GDPR, the EU’s General Data Protection Regulation, may well be one of the most far-reaching pieces of legislation protecting consumer and privacy rights ever enacted.
It is a recognition that the means of generating data and information about people have multiplied to such an extent that regulators need to step in and require companies that hold, or help to generate, that information to treat it with respect.
It also gives people significantly stronger rights over the information held about them. They can demand to see what is being held, in a format that makes sense, and they can invoke the right to be forgotten and have that data deleted.
Law in the EU
To be fair, while the GDPR applies from 25 May 2018 and, like all laws, will be open to interpretation that is sorted out in the courts, it is well thought out and takes into account the relative burden on companies large and small.
The GDPR acknowledges that SMEs are different from large corporations and public bodies. Those with fewer than 250 employees (in Ireland’s case the vast majority) that do not process a lot of personal data:
• Do not have to appoint a data protection officer (under Article 37 the obligation depends on the nature of the processing, not on headcount, so an SME whose core activity is large-scale monitoring or handling of sensitive data is not excused)
• Do not have to keep formal records of processing activities (Article 30(5)), unless the processing is likely to pose a risk to individuals, is more than occasional, or involves special categories of data or criminal-conviction data
• Do not have to report a data breach to the regulator if it is unlikely to result in a risk to the rights and freedoms of the people involved (Article 33; this applies to organisations of any size)
Be seen to comply
While SMEs have these exemptions, they must still comply, AND BE SEEN TO COMPLY, with the new law. This applies to Irish companies doing business in Ireland and in every other EU country, where the same law applies from 25 May 2018. It includes the UK, which has stated that, irrespective of Brexit, it is adopting the legislation as well.
Data is personal
So all SMEs need to start gaining an understanding of the data they hold on individuals and whether it is personal data as defined by the law. Personal data is any information relating to an identified or identifiable natural person (a “data subject”). It can include a name, a photo, an email address (personal or work), bank details, posts on social networking websites, medical information or even an IP address. The definition of personal data is the same in all EU member states, and the provisions of the GDPR are generally consistent across them.
So, as a general rule, any information that can be used to identify an individual, either on its own or when combined with another piece of information, is classified as personal data. This includes biometric, genetic and location data.
Responsible and accountable
Once a company has identified its data in this way, it has three major responsibilities:
Accountability. The GDPR is big on accountability. The SME will have to be able to prove its compliance with the data protection rules; it will have to be seen to be complying and to be making every appropriate effort to comply.
Notification of data breaches. Breaches that are unlikely to pose a risk to individuals need not be reported, but all other breaches must be reported to the regulator within 72 hours of the company becoming aware of them. Where a breach is likely to result in a high risk to the people affected, those individuals must also be informed without undue delay.
Lawful basis, consent and privacy notices. Businesses must have a lawful basis for using the data they collect from consumers; consent is one such basis, and where it is relied on it must be freely given, specific and informed. The GDPR also has a principle of “purpose limitation”, under which personal data must only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. As mentioned, consumers are entitled to withdraw consent and to ask to see what information is stored about them.
The GDPR aims to strengthen individuals’ right to privacy in an environment where data collection is ubiquitous. That is to be commended and respected.
And for those who do not comply there are severe penalties, with no SME exemption from them. Companies can be fined up to €20,000,000 or 4 per cent of annual worldwide turnover, whichever is higher.
The EU, with the GDPR, is getting serious about protecting consumers’ right to privacy and is putting every business on notice.
Source: Business Achievers