The European Union’s General Data Protection Regulation (GDPR) comes into force on May 25, 2018, and it will signify a huge change in the way data protection and privacy are handled. It will also affect any business that uses the data of EU citizens, so even if you’re on the other side of the globe, you need to be ready.
The EU has decided to give its citizens more control over their data and it also wanted to make regulations consistent across all the member states, hence GDPR.
GDPR in a nutshell
Basically, once someone no longer wants a company to hold their data, the company must delete it unless there are genuine grounds for retaining it. Breaching this code can lead to serious fines – up to 4% of global revenue.
It doesn’t matter what size your business is or where you are
Even small and micro businesses have to comply with GDPR if they handle customers’ personal data. They don’t, though, have to have a data protection officer unless collecting and processing data is the core business activity.
Your location doesn’t matter, either; if you collect the data of an EU citizen, whether it’s an email address or bank details, you have to comply with GDPR.
Why is data so important?
An email address for marketing offers could, for example, also be linked to a support group for a particular medical condition in a particular town. It’s easy to see why someone may not want this data bandied about willy-nilly and why they should have control over it.
Getting your business ready
Analyse your systems
You need a consultant to explain the new data regulations and how they affect your business, and then you need to examine your existing data systems to look for flaws.
Your staff needs to understand GDPR and their responsibilities when collecting and handling personal data, including the data of colleagues, partners, family members, contractors and associates.
Bring in a compliance officer
If you have the budget, employ a compliance officer who can review and implement changes in law as they arise. If you can’t afford a full-time officer, then you could hire a contractor for a few hours every month or learn to do it all yourself.
Identify the data affected by GDPR
This includes EU-citizen data in invoices, HR reports, purchase histories and so on. Look at how you store it, deal with it and also who has access to it. Once you’ve isolated this data, work out how to handle it.
Look at your contracts
All your third-party associates and vendors must be GDPR-compliant as well, and you need to find out how they’ll handle EU data and how they’ll deal with any violations or breaches of GDPR. You’re vulnerable to fines if one of your associates misuses data, so you need to make sure everything’s watertight.