Data protection in the EU will soon receive an upgrade more than five years in the making. On 25 May 2018 the General Data Protection Regulation (GDPR) becomes enforceable, two years after its approval by Parliament. It replaces the 20-year-old Data Protection Directive (DPD).
The DPD was adopted in October 1995 as an effort to regulate the processing of personal data in the budding cyberworld. It sought to protect EU citizens against the misuse of any data collected about them and against its dissemination to third parties without proper consent.
While the DPD strove to guarantee security in a brave new world travelling along a digital information superhighway, it could not quite envision the extent to which such data would be used a mere 20 years later. It also left enforcement of the directive to the member states, each of which had to establish an independent authority to oversee protection and take administrative action. That meant 15 separate agencies (at minimum) with 15 individual interpretations (again, at minimum) of the directive.
In January 2012 the European Commission proposed replacing the directive, with a single set of rules and stronger protection for individuals at the forefront. Four more years of debate, amendment and revision followed before the GDPR was finally adopted in April 2016.
Businesses received a two-year grace period in which to bring themselves in line with the regulation before it becomes enforceable. SBEs should not expect to be overlooked or exempted: a great deal of business is conducted digitally in the 21st century, even on a small scale. SBEs face the same obligations as their larger counterparts and will be held accountable. Some of the changes you should expect include:
- More stringent requirements for consent. You must already obtain a customer’s permission to process his or her data, but in the past you could obtain it once and treat it as covering all future uses. No longer: consent must now be specific to each purpose, and a new purpose requires fresh consent.
- Alongside the consent itself, companies must keep detailed records of when and how they received it. A pre-ticked box or silence will not suffice: clients must clearly and affirmatively give their OK for you to collect and use their information, and the company must record how it received that consent, when it received it, and for which purposes.
- Consent is no longer perpetual. The permission records should state how long the data will be used and retained.
- Customers can withdraw their consent at any time for any reason, and companies must comply; withdrawing consent must be as easy as giving it. Separately, a customer who believes the information you hold is inaccurate can ask you to correct it and to restrict processing while its accuracy is checked. That places only a temporary hold on the data’s use, but the hold must be honoured until the check is complete.
- Customers who wish to have their data removed from company databanks entirely may exercise their “right to be forgotten” (the right to erasure). Once requested, a company must delete the information it holds about that person, unless the GDPR permits retention (for example, where another law requires the data to be kept).
- Companies must confirm, on request, whether they hold a client’s data, of what types and for what purposes, and must provide a copy of it within one month of the request; where the client wants to take the data elsewhere, the copy must be in a structured, commonly used and machine-readable format.
- Companies must be able to show the technical measures taken to safeguard this data. The GDPR names encryption and pseudonymisation as examples of appropriate measures: pseudonymisation means replacing the details that identify a person with a token, with the key or lookup table needed to re-identify them kept separately under its own safeguards.
- Meeting this requirement means a company must establish an internal IT function (which may prove beyond some SBEs’ means), rely on the IT experience it already has in-house, or outsource to specialists.
- The IT personnel would work hand in hand with a designated data protection officer (DPO), who is responsible for overseeing the data policies created to ensure compliance and for monitoring that they are followed.
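The pseudonymisation the list above mentions is easier to reason about with a concrete split. The following is an added example, not code from the original article: identifying fields (name, e-mail, phone) go into a separate vault, the working dataset keeps only an opaque subject ID derived with a keyed HMAC, and an erasure request is served by deleting the vault entry. The record layout, the field names and the in-memory vault are assumptions made for the example; a real vault would be a separate, access-controlled and encrypted store.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from typing import Optional

# Fields that identify a person directly. This layout is an assumption made
# for the example, not something the GDPR or the article prescribes.
DIRECT_IDENTIFIERS = ("name", "email", "phone")


class IdentityVault:
    """The only place where a subject ID can be turned back into a person.

    The GDPR's idea of pseudonymisation is that the extra information needed
    for re-identification is held separately under its own safeguards. This
    in-memory dict stands in for that separate, access-controlled store."""

    def __init__(self, key: bytes) -> None:
        self._key = key                      # secret; never stored beside the data
        self._identities: dict[str, dict] = {}

    def pseudonym_for(self, email: str) -> str:
        # Keyed HMAC rather than a bare hash: with plain SHA-256, anyone holding
        # the pseudonymised dataset could re-identify customers by hashing
        # guessed e-mail addresses. Normalising the address keeps one customer
        # mapped to one subject ID across all of their records.
        normalised = email.strip().lower().encode("utf-8")
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()

    def store(self, pseudonym: str, identity: dict) -> None:
        self._identities[pseudonym] = identity

    def resolve(self, pseudonym: str) -> Optional[dict]:
        return self._identities.get(pseudonym)

    def erase(self, pseudonym: str) -> bool:
        # Serving an erasure request: once the link is gone, the working
        # records for this subject can no longer be tied back to them.
        return self._identities.pop(pseudonym, None) is not None


def pseudonymise(record: dict, vault: IdentityVault) -> dict:
    """Split one record: identifying fields go to the vault, the rest keeps
    only an opaque subject_id."""
    identity = {k: record[k] for k in DIRECT_IDENTIFIERS if k in record}
    pseudonym = vault.pseudonym_for(record["email"])
    vault.store(pseudonym, identity)
    working = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    working["subject_id"] = pseudonym
    return working


def reidentify(working_record: dict, vault: IdentityVault) -> Optional[dict]:
    """Rejoin a working record with its identity; None once the link is erased."""
    identity = vault.resolve(working_record["subject_id"])
    if identity is None:
        return None
    data = {k: v for k, v in working_record.items() if k != "subject_id"}
    return {**identity, **data}


def contains_direct_identifier(record: dict) -> bool:
    return any(k in record for k in DIRECT_IDENTIFIERS)


def demo() -> dict:
    # Constructed sample orders for fictitious customers (not real people).
    orders = [
        {"name": "Ada Example", "email": "Ada@example.com", "phone": "+44 20 0000 0000",
         "order_total": 42.50, "country": "UK"},
        {"name": "Ada Example", "email": "ada@example.com", "phone": "+44 20 0000 0000",
         "order_total": 9.99, "country": "UK"},
        {"name": "Bob Sample", "email": "bob@example.org", "phone": "+33 1 00 00 00 00",
         "order_total": 120.00, "country": "FR"},
    ]
    vault = IdentityVault(secrets.token_bytes(32))
    working = [pseudonymise(o, vault) for o in orders]

    same_customer_linked = working[0]["subject_id"] == working[1]["subject_id"]
    no_identifiers_left = not any(contains_direct_identifier(w) for w in working)
    before_erasure = reidentify(working[0], vault)
    vault.erase(working[0]["subject_id"])        # "right to be forgotten" request
    after_erasure = reidentify(working[0], vault)
    return {
        "same_customer_linked": same_customer_linked,
        "no_identifiers_left": no_identifiers_left,
        "reidentified_before_erasure": before_erasure is not None,
        "reidentified_after_erasure": after_erasure is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The working dataset can still be used for analytics (the two orders for the same customer share a subject ID), but on its own it identifies nobody, and losing only that dataset in a breach is a very different event from losing the vault. Note that pseudonymised data is still personal data under the GDPR as long as the vault exists; only deleting the vault entry (or the key) breaks the link.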
While the GDPR seems to offer SBEs little wiggle room, it does recognise the variance in resources and capabilities between larger and smaller businesses. The DPD, in contrast, applied the same rules uniformly without regard for size or means.
Exceptions include:
- A DPO is mandatory only for public authorities and for organisations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of sensitive (special-category) data; headcount alone does not trigger the requirement (the GDPR’s 250-employee threshold concerns record-keeping, not the DPO). A DPO is nonetheless strongly recommended for SBEs, and a consultant is a viable option instead of creating and hiring for a new position in a small organisation.
- Companies with fewer than 250 employees are exempt from keeping the detailed records of their processing activities, unless that processing is more than occasional, is likely to pose a risk to individuals, or involves sensitive data. Routinely processing customer data is not “occasional”, so check whether the exemption actually applies to you before relying on it.
- Like every other organisation, SBEs will not be required to report “minor” data breaches (those unlikely to pose a risk to the rights and freedoms of the people affected) to the supervisory authority. In the event of a breach that does pose such a risk, however, you must notify the authority within 72 hours of becoming aware of it, describing the nature of the breach, including the categories and approximate numbers of people and records involved, and the measures you are taking in response. Where the risk to individuals is high, you must also tell the affected individuals themselves. This calls for a great deal of diligence, hence the recommendation of a DPO.
Punishments for failure to comply can prove quite steep. The maximum penalty is 4 per cent of the company’s annual global turnover or €20 million, whichever is greater. Fines at that level are reserved for breaches of the GDPR’s key provisions, such as the basic principles of processing and the conditions for consent, infringement of data subjects’ rights, or transfers of data to countries or recipients without adequate protection.
(Notice that you remain responsible for the data you hand to processors and transfer recipients, so their failings can become your liability.)
The lower tier of penalties, for obligations such as keeping records, securing data, appointing a DPO and notifying breaches, and for the duties of certification and monitoring bodies, is the greater of 2 per cent of turnover or €10 million. Take note that there are no exemptions from fines by company size, which means SBEs could be held liable for quite a sum!
There is a great deal of information to take in about these changes and not much time left before they become enforceable throughout the EU. The crunch is especially disconcerting for SBEs wondering how the regulation might impact their businesses. Many are still confused about what it entails:
- 50 per cent of surveyed businesses only somewhat understood what “personal data” means in a business sense; 19 per cent did not understand it at all.
- 52 per cent did not understand the expanded rights of customers with regard to the collection and use of their personal information.
- More than 40 per cent of SBEs do not know whether they will be compliant with the GDPR before 25 May 2018.
- Moreover, 56 per cent of SBEs are unsure whether their collection methods are proper or, worse, have made no effort to find out.
Not much time remains to review a regulation of 99 articles and 173 recitals. The Information Commissioner’s Office (ICO) has opened a dedicated advice line for small organisations (0303 123 1113, option 4), and its website offers a wealth of guidance documents that break down the regulation and its potential impact on SBEs.
What starting measures could you take to help your business meet the approaching deadline?
- Review the GDPR yourself, or commission a report on how it might impact your operations. Such a rundown will cost money, but the understanding of specialists, versus the uncertainty of laypersons, could well offset the charge.
- Review your records of the personal data you hold (should they exist). Note how you obtained this information and, if you share it, with whom.
- Review your privacy notices and your plans for retaining and deleting this material under the new rules; if they do not exist, create them.
- Ensure that consent records and data-verification processes are in place.
- Review your policies and procedures for breach detection, reporting and investigation, and consider outsourcing detection to a specialist if you lack the capability in-house.
How confident are you that you will meet these criteria? What steps has your company taken to ensure compliance?