can demonstrate that you have done all you could in a prioritized way. That means taking into account all aspects of the GDPR, the risks from the data subject’s perspective, the different types of personal data, and the data flows and processing in your organization and its ecosystem of partners, along with the major rules of the GDPR such as consent and the other principles of the lawfulness of processing personal data. Similar to how the GDPR will affect EU businesses, the impact of the GDPR on American companies will mostly be in marketing, specifically marketing on digital platforms. The GDPR introduces very stringent rules regarding the collection of data from subjects and the archiving of these data, and these new rules will definitely shake things up in the way most businesses do digital marketing.
What about startups?
Many start-ups and tech businesses are SMEs with a small number of workers that does not exceed the GDPR threshold. Nonetheless, if processing data is a core activity, the start-up must appoint a DPO, for example an existing member of staff, as long as there is no conflict of interest with his/her current role. It is important to identify the specific privacy risks to which the organisation is exposed and how these risks can be mitigated or avoided. Organisations will be required to carry out data protection impact assessments (DPIAs) if their proposed activities are likely to result in a high risk to the rights and freedoms of individuals, in particular through the use of new technologies and in cases of profiling.
The new GDPR strives for simplification: it is sufficient for companies to be registered in the Member State of establishment. This means that they will have to interact only with the data protection authority of the Member State chosen as their State of main establishment. In addition, while the GDPR does not provide for full harmonisation, it nonetheless creates a more consistent approach across the EU, reducing uncertainty and eliminating the need to comply with different national rules. The principles underpinning the GDPR will be applied and enforced consistently throughout the EU. For organisations which are naturally prone to innovation, concepts such as privacy by design, profiling and data portability provide the opportunity not only to innovate, but also to build customers’ trust and confidence. The ultimate purpose of the GDPR is to protect the data subject as well as to increase their trust in the companies complying with the EU rules. These rules grant a higher level of protection compared to other jurisdictions. Ultimately, this can result in a competitive advantage for EU companies.
Disclaimer: this article contains only some general information about GDPR. In order to make sure that your business is GDPR compliant, you should get professional assistance of a lawyer.